Services that support FIPS
FIPS (Federal Information Processing Standards) compliant encryption is validated for some of the services in foundational services.
To check whether a service supports FIPS:
- Check whether it runs on a FIPS-enabled cluster.
- Determine whether it is FIPS compliant:
  - Does it adhere to the security levels outlined in the Federal Information Processing Standard Publication 140-2?
- Check the additional information to see whether you need to run any steps beyond those specified in the common procedure.
- Also review the additional information to learn about other encryption standards that are supported on the service.
Notes:
- ✓ indicates that the service is FIPS compliant.
- Blank indicates that the service is not FIPS compliant.
- FIPS compliant "enabled":
  - Data is FIPS encrypted at rest.
  - Inbound communications are FIPS encrypted.
  - Outbound communications in "enabled" mode support both FIPS and non-FIPS connections. This mode requires the external service to mandate FIPS when negotiating encryption.
- FIPS compliant "strict":
  - Data is FIPS encrypted at rest.
  - Inbound communications are FIPS encrypted.
  - Outbound communications support only FIPS connections, which requires the external service to support FIPS.
Service | FIPS compliant "enabled" | FIPS compliant "strict" | Additional information |
---|---|---|---|
Business Teams Service | ✓ | | Business Teams Service has outbound connections to internal services Zen (JWT validation), IM (SCIM and OIDC introspection), and EDB (persistence). EDB data at rest relies on FIPS storage encryption to be FIPS ready. |
Certificate manager | ✓ | | N/A |
Events | | | Events operator creates a Kafka deployment and then sets up services and routes based on the Kafka listener configuration that you have set in the custom resource. Kafka listeners can be of type internal or route. To comply with the FIPS wall, you can configure the Events operator to only ask for internal listeners. See Configuring Events operator. |
IM | ✓ | | N/A |
Installer | ✓ | | N/A |
License Service | ✓ | | N/A |
License Service Reporter | ✓ | | N/A |
MongoDB | ✓ | | N/A |
Integrated UI (zen) | ✓ | | Platform UI is not FIPS compliant "enabled" by default but can be configured to be compliant. See Configuring Zen route. |
Flink | ✓ | | IBM Semeru JVM version 11.0.16.1 or higher is needed. |
Elasticsearch | ✓ | | N/A |
Note: All services can run on a FIPS-enabled cluster (that is, an OpenShift cluster that has FIPS mode turned on).
More information on FIPS
- Enabling FIPS: Learn how to enable FIPS and run foundational services on a FIPS compliant system.
- Considerations for FIPS: Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal government computer systems.