Enabling FIPS
To run foundational services on a Federal Information Processing Standards (FIPS) compliant system, use the following planning information steps.
Enabling FIPS on your Red Hat OpenShift cluster
Procedure
-
Enable FIPS on Red Hat OpenShift cluster.
- Set
fips: true
in theinstall-config.yaml
file.
- Set
-
Enable IPSec.
- Set
networkType: OVNKubernetes
in theinstall-config.yaml
file. - Create manifest and deploy cluster. For more information, see Configuring IPSec tunnels.
- Set
-
Enable etcd after deploying your OpenShift Container Platform cluster.
- Follow the steps in Encrypting etcd data.
-
Enable FIPS mode on all nodes.
For more information, see:
- Red Hat OpenShift Version 4.10: Support for FIPS cryptography
Restriction: FIPS is supported only on x86_64 hardware.
-
Install Red Hat OpenShift Container Platform in FIPS mode.
For more information, see:
- Red Hat OpenShift Version 4.10: Installing a cluster in FIPS mode
Configuring storage
For information on storage, see the Red Hat OpenShift documentation on Storage.
If you use an external storage provider and if your deployment's storage must be FIPS compliant, refer to your storage provider's documentation to ensure that your storage meets this requirement.
Configuring etcd encryption
To enable etcd encryption with AES-CBC, complete the following steps:
-
Modify the
APIServer
object:oc edit apiserver
-
Set the
encryption
field type toaescbc
:spec: encryption: type: aescbc
-
Save the file to apply the changes. Depending on the size of your cluster, it can take 20 minutes or longer for the encryption process to complete.
-
Verify that the etcd encryption is successful.
-
Review the
Encrypted
status condition for the OpenShift API server to verify that its resources were successfully encrypted by running the following command:oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
EncryptionCompleted
upon successful encryption:EncryptionCompleted All resources encrypted: routes.route.openshift.io
-
For more information, see Encrypting etcd data.
Configuring IPSec tunnels
With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel. You can provide additional FIPS protection for traffic across different nodes on the cluster by configuring IPSec tunnels.
IPsec is disabled by default when you install OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.
For more information about how to enable IPsec encryption, see Configuring IPsec encryption in OpenShift documentation.
Configuring services to enable FIPS
There are components that must be configured to be FIPS compliant. Some services in foundational services are not FIPS compliant by default and require manual configuration. Refer to the following sections to configure services and components to enable FIPS.
Configuring Zen route
To ensure that your instance of Zen is FIPS compliant, you can configure the Zen route to be reencrypt
instead of passthrough
. Zen route is created as a passthrough
route by default.
Case 1: Configuring Zen route with encryption at the time of creation
Complete the steps in this section if you are creating your ZenService CR for the first time and want to set the Zen route as reencrypt
.
-
Set
zenDefaultIngressReencrypt: true
in the ZenService custom resource (CR). For example:spec: csNamespace: ibm-common-services # where Bedrock is deployed iamIntegration: true storageClass: rook-cephfs # file type storage class zenCoreMetaDbStorageClass: rook-ceph-block # block type storage class zenDefaultIngressReencrypt: true
-
Once ZenService CR is created, the Zen route is set as
reencrypt
ibm-common-services cpd cpd-ibm-common-services.apps.ocp411-fips.cp.fyre.ibm.com ibm-nginx-svc ibm-nginx-https-port reencrypt/Redirect None
Case 2: Configuring an existing Zen route (that is passthrough
) to be reencrypt
Complete the steps in this section if your ZenService CR already exists as a passthrough
route and you wish to update it to reencrypt
.
-
Create route-secret,
my-tls-secret
.-
Create
ca.crt
,tls.key
, andtls.crt
. -
Create route-secret in the ZenService namespace:
Note:
$zen_namespace
refers to the location where the existing zen instance was deployed.oc create secret generic my-tls-secret -n $zen_namespace --from-file=ca.crt=./ca.crt --from-file=tls.crt=./tls.crt --from-file=tls.key=./tls.key`
-
-
Update the ZenService CR by adding the following in the
spec
section:zenCustomRoute: route_reencrypt: true # default false route_secret: my-tls-secret ## must be set, secret created in the preceding step
-
Once ZenService finishes updating, the Zen route is set to
reencrypt
:zen-tenant cpd cpd-zen-tenant.apps.ocp411-fips.cp.fyre.ibm.com ibm-nginx-svc ibm-nginx-https-port reencrypt/Redirect None
Configuring Events operator
The Events operator is a dependent product and it is up to the implementation of the product that uses the Events operator to decide whether they allow an external user to control the Kafka custom resource.
The Kafka custom resource defines Kafka listeners which Kafka client applications can connect to. There are two types of listeners, which are internal
or route
. These listeners are marked by the keyword type: internal
or type: route
in the listeners
section of the Kafka custom resource. To hide a route, make sure that you use type: internal
and the Events operator will not create an external route.
For example:
spec:
kafka:
listeners:
- name: listener1
port: 9094
type: internal
tls: true
authentication:
type: tls
Optional: Configuring IBM Cloud Pak foundational services by using the CommonService custom resource
FIPS is not enabled by default. However, many common services components will automatically be FIPS compliant when running on a FIPS-enabled cluster. The following are additional settings and configuration options to fine tune the FIPS compliance of particular components.
Note: The steps in this section are required only if you use cp-proxy end point.
-
Run the following command:
oc edit commonservice -n <your-foundational-services-namespace> common-service
-
Enable FIPS by setting the variable as
fipsEnabled: true
in the CommonService CR and initial template of OperandConfig:spec: fipsEnabled: true
See the following notes:
- You must set the variable as
fipsEnabled: true
if you are using cp-proxy end point. - For information on FIPS compliant "strict" mode, see Services that support FIPS.
apiVersion: operator.ibm.com/v3 kind: CommonService metadata: name: common-service namespace: <your-foundational-services-namespace> spec: fipsEnabled: true
- You must set the variable as
After FIPS is enabled in the CommonServices CR, it applies the fipsEnabled: true
flag to ibm-im-operator
.
More information on FIPS
-
Considerations for FIPS: Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal government computer systems.
-
Services that support FIPS: FIPS compliant encryption is validated for some services in foundational services. Find information about your service.