Services that support FIPS

FIPS (Federal Information Processing Standards) compliant encryption is validated for some services on foundational services.

To check whether a service supports FIPS:

  1. Check whether it runs on a FIPS-enabled cluster.
  2. Determine whether it is FIPS compliant:
    • Does it adhere to the security levels outlined in the Federal Information Processing Standard Publication 140-3?
  3. Check additional information to see whether you need to run any steps beyond what are specified in the common procedure.
  4. Review also additional information to learn about other encryption standards that are supported on the service.

Notes:

Table 1. FIPS compliance status of services
Service FIPS compliant "enabled" FIPS compliant "strict" Additional information
Business Teams Service Business Teams Service has outbound connections to internal services Zen (JWT validation), IM (SCIM and OIDC introspection), and EDB (persistence). EDB data at rest relies on FIPS storage encryption to be FIPS ready.
Certificate manager N/A
Events Events operator creates a Kafka deployment and then sets up services and routes based on the Kafka listener configuration that you have set in the custom resource. Kafka listeners can be of type internal or route. To comply with the FIPS wall, you can configure the Events operator to only ask for internal listeners. See Configuring Events operator.
IM N/A
Installer N/A
License Service N/A
License Service Reporter N/A
MongoDB N/A
Integrated UI (zen) Platform UI is not FIPS compliant "enabled" by default but can be configured to be compliant. See Configuring Zen route.
Flink IBM Semeru JVM version 11.0.16.1 or higher is needed.
Elasticsearch N/A

Note: All services can run on a FIPS-enabled cluster (that is, an OpenShift cluster that has FIPS mode turned on).

More information on FIPS