Verification of FIPS enablement in IBM Cloud Private

Verify that FIPS is enabled on IBM Cloud Private.

Verify the operating system

Verify that FIPS is enabled on your operating system. Complete the following steps:

  1. View the parameters that were passed to the kernel. Run the following command:

     cat /proc/cmdline
    

    Your output might resemble the following content:

     BOOT_IMAGE=/vmlinuz-4.4.0-1002-fips root=/dev/mapper/ubuntu--vg-root ro elevator=noop fips=1 bootdev=UUID=87d50882-8bcc-4951-820f-e6e446b134c4
    

    The fips=1 parameter indicates that the kernel is booted in FIPS enabled mode.

  2. Verify that your kernel is configured for FIPS. Run the following command:

     sysctl crypto.fips_enabled
    

    Your output might resemble the following content:

     crypto.fips_enabled = 1
    

    The crypto.fips_enabled = 1 output indicates that the kernel is configured for FIPS.

  3. Verify that the OpenSSL package is FIPS certified. Run the following command:

     openssl version
    

    Your output might resemble the following content:

     OpenSSL 1.0.2k-fips  26 Jan 2017

    The -fips suffix in the version string indicates that the FIPS build of OpenSSL is installed.

Your operating system is in FIPS enabled mode.
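The three checks above can be combined into one script. This is an added example, not part of the IBM documentation: each checker takes the command output as an argument so the logic can be exercised on captured text, and collect_os_fips_status runs the live commands on the current node.

```shell
# Added example (not from the IBM documentation). Evaluates the three OS
# indicators: fips=1 on the kernel command line, crypto.fips_enabled = 1 from
# sysctl, and the -fips suffix on the OpenSSL version string.

# Returns 0 if the kernel command line contains fips=1 as a whole word.
cmdline_has_fips() {
    printf '%s\n' "$1" | grep -qw 'fips=1'
}

# Returns 0 if the sysctl output reports crypto.fips_enabled = 1.
sysctl_fips_enabled() {
    printf '%s\n' "$1" | grep -qE '^crypto\.fips_enabled[[:space:]]*=[[:space:]]*1$'
}

# Returns 0 if the OpenSSL version string carries the -fips suffix.
openssl_is_fips_build() {
    printf '%s\n' "$1" | grep -qE '^OpenSSL [0-9][^ ]*-fips'
}

# Evaluates all three indicators, prints one line per check and returns the
# number of failed checks (0 means the operating system is in FIPS mode).
os_fips_status() {
    cmdline="$1"; sysctl_out="$2"; openssl_out="$3"; failed=0
    if cmdline_has_fips "$cmdline"; then echo "kernel cmdline: fips=1 present"
    else echo "kernel cmdline: fips=1 MISSING"; failed=$((failed + 1)); fi
    if sysctl_fips_enabled "$sysctl_out"; then echo "sysctl: crypto.fips_enabled = 1"
    else echo "sysctl: crypto.fips_enabled is NOT 1"; failed=$((failed + 1)); fi
    if openssl_is_fips_build "$openssl_out"; then echo "openssl: FIPS build"
    else echo "openssl: NOT a FIPS build"; failed=$((failed + 1)); fi
    return "$failed"
}

# Collects the live values on this node and evaluates them.
collect_os_fips_status() {
    os_fips_status "$(cat /proc/cmdline)" \
                   "$(sysctl crypto.fips_enabled 2>/dev/null)" \
                   "$(openssl version 2>/dev/null)"
}
```

Run collect_os_fips_status on each node; a non-zero exit status tells you how many of the three indicators are missing.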

Verify volume encryption

Verify that storage volumes are encrypted properly with LUKS encryption. Complete the following steps:

  1. Verify that a LUKS partition exists on each system in your cluster. Run the following command on each node:

     lsblk
    

    Your output might resemble the following content:

     NAME            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
     vda             253:0    0  250G  0 disk
     └─vda1          253:1    0  250G  0 part
       ├─system-swap 254:0    0    8G  0 lvm   [SWAP]
       └─system-root 254:1    0  220G  0 lvm   /var/lib/kubelet/pods/29467a76-e1e6-11e8-998b-00163e01b777/volume-subpaths/logrotate-conf/icp
     vdb             253:16   0  300G  0 disk
     └─CloudVG-Data  254:2    0  250G  0 lvm
       └─luks-data   254:3    0  250G  0 crypt /data

    Note: The luks-data device has type crypt and is mounted on the /data directory, which shows that luks-data is encrypted.

  2. Verify that the IBM Cloud Private installation uses your encrypted file system. Run the following command:

     mount | grep luks-data
    

    Your output must show the directories that IBM Cloud Private uses. Your system might return additional entries. Your output might resemble the following content:

     /dev/mapper/luks-data on /data type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/etcd type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/kubelet type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /opt/ibm type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/icp type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/registry type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/docker type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /etc/cfc type ext4 (rw,relatime,data=ordered)
     /dev/mapper/luks-data on /var/lib/mysql type ext4 (rw,relatime,data=ordered)

  3. Check the status of the encryption. Run the following command:

     cryptsetup status /dev/mapper/luks-data
    

    Your output might resemble the following text:

     /dev/mapper/luks-data is active and is in use.
     type:    LUKS1
     cipher:  aes-xts-plain64
     keysize: 256 bits
     device:  /dev/mapper/CloudVG-Data
     offset:  4096 sectors
     size:    524283904 sectors
     mode:    read/write
    

    Note: LUKS always uses a cipher that is FIPS 140-2 compliant. For more information, see the Red Hat LUKS documentation.

Your storage volumes are encrypted with LUKS encryption.
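The mount and cryptsetup checks in steps 2 and 3 can be scripted against captured output. This is an added example, not part of the IBM documentation: luks_status_ok parses cryptsetup status output and unencrypted_icp_dirs compares mount output against the IBM Cloud Private directories listed above; both read stdin, and the mapping name /dev/mapper/luks-data is the default assumed from this page.

```shell
# Added example (not from the IBM documentation). Both functions read the
# output of the page's commands on stdin so they can run offline on captured
# text: e.g.  cryptsetup status /dev/mapper/luks-data | luks_status_ok
#        and  mount | unencrypted_icp_dirs

# Directories that IBM Cloud Private places on the encrypted volume (from the
# mount listing shown above).
ICP_DIRS="/var/lib/etcd /var/lib/kubelet /opt/ibm /var/lib/icp /var/lib/registry /var/lib/docker /etc/cfc /var/lib/mysql"

# Returns 0 only if the mapping is active, is a LUKS device, uses the
# aes-xts-plain64 cipher and has a key of at least 256 bits.
luks_status_ok() {
    awk '
        /is active/                      { active = 1 }
        /^ *type: *LUKS/                 { luks = 1 }
        /^ *cipher: *aes-xts-plain64/    { cipher = 1 }
        /^ *keysize:/                    { if ($2 + 0 >= 256) keybits = 1 }
        END { exit (active && luks && cipher && keybits) ? 0 : 1 }'
}

# Prints each required directory that is not mounted from the given mapping
# (default /dev/mapper/luks-data) and returns the number of missing ones,
# so 0 means every IBM Cloud Private directory sits on the encrypted volume.
unencrypted_icp_dirs() {
    mapping="${1:-/dev/mapper/luks-data}"
    mounts="$(cat)"
    missing=0
    for dir in $ICP_DIRS; do
        if ! printf '%s\n' "$mounts" | grep -qE "^$mapping on $dir type "; then
            echo "$dir"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```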

Verify IPsec functionality

Verify that IPsec is securing your network traffic. Complete the following steps:

  1. Verify that the IPsec service is running. Check the status of the IPsec service on your operating system.

    • For Red Hat Linux®, run the following command:

       systemctl status ipsec.service
      
    • For Ubuntu, run the following command:

       systemctl status strongswan
      

      Your output might resemble the following content:

      ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
      
        Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
        Active: active (running) since Mon 2018-10-29 08:25:39 PDT; 34min ago
            Docs: man:ipsec(8)
                man:pluto(8)
                man:ipsec.conf(5)
        Process: 25415 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
        Process: 25410 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
        Process: 25131 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
        Process: 25129 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
        Main PID: 25426 (pluto)
          Status: "Startup completed."
      

      Note: If the IPsec service is not running, start the service now and make sure it is configured to start after you reboot your node.

  2. Verify that IPsec is running in FIPS mode. Check the status of IPsec running in FIPS mode for your operating system.

    • For Red Hat Linux, run the following command:

      ipsec status | grep fips
      

      Your output might resemble the following text if FIPS is enabled:

      000 fips mode=enabled;
      
    • For Ubuntu, run the following command:

      ipsec statusall | grep -i fips
      

      Your output might resemble the following content:

      Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1002-fips, x86_64):
      loaded plugins: charon test-vectors nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf agent gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
      
  3. Verify that the IPsec service is encrypting traffic.

    1. Install tcpdump to view the data on the network.

    2. View and verify that the packets on your configured interface are encrypted.

      Note: eth0 is the configured interface in this example. Be sure to use the interface on which IPsec was configured for your IBM Cloud Private installation.

      Run the following command:

      tcpdump -i eth0 | grep ESP
      

      Your output might resemble the following content:

      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      12:43:58.255908 IP wap-worker-1.fyre.ibm.com > wap-master.fyre.ibm.com: ESP(spi=0x1d59f23e,seq=0x3647), length 88
      12:43:58.255995 IP wap-master.fyre.ibm.com > wap-worker-1.fyre.ibm.com: ESP(spi=0xd02dc971,seq=0x19d2), length 68
      12:43:59.667642 IP wap-worker-2.fyre.ibm.com > wap-master.fyre.ibm.com: ESP(spi=0x0cedc094,seq=0x53d4), length 156
      12:43:59.667823 IP wap-worker-2.fyre.ibm.com > wap-master.fyre.ibm.com: ESP(spi=0x0cedc094,seq=0x53d5), length 156
      12:43:59.667862 IP wap-worker-2.fyre.ibm.com > wap-master.fyre.ibm.com: ESP(spi=0x0cedc094,seq=0x53d6), length 236
      12:43:59.667969 IP wap-worker-2.fyre.ibm.com > wap-master.fyre.ibm.com: ESP(spi=0x0cedc094,seq=0x53d7), length 236
      12:43:59.668594 IP wap-master.fyre.ibm.com > wap-worker-2.fyre.ibm.com: ESP(spi=0x3fd0dc47,seq=0x2358), length 88
      12:43:59.668634 IP wap-master.fyre.ibm.com > wap-worker-2.fyre.ibm.com: ESP(spi=0x3fd0dc47,seq=0x2359), length 88
      12:43:59.668995 IP wap-master.fyre.ibm.com > wap-worker-2.fyre.ibm.com: ESP(spi=0x3fd0dc47,seq=0x235a), length 920
      12:43:59.669203 IP wap-master.fyre.ibm.com > wap-worker-2.fyre.ibm.com: ESP(spi=0x3fd0dc47,seq=0x235b), length 920
      

      The ESP packets are encrypted IPsec packets and indicate that the network communication is correctly encrypted with IPsec.
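Filtering the capture with grep ESP shows only the packets that are encrypted; it cannot reveal traffic that still leaves the node in clear text. The following added example (not part of the IBM documentation) summarises a tcpdump capture instead: it counts ESP packets, IKE (isakmp) negotiation packets, and any other IP packets, and exits non-zero when clear-text packets are present. The sample in the test is constructed from the output format shown above.

```shell
# Added example (not from the IBM documentation). Reads tcpdump lines on
# stdin and prints esp=<n> ike=<n> cleartext=<n>; the first few clear-text
# packets are echoed so that the unprotected flow can be identified.
# Exit status is 1 when at least one clear-text IP packet was seen.
esp_summary() {
    awk '
        # Packet lines start with a timestamp; tcpdump banners do not.
        !/^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { next }
        / ESP\(spi=/  { esp++; next }        # encrypted IPsec payload
        /isakmp/      { ike++; next }        # IKE key exchange (expected)
        {
            clear++
            if (clear <= 5) print "CLEARTEXT: " $0
        }
        END {
            printf "esp=%d ike=%d cleartext=%d\n", esp, ike, clear
            exit (clear > 0) ? 1 : 0
        }'
}

# Captures a bounded number of IP packets on the IPsec interface and
# summarises them. Usage: capture_esp_summary eth0 [packet-count]
capture_esp_summary() {
    iface="$1"
    count="${2:-200}"
    tcpdump -i "$iface" -nn -c "$count" ip 2>/dev/null | esp_summary
}
```

Because the summary exits non-zero on clear-text packets, it can be dropped into a node health check as-is; only traffic on the IPsec interface between cluster nodes should be expected to appear as ESP.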

Verify TLS encryption

On each IBM Cloud Private component, verify that FIPS mode is enabled for TLS encryption of network traffic to external endpoints.

WebSphere Liberty Application Server (authentication manager)

Verify that the WebSphere Liberty Application Server runs with FIPS enabled. Complete the following steps:

  1. Obtain the name of the pod that contains the platform-auth-service container. Run the following command:

     kubectl get po -n kube-system | grep auth-idp
    

    Your output might resemble the following text:

     auth-idp-xpxjn                                     4/4       Running     10         1d
    
  2. To open a shell environment to the pod, run the following command:

     kubectl exec -it -n kube-system auth-idp-xpxjn -c platform-auth-service -- /bin/bash
    
  3. Verify that FIPS is enabled in the platform-auth-service container environment. Run the following command:

     env | grep FIPS
    

    Your output might resemble the following content:

     FIPS_ENABLED=true
    
  4. Verify that the WebSphere Liberty Application Server starts in FIPS mode. Run the following command:

     ps -ef | grep java
    

    Your output might resemble the following content:

     10 root       9:50 /opt/ibm/java/jre/bin/java -javaagent:/opt/ibm/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Dcom.ibm.jsse2.usefipsprovider=true -jar /opt/ibm/wlp/bin/tools/ws-server.jar defaultServer

    The -Dcom.ibm.jsse2.usefipsprovider=true option in the Java command line indicates that the server started in FIPS mode.
    
  5. Exit from the shell that you opened to the platform-auth-service container.

Image management components

Complete the following steps to verify that FIPS is enabled for the image management components:

  1. Run the following command to view the image-manager logs:

     kubectl logs -n kube-system image-manager-0 -c image-manager | grep FIPS
    

    Your output might resemble the following content:

     time="2018-11-01T16:22:14Z" level=info msg="handler.APIHandler.ServeCmd (serve.go:99) OpenSSL FIPS mode is set to: True\n "
    
  2. View the icp-registry logs. Run the following command:

     kubectl logs image-manager-0 -n kube-system -c icp-registry | grep FIPS
    

    Your output might resemble the following text:

     2018/11/01 19:33:43 OpenSSL FIPS mode is set to: True.
    

Management ingress

Verify that FIPS is enabled on the management ingress component. Complete the following steps:

  1. Obtain the name of the pod that runs the management ingress component. Run the following command:

     kubectl get po -n kube-system | grep icp-management-ingress
    

    Your output might resemble the following content:

     icp-management-ingress-h7rzq                                   1/1       Running                 0          53m
    
  2. Verify that management ingress is running in FIPS mode. Run the following command:

     kubectl logs -n kube-system icp-management-ingress-h7rzq | grep FIPS
    

    Your output might resemble the following content:

     2018/11/14 21:09:22 [notice] 24#24: FIPS_mode_set() successfully (SSL:)
    

NGINX ingress controller

Verify that FIPS is enabled on the NGINX ingress controller. Complete the following steps:

  1. Obtain the name of the pod that runs the NGINX ingress controller. Run the following command:

     kubectl get po -n kube-system | grep nginx-ingress-controller
    

    Your output might resemble the following content:

     nginx-ingress-controller-tg8zd                                 1/1       Running     0          58m
    
  2. To verify that the NGINX ingress controller is running in FIPS mode, run the following command:

     kubectl logs -n kube-system nginx-ingress-controller-tg8zd | grep FIPS
    

    Your output might resemble the following content:

     2018/11/14 21:07:19 [notice] 36#36: FIPS_mode_set() successfully (SSL:)
    

You have verified that your IBM Cloud Private cluster is FIPS enabled.