Enabling FIPS modes on IAS
The configure_fips.py script manages the FIPS settings on IAS.
- It is located on every node at /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py.
- You can run it from any node.
- The script applies the changes on all the nodes.
- After you enable or disable FIPS, you must restart all of the nodes for the change to take effect.
- The log file is located in /var/log/appliance/platform/xcat/configure_fips.log.tracelog.
The configure_fips.py script
[root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --h
usage: configure_fips.py [-h] [--enable] [--disable]
This script will manage fips settings
optional arguments:
-h, --help show this help message and exit
--enable
--disable
[root@e1n1 ~]#
- -h | --help
  Displays the help message and exits.
- --enable
  Enables FIPS on every node. You can verify the outcome of the command by running the sysctl crypto.fips_enabled command from a node. For example:
  [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --enable
  [root@e1n1 ~]# // reboot all the nodes
  [root@e1n1 ~]# sysctl crypto.fips_enabled
  crypto.fips_enabled = 1
  [root@e1n1 ~]#
- --disable
  Disables FIPS on every node. You can verify the outcome of the command by running the sysctl crypto.fips_enabled command from a node. For example:
  [root@e1n1 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --disable
  [root@e1n1 ~]# // reboot all the nodes
  [root@e1n1 ~]# sysctl crypto.fips_enabled
  crypto.fips_enabled = 0
  [root@e1n1 ~]#
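The option descriptions above verify the FIPS state on a single node. The following POSIX shell script is an added example, not part of the IAS documentation: it checks every node returned by display_nodes.py (the node-listing script used in the procedure on this page) and lists any node whose crypto.fips_enabled value differs from the expected one, so a node that missed the reboot or the configuration change stands out. It assumes passwordless root ssh to each node; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the IAS documentation): after configure_fips.py and
# the reboot, confirm that every node reports the same crypto.fips_enabled value.

# Run "sysctl -n crypto.fips_enabled" on one node and print its value.
# Assumes root ssh access; redefine this function to feed other input.
fips_value_on_node() {
    ssh "$1" 'sysctl -n crypto.fips_enabled' 2>/dev/null
}

# check_fips_nodes EXPECTED NODE...
# Prints "node value" for every node that does not report EXPECTED
# (1 = FIPS on, 0 = FIPS off). An unreachable node is reported as
# "unknown". Returns 0 when all nodes match, 1 otherwise.
check_fips_nodes() {
    expected="$1"; shift
    rc=0
    for node in "$@"; do
        # A failed probe must not abort the loop; treat it as a mismatch.
        value=$(fips_value_on_node "$node") || value=""
        if [ "${value:-unknown}" != "$expected" ]; then
            echo "$node ${value:-unknown}"
            rc=1
        fi
    done
    return $rc
}

# Live invocation on the appliance (node list from display_nodes.py):
# check_fips_nodes 1 $(/opt/ibm/appliance/platform/xcat/scripts/xcat/display_nodes.py)
```

Run it once after all nodes are back up; an empty report with exit status 0 means every node is in the expected FIPS state.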
Procedure
- Log in as the root user.
- Run the following command, depending on whether you want to enable or disable FIPS:
  - To enable FIPS:
    [root@node0101 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --enable
  - To disable FIPS:
    [root@node0101 ~]# /opt/ibm/appliance/platform/xcat/scripts/xcat/configure_fips.py --disable
- If you are on 1.0.24.0, enable or disable FIPS at the GPFS level:
  - Enable FIPS at the GPFS level:
    mmchconfig FIPS1402mode=yes
  - Disable FIPS at the GPFS level:
    mmchconfig FIPS1402mode=no
- If you are on 1.0.24.0, generate FIPS compliant authentication keys for GPFS. Follow the steps that are described in Updating a GPFS cluster to nistCompliance SP800-131A.
- Restart all of the nodes by running the appliance shutdown and startup steps. Note: For a multiple rack system, you must run the commands from the head node of each rack.
  - Verify that the system is active and ready. From node0101, run:
    ap state -d
    Example:
    [root@gt14-node1 ~]# ap state -d
    System state is 'Ready'
    Application state is 'Ready'
    Platform management state is 'Active'
  - Stop the system and services. From node0101, run:
    apstop
    apstop --service
  - Shut down the GPFS file system from the first control node (for example, node0101):
    - If you are on 1.0.30.0 or a later version, run the following commands:
      mmumount all -a
      mmshutdown -a
    - For all other versions, run the following commands:
      systemctl stop nfs
      mmumount all -a
      mmshutdown -a
  - Verify that the GPFS file systems are unmounted:
    mmlsmount all -L
    Example:
    [root@node0101 ~]# mmlsmount all -L
    mmcommon: mmremote command cannot be executed. Either none of the nodes in the cluster are reachable, or GPFS is down on all of the nodes.
    mmlsmount: Command failed. Examine previous error messages to determine cause.
  - Shut down docker. Note: If you are on 1.0.30.0 or a later version, use podman instead of docker. If you are on 1.0.25.0, skip this step.
    for node in $(/opt/ibm/appliance/platform/xcat/scripts/xcat/display_nodes.py); do ssh $node "service docker stop"; done
  - Restart all nodes, starting from the last node. This command is for a 1-rack system:
    for ip in node0{1..1}0{7..1}; do echo $ip; ssh $ip 'shutdown -r'; done
  - Start docker. Note: If you are on 1.0.30.0 or a later version, use podman instead of docker. If you are on 1.0.25.0, skip this step.
    for node in $(/opt/ibm/appliance/platform/xcat/scripts/xcat/display_nodes.py); do ssh $node "service docker start"; done
  - Start GPFS, mount the GPFS file systems, and verify the GPFS state:
    mmstartup -a
    mmmount all -a
    mmgetstate -aLv
    Note: For a multiple rack system, you must run the commands from the head node of each rack.
  - Run the apstart command and wait for the system to come online:
    apstart
  - Verify that the system state is Ready and Active:
    ap state -d
    Example:
    [root@node0101 ~]# ap state -d
    System state is 'Ready'
    Application state is 'Ready'
    Platform management state is 'Active'
  - Run the ap node and ap sw commands to see whether the appliance is working correctly:
    ap node
    ap sw
- Verify that the system is active and ready. From