Configuring FIPS support on OpenShift
Configure support for FIPS (Federal Information Processing Standards) on the cluster where you will install IBM Cloud Pak® for Integration.
Cloud Pak for Integration supports FIPS 140-2, implemented by using the "FIPS wall" approach. This approach is described in the following section.
About this task
To be FIPS compliant, an organization must adhere to the various data security and computer system standards outlined in the FIPS requirements.
- What is FIPS?
Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal government computer systems. The standards are developed when there are compelling federal government requirements for standards, such as for security and interoperability, but acceptable industry standards or solutions do not exist. Government agencies and financial institutions use these standards to ensure that products conform to specified security requirements.
- What is a FIPS wall?
The FIPS wall is a boundary approach to FIPS compliance that is used by IBM products. All pods in the cluster are FIPS-tolerant (the pods can run without issues on a FIPS-enabled OpenShift cluster), while creating a compliant boundary that is secured at external points of contact (known as "touch points").
Traffic inside the boundary is secure because the communication between nodes is automatically encrypted at the OpenShift Container Platform level using the IPSec protocol. Traffic within any node happens in-memory, so it never leaves the node. The following diagram illustrates a typical OpenShift cluster that is configured to support the FIPS wall. In the diagram, the "wall" is represented with a heavy black border. Communications between pods within the border are secured with IPSec encryption, and communications that cross the border to external devices are secured using other means (for example, TLS encryption).
- What are the cluster requirements to support a FIPS wall?
Requirements are the following:
  - FIPS is enabled on the cluster during installation (by setting `fips: true` in the install-config.yaml file).
  - FIPS is enabled for node-to-node communication (using the OVN-Kubernetes Container Network Interface cluster network provider, with IPSec enabled).
  - The etcd key-value store is encrypted with `aescbc`.
  - Storage is encrypted with FIPS ciphers.
  - Runtimes are managed using Kubernetes CRI-O (all OCP deployments use CRI-O by default).
- What are the Red Hat OpenShift Container Platform dependencies?
Cloud Pak for Integration can be deployed with the following versions of OpenShift Container Platform (OCP):
  - 4.12: based on Red Hat Enterprise Linux 8.6; on-going certification for FIPS 140-2 and 140-3
  - 4.14: based on Red Hat Enterprise Linux 9.2; on-going certification for FIPS 140-2 and 140-3
For more information about OpenShift support for FIPS, see Current status on FIPS certification: Compliance Activities and Government Standards in the Red Hat Customer Portal.
Install and configure a FIPS-compliant OpenShift Container Platform
This procedure involves the following steps:
- Configure settings for FIPS and IPSec.
- Install the OpenShift cluster.
- Configure the cluster to enable encryption and provide storage.
Configure settings in the install-config.yaml file. Edit the install-config.yaml file and make the following changes:
- Set `fips: true`.
- Set the `networkType` to `OVNKubernetes`.
For example:
```yaml
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
fips: true
```
For an example of the install-config.yaml file, see Sample install-config.yaml file for bare metal in the Red Hat OpenShift documentation.
Create the IPSec installation manifests to allow IPSec tunneling for node-to-node communication in the OpenShift cluster.
- Generate the manifests from install-config.yaml by running the following command:
```shell
openshift-install create manifests
```
- Create a cluster-network-03-config.yaml file with the following content, and save it in the manifests directory:
```yaml
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
      mtu: 1400
```
Deploy the OpenShift cluster. Install the OpenShift cluster, and then install the OpenShift CLI.
- Install the OpenShift cluster as explained in Chapter 2. Installing the system in FIPS mode in the OpenShift documentation.
- Install the OpenShift CLI (oc) as explained in Installing the OpenShift CLI in the Red Hat OpenShift documentation.
- Log in to the cluster as a user with `cluster-admin` privileges.
Validate the OpenShift cluster.
Verify that FIPS is enabled on the OpenShift cluster.
Run the following command to verify the fips setting:
```shell
oc get cm cluster-config-v1 -n kube-system -o json | jq -r '.data."install-config"' | grep -i "fips"
```
Review the results and verify that the fips setting is set to true:
```
fips: true
name: fips-cp4i
root@fips-cp4i
```
Run the following command to get the names of the machine configurations:
```shell
oc get mcp
```
In the result, the configuration name populates in the CONFIG column; for example:
```
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-41831cf684b6e570518728abd24b9006   True      False      False      3              3                   3                     0                      15h
worker   rendered-worker-2a4937983238e94a74307abc3eed2080   True      False      False      7              7                   7                     0                      15h
```
For each configuration listed in the result, run the following command to verify that `Fips` is set to `true`:
```shell
oc describe mc <CONFIG> | grep Fips
```
The previous example returned two configurations, so run the command on each configuration:
```
oc describe mc rendered-master-41831cf684b6e570518728abd24b9006 | grep Fips
Fips: true
```
```
oc describe mc rendered-worker-2a4937983238e94a74307abc3eed2080 | grep Fips
Fips: true
```
Verify that IPSec is enabled on the OpenShift cluster.
Check the ovn-ipsec daemonset that manages the daemons responsible for configuring IPSec:
```shell
oc get ds -n openshift-ovn-kubernetes ovn-ipsec
```
A successful result looks like the following example:
```
NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
ovn-ipsec   6         6         6       6            6           beta.kubernetes.io/os=linux   3d3h
```
Verify that IPSec pods are running in all of the nodes in your OpenShift cluster:
```shell
oc get pod -n openshift-ovn-kubernetes -o wide | grep ipsec
```
A successful result is similar to the following:
```
ovn-ipsec-4qp86   1/1   Running   0   38m   192.168.7.23   master2.ocp4.rober.lab   <none>   <none>
ovn-ipsec-pk7vh   1/1   Running   0   38m   192.168.7.21   master0.ocp4.rober.lab   <none>   <none>
ovn-ipsec-q4mwj   1/1   Running   0   22m   192.168.7.11   worker0.ocp4.rober.lab   <none>   <none>
ovn-ipsec-trz5m   1/1   Running   0   22m   192.168.7.12   worker1.ocp4.rober.lab   <none>   <none>
ovn-ipsec-vjmw8   1/1   Running   0   38m   192.168.7.22   master1.ocp4.rober.lab   <none>   <none>
```
Enable etcd encryption with `aescbc` as explained in Encrypting etcd data in the Red Hat OpenShift documentation.
For local storage, choose either RHEL-provided disk encryption or Container Native Storage that uses RHEL-provided disk encryption. By storing all data in volumes that use RHEL-provided disk encryption and enabling FIPS mode for your cluster, both data at rest and data in motion (network data) are protected by FIPS-validated or Modules In Process encryption. You can configure your cluster to encrypt the root filesystem of each node, as described in Customizing nodes in the Red Hat OpenShift documentation.
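The validation steps above can be scripted so that a cluster is checked the same way every time. The following is an added example, not from the IBM documentation: each function reads the output of the named oc command from stdin, so it can be fed live output (check_cluster, which assumes oc and jq are on PATH and a cluster-admin login) or the constructed samples in check_samples.

```shell
# Added example (not IBM's code): scripted FIPS-wall checks. Each check reads
# the output of the oc command named in its comment from stdin.

# oc get cm cluster-config-v1 ... | jq -r '.data."install-config"':
# top-level fips: true and networkType: OVNKubernetes must both be present
check_install_config() {
  cfg=$(cat)
  printf '%s\n' "$cfg" | grep -Eq '^fips:[[:space:]]*true[[:space:]]*$' || return 1
  printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*networkType:[[:space:]]*OVNKubernetes[[:space:]]*$'
}

# oc get mcp: print the rendered CONFIG name of every machine config pool
mcp_configs() { awk 'NR > 1 && $2 ~ /^rendered-/ { print $2 }'; }

# oc describe mc <CONFIG>: the rendered config must carry Fips: true
check_mc_fips() { grep -Eq '^[[:space:]]*Fips:[[:space:]]*true[[:space:]]*$'; }

# oc get ds ovn-ipsec: DESIRED ($2), READY ($4) and AVAILABLE ($6) must agree and be > 0
check_ipsec_ds() {
  awk '$1 == "ovn-ipsec" { ok = ($2 > 0 && $2 == $4 && $2 == $6) } END { exit (ok ? 0 : 1) }'
}

# oc get pod -o wide: every ovn-ipsec pod must be Running with all containers ready (n/n)
check_ipsec_pods() {
  awk '$1 ~ /^ovn-ipsec-/ { n++; split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) bad++ }
       END { exit ((n > 0 && bad == 0) ? 0 : 1) }'
}

# Run every check against the logged-in cluster; non-zero on the first failure.
check_cluster() {
  oc get cm cluster-config-v1 -n kube-system -o json | jq -r '.data."install-config"' | check_install_config || return 1
  for c in $(oc get mcp | mcp_configs); do
    oc describe mc "$c" | check_mc_fips || return 1
  done
  oc get ds -n openshift-ovn-kubernetes ovn-ipsec | check_ipsec_ds || return 1
  oc get pod -n openshift-ovn-kubernetes -o wide | check_ipsec_pods
}

# Offline self-check on constructed samples shaped like the outputs shown above.
check_samples() {
  printf 'networking:\n  networkType: OVNKubernetes\nfips: true\n' | check_install_config || return 1
  printf 'NAME CONFIG UPDATED\nmaster rendered-master-41831cf684b6e570518728abd24b9006 True\n' \
    | mcp_configs | grep -q '^rendered-master-' || return 1
  printf 'NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE\novn-ipsec 6 6 6 6 6 beta.kubernetes.io/os=linux 3d3h\n' \
    | check_ipsec_ds || return 1
  printf 'ovn-ipsec-4qp86 1/1 Running 0 38m 192.168.7.23 master2 <none> <none>\n' | check_ipsec_pods
}
```

A failing check returns non-zero, so check_cluster can gate the Cloud Pak for Integration install in a pipeline.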
Install Cloud Pak for Integration
Now you can install Cloud Pak for Integration on the cluster. Ensure that all inbound server connections and outbound server connections (such as OIDC and LDAP providers) support FIPS.