Configuring FIPS on 2.0.2 Cloud Pak for Data System

Use the configure_fips.py script to manage FIPS settings on 2.0.2 Cloud Pak for Data System. FIPS is disabled by default.

About this task

The script is located on every control node at: /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py.

This script can be run from any control node and it will apply the changes on all the control nodes. Note that all control nodes need to be rebooted for changes to be effective, which means you need to run the system shutdown and startup steps as described in this task.

The log file is located in /var/log/appliance/platform/xcat/configure_fips.log.tracelog.

Usage:

[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py -h
usage: configure_fips.py [-h] [--enable] [--disable] [--check_status]

This script will manages fips settings

optional arguments:
  -h, --help      show this help message and exit
  --enable
  --disable
  --check_status
[root@e1n1 ~]#
--enable
This option enables FIPS on every control node. The change takes effect only after the control nodes are rebooted; verify the result afterwards by running the script with --check_status.
Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --enable 

[root@e1n1 ~]#   # reboot all control nodes by following the steps under Procedure

[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --check_status
On node e1n1 - FIPS mode is enabled.

On node e2n1 - FIPS mode is enabled.

On node e3n1 - FIPS mode is enabled.

Done
[root@e1n1 ~]#
--disable
This option disables FIPS on every control node. The change takes effect only after the control nodes are rebooted; verify the result afterwards by running the script with --check_status.
Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --disable

[root@e1n1 ~]#   # reboot all control nodes by following the steps under Procedure

[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --check_status
On node e1n1 - FIPS mode is disabled.

On node e2n1 - FIPS mode is disabled.

On node e3n1 - FIPS mode is disabled.

Done
[root@e1n1 ~]#
--check_status
This option reports the FIPS status of every control node, and whether the FIPS modules have been installed on it. It makes no changes.
Example:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --check_status
On node e1n1 - FIPS mode is disabled.

On node e2n1 - FIPS mode is disabled.

On node e3n1 - FIPS mode is disabled.

Done
[root@e1n1 ~]#
When you run --check_status on a 2.0.2 system on which FIPS has never been enabled, the FIPS modules have not yet been installed and the output looks like this:
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --check_status
On node e1n1 - Installation of FIPS modules is not completed.
FIPS mode is disabled.

On node e1n2 - Installation of FIPS modules is not completed.
FIPS mode is disabled.

On node e1n3 - Installation of FIPS modules is not completed.
FIPS mode is disabled.

Done
[root@e1n1 ~]#
To enable or disable FIPS, run the corresponding command from any one control node. Then you must reboot all control nodes as described in the steps that follow; until they are rebooted, --check_status still reports the old state.

Procedure

  1. Log in to e1n1 as root.
  2. Run the following commands:
    • To enable FIPS:
      /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --enable
    • To disable FIPS:
      /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --disable

Restart the nodes as in the following steps:

  1. Run the ap state -d command on e1n1 to verify that the system is active and ready:
    ap state -d
    System state is 'Ready'
    Application state is 'Ready'
    Platform management state is 'Active'
  2. NPS systems only: Run the following steps:
    Note: In the following examples the NPS namespace is named nps-1. In multitenant deployments, run the commands for each NPS namespace. The following command lists all NPS namespaces:
    oc get sts --all-namespaces | grep ipshost | awk '{print $1}'
    1. Run nzstop from the host container:
      oc exec -it ipshost-0 -n nps-1 -- bash -c "su - nz -c 'nzstop'"
    2. Scale down the NPS host pod:
      oc scale statefulset.apps/ipshost --replicas=0 -n nps-1
  3. Stop the system and services. Run the commands on e1n1:
    apstop
    apstop --service
  4. Shut down the GPFS file system from the first control node, e1n1:
    systemctl stop nfs-server
    mmumount all -a
    mmshutdown -a
  5. Verify that the GPFS file systems are unmounted. Because GPFS is now down on all nodes, the command fails with the following message; this is the expected result:
    mmlsmount all -L
    [root@e1n1 ~]# mmlsmount all -L
    mmcommon: mmremote command cannot be executed. Either none of the
    nodes in the cluster are reachable, or GPFS is down on all of the
    nodes. mmlsmount: Command failed. Examine previous error messages to
    determine cause.
  6. Reboot the control nodes starting from the last node, so that e1n1 (the node you are logged in to) is rebooted last. Example:
    for ip in $(/opt/ibm/appliance/platform/xcat/scripts/xcat/display_nodes.py --control | tr ' ' '\n' | tac); do echo $ip; ssh $ip 'shutdown -r'; done
  7. When all nodes come up, verify that the dhcp and named services are up:
    systemctl status dhcpd; systemctl status named
    If not running, start these services:
    systemctl start dhcpd; systemctl start named
  8. Start GPFS, mount the file systems, verify the GPFS state, then start the NFS server:
    mmstartup -a
    mmmount all -a
    mmgetstate -aLv
    systemctl start nfs-server
  9. Run the apstart command and wait for the system to come online.
  10. Verify the state of the system by running the command:
    ap state -d
    [root@node0101 ~]# ap state -d
    System state is 'Ready'
    Application state is 'Ready'
    Platform management state is 'Active'
  11. NPS systems only: Scale up the NPS host pod.
    oc scale statefulset.apps/ipshost --replicas=1 -n nps-1
    Note: In the above example the NPS namespace is named nps-1. In multitenant deployments, run the command for each NPS namespace. The following command lists all NPS namespaces:
    oc get sts --all-namespaces | grep ipshost | awk '{print $1}'
  12. Run the ap node and ap sw commands to verify the health of the system.
  13. Check FIPS mode and confirm that every control node reports the state you set, with no "Installation of FIPS modules is not completed" line:
    [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --check_status
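The --check_status report above is meant to be read by a person. The following shell example is added here and is not part of this page or of configure_fips.py: it parses that report so that step 13 (and the --check_status option in general) yields a pass or fail exit status instead of an eyeball check, treating any "Installation of FIPS modules is not completed" line or any node in the wrong mode as a failure. The sample reports embedded in it are constructed to mirror the outputs shown on this page. The function fips_kernel_flag reads /proc/sys/crypto/fips_enabled, the standard Linux kernel FIPS flag; that is an assumption about the control node operating system and is not something the IBM script exposes.

```shell
#!/bin/sh
# Added example, not IBM code. Treat the configure_fips.py --check_status
# report as data: a FIPS change is "done" only when every control node
# reports the expected mode AND has its FIPS modules installed.
# Assumptions: report lines have the "On node <name> - ..." shape shown on
# the page; /proc/sys/crypto/fips_enabled is the kernel's own FIPS flag
# (standard Linux interface, read here as a second opinion).

CHECK_STATUS=/opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py

# Constructed sample reports mirroring the page's outputs (for offline use).
SAMPLE_ENABLED='On node e1n1 - FIPS mode is enabled.

On node e2n1 - FIPS mode is enabled.

On node e3n1 - FIPS mode is enabled.

Done'

SAMPLE_NEVER_ENABLED='On node e1n1 - Installation of FIPS modules is not completed.
FIPS mode is disabled.

On node e2n1 - Installation of FIPS modules is not completed.
FIPS mode is disabled.

Done'

# A node that missed the reboot still reports the old mode; such a mixed
# report must fail whichever mode was requested.
SAMPLE_MIXED='On node e1n1 - FIPS mode is enabled.

On node e2n1 - FIPS mode is disabled.

Done'

# fips_report_ok EXPECTED REPORT
#   EXPECTED is "enabled" or "disabled". Returns 0 only when at least one
#   node line was seen, no node reports incomplete module installation, and
#   every "FIPS mode is ..." line matches EXPECTED. Failures go to stderr.
fips_report_ok() {
    expected=$1
    report=$2
    nodes=0
    bad=0
    node=""
    while IFS= read -r line; do
        case "$line" in
            "On node "*)
                node=${line#On node }
                node=${node%% *}
                nodes=$((nodes + 1)) ;;
        esac
        case "$line" in
            *"not completed"*)
                echo "FAIL: $node: FIPS modules not installed" >&2
                bad=$((bad + 1)) ;;
            *"FIPS mode is $expected."*) ;;
            *"FIPS mode is "*)
                echo "FAIL: $node: $line" >&2
                bad=$((bad + 1)) ;;
        esac
    done <<EOF
$report
EOF
    [ "$nodes" -gt 0 ] && [ "$bad" -eq 0 ]
}

# fips_kernel_flag
#   Prints the kernel's own FIPS flag (1 or 0), or "unknown" if the interface
#   is absent. Run it on each control node after the reboot: a node whose
#   script status says "enabled" but whose kernel flag is 0 has not actually
#   come back up in FIPS mode.
fips_kernel_flag() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo unknown
    fi
}

# verify_fips_change EXPECTED
#   Step 13 of the procedure as a pass/fail check. Only useful on a control
#   node, where the IBM script exists.
verify_fips_change() {
    if [ ! -x "$CHECK_STATUS" ]; then
        echo "$CHECK_STATUS not found; not running on a control node?" >&2
        return 2
    fi
    fips_report_ok "$1" "$("$CHECK_STATUS" --check_status)"
}

# Usage on a control node after the reboots:  verify_fips_change enabled
```

Run verify_fips_change enabled (or disabled) on a control node after step 12; a non-zero exit means at least one node is not in the requested state or never had the FIPS modules installed, and the offending node is named on stderr. Because the script's report and the kernel flag come from different places, checking fips_kernel_flag on each node as well catches the case where a node was skipped in the reboot loop.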