Enabling IBM Match 360 for FIPS compliance
Additional cluster configuration is required to enable IBM® Match 360 to be installed and used on a Federal Information Processing Standards (FIPS) 140-2 compliant Red Hat® OpenShift® cluster.
Required role: To complete this task, you must be a cluster administrator.
To enable IBM Match 360 to be FIPS 140-2 compliant:
- Enable FIPS mode on the cluster. For details, see Enabling FIPS on your Red Hat OpenShift cluster.
- Install Cloud Pak for Data. For details, see Installing the IBM Cloud Pak for Data platform and services.
- Configure the APIServer custom resource (CR) to use a specific custom TLS security profile for the control plane. Run the following command:
oc patch APIServer cluster --type='json' --patch '[{"op":"add","path":"/spec/tlsSecurityProfile","value":{"custom": { "ciphers" : [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA" ] }, "type": "Custom"}}]' -n ibm-common-services
After running this command, it can take 15–30 minutes for the new TLS security profile to take effect.
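To confirm that the patch was applied, compare the APIServer CR against the cipher list in the command above. The following check is an added example and is not part of the IBM procedure. The function names check_profile and diff_ciphers are hypothetical, and the live query runs only where the oc CLI is installed and logged in as a cluster administrator.

```shell
#!/bin/sh
# Expected ciphers, copied from the oc patch command on this page.
EXPECTED="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 \
TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 \
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 \
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 \
ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 \
DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 \
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA"

# diff_ciphers ACTUAL: ACTUAL is a space-separated cipher list.
# Prints every cipher that is missing or unexpected; returns 0 only
# when both sets are identical (order is ignored).
diff_ciphers() {
  _actual="$1"; _rc=0
  for _c in $EXPECTED; do
    case " $_actual " in *" $_c "*) ;; *) echo "missing: $_c"; _rc=1 ;; esac
  done
  for _c in $_actual; do
    case " $EXPECTED " in *" $_c "*) ;; *) echo "unexpected: $_c"; _rc=1 ;; esac
  done
  return $_rc
}

# check_profile TYPE CIPHERS: the profile type must be Custom and the
# cipher set must match the expected list.
check_profile() {
  if [ "$1" != "Custom" ]; then
    echo "profile type is '${1:-unset}', expected Custom"
    return 1
  fi
  diff_ciphers "$2"
}

# Live check against the cluster (skipped when oc is not installed).
if command -v oc >/dev/null 2>&1; then
  p_type=$(oc get apiserver cluster \
    -o jsonpath='{.spec.tlsSecurityProfile.type}')
  p_ciphers=$(oc get apiserver cluster \
    -o jsonpath='{.spec.tlsSecurityProfile.custom.ciphers[*]}')
  check_profile "$p_type" "$p_ciphers" && echo "APIServer TLS profile matches"
  # The profile is live once the kube-apiserver rollout has finished
  # (PROGRESSING returns to False).
  oc get clusteroperator kube-apiserver
fi
```

A match here shows only that the CR holds the expected profile; the 15–30 minute rollout must still complete before the control plane serves it.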