Enabling FIPS

To run foundational services on a Federal Information Processing Standards (FIPS) compliant system, use the following planning information steps.

Enabling FIPS on your Red Hat OpenShift cluster

Procedure

  1. Enable FIPS on Red Hat OpenShift cluster.

    1. Set fips: true in the install-config.yaml file.
  2. Enable IPSec.

    1. Set networkType: OVNKubernetes in the install-config.yaml file.
    2. Create manifest and deploy cluster. For more information, see Configuring IPSec tunnels.
  3. Enable etcd after deploying your OpenShift Container Platform cluster.

    1. Follow the steps in Encrypting etcd data.
  4. Enable FIPS mode on all nodes.

    For more information, see:

    Restriction: FIPS is supported only on x86_64 hardware.

  5. Install Red Hat OpenShift Container Platform in FIPS mode.

    For more information, see:

Configuring storage

For information on storage, see the Red Hat OpenShift documentation on Storage.

If you use an external storage provider and if your deployment's storage must be FIPS compliant, refer to your storage provider's documentation to ensure that your storage meets this requirement.

Configuring etcd encryption

To enable etcd encryption with AES-CBC, complete the following steps:

  1. Modify the APIServer object:

    oc edit apiserver
    
  2. Set the encryption field type to aescbc:

    spec:
      encryption:
        type: aescbc
    
  3. Save the file to apply the changes. Depending on the size of your cluster, it can take 20 minutes or longer for the encryption process to complete.

  4. Verify that the etcd encryption is successful.

    1. Review the Encrypted status condition for the OpenShift API server to verify that its resources were successfully encrypted by running the following command:

      oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
      

    The output shows EncryptionCompleted upon successful encryption:

       EncryptionCompleted
       All resources encrypted: routes.route.openshift.io
    

For more information, see Encrypting etcd data.

Configuring IPSec tunnels

With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel. You can provide additional FIPS protection for traffic across different nodes on the cluster by configuring IPSec tunnels.

IPsec is disabled by default when you install OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.

For more information about how to enable IPsec encryption, see Configuring IPsec encryption in OpenShift documentation.

Configuring services to enable FIPS

There are components that must be configured to be FIPS compliant. Some services in foundational services are not FIPS compliant by default and require manual configuration. Refer to the following sections to configure services and components to enable FIPS.

Configuring Zen route

To ensure that your instance of Zen is FIPS compliant, you can configure the Zen route to be reencrypt instead of passthrough. Zen route is created as a passthrough route by default.

Case 1: Configuring Zen route with encryption at the time of creation

Complete the steps in this section if you are creating your ZenService CR for the first time and want to set the Zen route as reencrypt.

  1. Set zenDefaultIngressReencrypt: true in the ZenService custom resource (CR). For example:

    spec:
      csNamespace: ibm-common-services   # where Bedrock is deployed
      iamIntegration: true
      storageClass: rook-cephfs          # file type storage class
      zenCoreMetaDbStorageClass: rook-ceph-block   # block type storage class
      zenDefaultIngressReencrypt: true
    
  2. Once ZenService CR is created, the Zen route is set as reencrypt

    ibm-common-services        cpd                              cpd-ibm-common-services.apps.ocp411-fips.cp.fyre.ibm.com                                          ibm-nginx-svc                    ibm-nginx-https-port   reencrypt/Redirect     None
    

Case 2: Configuring an existing Zen route (that is passthrough) to be reencrypt

Complete the steps in this section if your ZenService CR already exists as a passthrough route and you wish to update it to reencrypt.

  1. Create route-secret, my-tls-secret.

    1. Create ca.crt, tls.key, and tls.crt.

    2. Create route-secret in the ZenService namespace:

      Note: $zen_namespace refers to the location where the existing zen instance was deployed.

      oc create secret generic my-tls-secret -n $zen_namespace --from-file=ca.crt=./ca.crt --from-file=tls.crt=./tls.crt --from-file=tls.key=./tls.key`
      
  2. Update the ZenService CR by adding the following in the spec section:

    zenCustomRoute:
       route_reencrypt: true  # default false
       route_secret: my-tls-secret  ## must be set, secret created in the preceding step
    
  3. Once ZenService finishes updating, the Zen route is set to reencrypt:

    zen-tenant                 cpd                              cpd-zen-tenant.apps.ocp411-fips.cp.fyre.ibm.com                                                   ibm-nginx-svc                    ibm-nginx-https-port   reencrypt/Redirect     None
    

Configuring Events operator

The Events operator is a dependent product and it is up to the implementation of the product that uses the Events operator to decide whether they allow an external user to control the Kafka custom resource.

The Kafka custom resource defines Kafka listeners which Kafka client applications can connect to. There are two types of listeners, which are internal or route. These listeners are marked by the keyword type: internal or type: route in the listeners section of the Kafka custom resource. To hide a route, make sure that you use type: internal and the Events operator will not create an external route.

For example:

spec:
  kafka:
    listeners:
      - name: listener1
        port: 9094
        type: internal
        tls: true
        authentication:
          type: tls

Optional: Configuring IBM Cloud Pak foundational services by using the CommonService custom resource

FIPS is not enabled by default. However, many common services components will automatically be FIPS compliant when running on a FIPS-enabled cluster. The following are additional settings and configuration options to fine tune the FIPS compliance of particular components.

Note: The steps in this section are required only if you use cp-proxy end point.

  1. Run the following command:

    oc edit commonservice -n <your-foundational-services-namespace> common-service
    
  2. Enable FIPS by setting the variable as fipsEnabled: true in the CommonService CR and initial template of OperandConfig:

    spec:
     fipsEnabled: true
    

    Notes:

    • You must set the variable as fipsEnabled: true if you are using cp-proxy end point.
    • For information on FIPS compliant "strict" mode, see Services that support FIPS.
    apiVersion: operator.ibm.com/v3
    kind: CommonService
    metadata:
      name: common-service
      namespace: <your-foundational-services-namespace>
    spec:
      fipsEnabled: true
    

After FIPS is enabled in the CommonServices CR, it applies the fipsEnabled: true flag to ibm-im-operator.

More information on FIPS