Complying with FIPS requirements
The United States and Canadian governments published the Federal Information Processing Standard (FIPS) Publication 140-2, which specifies the security requirements for cryptographic modules that safeguard sensitive data.
Federal clients must use software products that are FIPS-compliant. Section 5131 of the Information Technology Management Reform Act of 1996 requires FIPS 140-2 validation for every product that is sold to government agencies in the United States.
You can install Instana on Self-Hosted Custom Edition (Kubernetes or Red Hat OpenShift Container Platform) clusters. Instana uses six third-party data stores and their operators to process and store various types of data. Most of the data stores and their operators do not have the encryption modules that are required to comply with FIPS standards. Therefore, Instana provides the required cryptographic modules to the data stores and operators to make them FIPS-compliant. Also, you can use new Docker images that are built with the required modifications.
- Prerequisites
- Installing Red Hat OpenShift Container Platform in FIPS mode
- Verification
- FIPS-compliant images of third-party data stores and operators
- Installing Instana
Prerequisites
Before you install Instana, make sure that you have a FIPS-enabled cluster.
Install the following components in the cluster:
Installing Red Hat OpenShift Container Platform in FIPS mode
You can configure OpenShift Container Platform clusters to operate in FIPS mode. For more information, see Support for FIPS cryptography.
Verification
To verify that your cluster is configured in FIPS mode, complete the following steps:
- Log in to the cluster as a user with cluster administrator privileges.
- To check whether FIPS is enabled in the installation configuration, run the following command:
  kubectl get cm cluster-config-v1 -n kube-system -o json | jq -r '.data."install-config"' | grep -i "fips"
- In the command output, verify that the fips: setting is set to true. For example, see the following output (the second line matches only because the cluster name contains "fips"):
  fips: true
  name: instanta-fips-test-01
- To obtain the names of the machine configurations, run the following command:
  kubectl get mcp
- In the command output, the configuration name is in the CONFIG column. For example, see the following output:
  NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
  master   rendered-master-9315fe98ae7415bae951bd94e210ea13   True      False      False      3              3                   3                     0                      75d
  worker   rendered-worker-9c1c2865c14e5edf0c5c6c285678abb7   True      False      False      5              5                   5                     0                      75d
- For each configuration, to verify that Fips: is set to true, run the following command:
  kubectl describe mc <CONFIG> | grep Fips
  a. The previous example returns two configurations, so you must run the command for each of them. For example, see the following command:
     kubectl describe mc rendered-master-9315fe98ae7415bae951bd94e210ea13 | grep Fips
  b. The command output must contain Fips: true. For example, see the following output:
     Fips: true
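The verification steps above combined into one script, as an added example that is not part of the Instana documentation; it assumes that kubectl and jq are on PATH and that the current kubeconfig context points at the cluster being checked.

```shell
#!/bin/sh
# Added example (not from the Instana documentation): the FIPS verification
# steps combined into one script. Assumes kubectl and jq are on PATH and the
# current kubeconfig context points at the cluster being checked.

# Read the install-config YAML on stdin; succeed only if it contains a
# "fips: true" line (indentation allowed, case-insensitive like grep -i).
check_install_config_fips() {
  grep -Eiq '^[[:space:]]*fips:[[:space:]]*true[[:space:]]*$'
}

# Read `kubectl get mcp` output on stdin and print the CONFIG column,
# skipping the header line.
rendered_configs() {
  awk 'NR > 1 { print $2 }'
}

# Read `kubectl describe mc <CONFIG>` output on stdin; succeed only if the
# machine config reports "Fips: true".
check_mc_fips() {
  grep -Eq '^[[:space:]]*Fips:[[:space:]]*true[[:space:]]*$'
}

# Run every check against the live cluster; returns non-zero if any fails.
verify_cluster_fips() {
  kubectl get cm cluster-config-v1 -n kube-system -o json \
    | jq -r '.data."install-config"' | check_install_config_fips \
    || { echo "install-config: fips is not set to true" >&2; return 1; }
  rc=0
  for cfg in $(kubectl get mcp | rendered_configs); do
    if kubectl describe mc "$cfg" | check_mc_fips; then
      echo "$cfg: Fips: true"
    else
      echo "$cfg: Fips is not set to true" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Only contact the cluster when invoked as: sh fips-check.sh --run
if [ "${1:-}" = "--run" ]; then
  verify_cluster_fips
fi
```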
FIPS-compliant images of third-party data stores and operators
For a complete list of FIPS-compliant images of third-party operators and data stores, see Mirroring operator images in the image registry (bastion host).
Installing Instana
After you verify the FIPS configuration on your cluster, you can install Instana. For more information, see Using third-party Kubernetes Operators.