Enabling Federal Information Processing Standards (FIPS) support for Infrastructure Automation
Learn how to enable FIPS and run Infrastructure Automation on a FIPS-compliant system.
To enable support, you need to install Infrastructure Automation on a Red Hat OpenShift Container Platform cluster that is running in FIPS enabled mode. You also need to complete some tasks before you begin installing Infrastructure Automation on your cluster, and other tasks while you are installing Infrastructure Automation. Depending on whether you plan to enable or set up some optional integrations, you might need to complete further tasks after you finish installing to ensure that your integrations support FIPS.
Important: You can only enable FIPS support when you are installing. You cannot upgrade a non-FIPS enabled environment to a FIPS enabled environment. You also cannot back up Infrastructure Automation from a non-FIPS enabled environment and restore it into a FIPS enabled environment.
To enable FIPS support, complete the following tasks during your overall cluster and Infrastructure Automation installation:
- Installing Red Hat OpenShift Container Platform and storage tasks required for compliance. These tasks must be completed when you are installing your Red Hat OpenShift Container Platform cluster and configuring your storage, before you begin to install Infrastructure Automation on your OpenShift cluster.
- Installing Infrastructure Automation tasks required for compliance. While installing Infrastructure Automation, you need to complete some other required tasks to ensure that your environment supports FIPS.
- Optional: Conditional tasks required for compliance. Depending on the components that you plan to install in, or integrate with, your Infrastructure Automation environment, you need to complete other tasks to enable FIPS support. For instance, if you plan to enable Managed services, you need to configure the deployment to support FIPS.
Installing Red Hat OpenShift Container Platform and storage tasks required for compliance
- Enable FIPS support for your Red Hat OpenShift Container Platform cluster
- Enable FIPS support for your storage
1. Enable FIPS support for your Red Hat OpenShift Container Platform cluster
You must enable FIPS support on your Red Hat OpenShift Container Platform cluster before you proceed with installing Infrastructure Automation. When you are installing Infrastructure Automation, the installation process automatically detects whether FIPS support is enabled on your Red Hat OpenShift Container Platform cluster. If FIPS is enabled on Red Hat OpenShift Container Platform, FIPS support is automatically enabled for Infrastructure Automation.
To enable FIPS for Infrastructure Automation, you must first enable FIPS support on your Red Hat OpenShift Container Platform cluster by completing the following tasks as part of installing Red Hat OpenShift Container Platform:
- Enable FIPS mode on all of your nodes. For more information, see the Red Hat OpenShift Container Platform documentation about Support for FIPS cryptography.
- Install Red Hat OpenShift Container Platform in FIPS mode. For more information, see the Red Hat OpenShift Container Platform documentation about Installing a cluster in FIPS mode.
Restriction: FIPS is supported only on x86_64 hardware.
- Configure TLS protection for your node-to-node communication. Node-to-node communication must be TLS protected at all times.
Recommended: Configure IPsec tunnels for communication between nodes in your cluster. IPsec is the validated and recommended method for implementing security across nodes for IBM Cloud Pak for AIOps. If you require a different method to secure your nodes, you can use your preferred method.
With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel. IPsec is disabled by default when you install OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.
For more information about configuring IPsec encryption on Red Hat OpenShift Container Platform, see the Red Hat OpenShift Container Platform documentation about Configuring IPsec encryption.
2. Enable FIPS support for your storage
If your deployment's storage must be FIPS compliant, enable any FIPS settings and support for your chosen storage. Refer to your storage provider's documentation to ensure that your storage meets this requirement.
Red Hat® OpenShift® Data Foundation and FIPS
Red Hat® OpenShift® Data Foundation uses FIPS 140-2 certified cryptographic modules. You must use cluster-wide encryption, and not encrypt persistent volumes individually. This is because Red Hat OpenShift Data Foundation persistent volume encryption is only available for block storage, and one of the IBM Cloud Pak for AIOps components, Zen, requires file storage. For more information, see the topic Cluster-wide encryption in the Red Hat OpenShift Data Foundation documentation.
Portworx and FIPS
Portworx uses FIPS 140-2 certified cryptographic modules. Portworx can encrypt each of the persistent volumes individually, or can encrypt the whole storage cluster. For more information, see the topic Create encrypted PVCs in the Portworx documentation.
Installing Infrastructure Automation tasks required for compliance
With your storage configured, continue your installation of Infrastructure Automation on your cluster.
Ensure that you complete the required compliance tasks while you are initially installing Infrastructure Automation; they cannot be completed afterwards.
For more information and instructions about installing Infrastructure Automation overall, see Installing Infrastructure Automation.
Enable two-factor authentication (2FA)
To secure your environment with multi-factor authentication, you can configure single sign-on (SSO) between Infrastructure Automation and an identity provider that supports 2FA, such as IBM Security Verify. The identity provider's 2FA mechanism can then be used to authenticate Infrastructure Automation user logins. Consult your chosen identity provider's documentation to set up 2FA.
For more information about IBM Security Verify, see IBM Security Verify.
Blog: For an example of setting up single sign-on between an IBM Cloud Pak and IBM Security Verify, see Tutorial: IBM Cloud Pak single sign-on (SSO) integration with IBM Security Verify.
Conditional tasks required for compliance
The following tasks are required depending on the components that you plan to enable for your Infrastructure Automation environment:
Deploy Infrastructure Automation - Managed services in FIPS mode
If you need to deploy Managed services in your FIPS enabled environment, you can deploy the component after you complete your install by editing the IAConfig settings. This task can be completed after your initial installation, but it must be completed when you are initially deploying Managed services; FIPS mode cannot be switched on for a Managed services deployment that already exists.
- Use the OpenShift (oc) CLI to log in to your OpenShift cluster and switch to the project (namespace) where Infrastructure Automation is installed.
- Run the following command to open the IAConfig configuration for editing:
  oc -n <namespace> edit IAConfig
  Where <namespace> is the project (namespace) where Infrastructure Automation is installed.
- Search for the spec section and edit the configuration to include the settings to deploy Managed services (ibm-management-cam-install) in FIPS mode (enableFIPS: true). Your updated configuration for deploying Managed services can resemble the following example spec:
  spec:
    imagePullSecret: ibm-entitlement-key
    infraAutoComposableComponents:
    - enabled: true
      name: ibm-management-im-install
      spec: {}
    - enabled: true
      name: ibm-management-cam-install
      spec:
        manageservice:
          global:
            enableFIPS: true
        license:
          accept: true
    license:
      accept: true
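Because FIPS cannot be switched on for Managed services after the component is deployed, it is worth checking the edited spec before saving it. The following Python is an added example, not part of this documentation or of the product: it validates the JSON form of an IAConfig object (for example from `oc get IAConfig -n <namespace> -o json`) and reports anything that would stop ibm-management-cam-install being deployed in FIPS mode. Only the component name and setting names come from the page; the sample documents are constructed.

```python
import json
from typing import List

# Component and setting names are from the page; the sample documents below are constructed.
CAM_COMPONENT = "ibm-management-cam-install"


def fips_findings(iaconfig: dict) -> List[str]:
    """Return the problems that would stop Managed services being deployed in FIPS mode.

    An empty list means ibm-management-cam-install is listed, enabled, has its
    license accepted, and carries manageservice.global.enableFIPS: true.
    """
    findings = []
    components = (iaconfig.get("spec") or {}).get("infraAutoComposableComponents") or []
    matches = [c for c in components if c.get("name") == CAM_COMPONENT]
    if not matches:
        return [f"{CAM_COMPONENT} is not listed under spec.infraAutoComposableComponents"]
    comp = matches[0]
    # `is not True` deliberately rejects the string "true" (a quoted YAML scalar).
    if comp.get("enabled") is not True:
        findings.append(f"{CAM_COMPONENT} is listed but enabled is {comp.get('enabled')!r}")
    cspec = comp.get("spec") or {}
    fips = ((cspec.get("manageservice") or {}).get("global") or {}).get("enableFIPS")
    if fips is not True:
        findings.append(f"{CAM_COMPONENT} manageservice.global.enableFIPS is {fips!r}, expected true")
    if (cspec.get("license") or {}).get("accept") is not True:
        findings.append(f"{CAM_COMPONENT} license.accept is not true")
    return findings


def check_iaconfig_json(text: str) -> List[str]:
    """Validate the JSON that `oc get IAConfig -n <namespace> <name> -o json` prints."""
    return fips_findings(json.loads(text))


# Constructed sample: the example spec from this page, as the API server returns it in JSON.
SAMPLE_FIPS = {"spec": {
    "imagePullSecret": "ibm-entitlement-key",
    "infraAutoComposableComponents": [
        {"enabled": True, "name": "ibm-management-im-install", "spec": {}},
        {"enabled": True, "name": CAM_COMPONENT,
         "spec": {"manageservice": {"global": {"enableFIPS": True}},
                  "license": {"accept": True}}},
    ],
    "license": {"accept": True},
}}

# Constructed sample with the FIPS setting left out, as a non-FIPS Managed services deployment looks.
SAMPLE_NO_FIPS = json.loads(json.dumps(SAMPLE_FIPS))
del SAMPLE_NO_FIPS["spec"]["infraAutoComposableComponents"][1]["spec"]["manageservice"]

if __name__ == "__main__":
    for label, doc in (("fips", SAMPLE_FIPS), ("no-fips", SAMPLE_NO_FIPS)):
        print(label, fips_findings(doc) or "OK")
```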