Complying with FIPS
Federal Information Processing Standards (FIPS) are standards and guidelines that are issued by the National Institute of Standards and Technology (NIST) for federal government computer systems.
The standards are developed when compelling federal government requirements for standards, such as for security and interoperability, exist, but acceptable industry standards or solutions do not exist. Government agencies and financial institutions use these standards to ensure that products conform to specified security requirements.
- IBM® Netcool® Operations Insight® complies with the security and privacy assessments, which might or might not apply to all add-on services on Netcool Operations Insight.
- Customers are responsible for ensuring their own readiness for the laws and regulations that apply to them.
- Customers are responsible for identifying and interpreting any relevant laws and regulations that might affect their users and any actions that their users might need to take to comply with these laws and regulations.
- Customers must track whether personal information is present in their data. Netcool Operations Insight is not aware of the presence of personal information in the data that it handles.
Netcool Operations Insight uses cryptographic modules that are compliant with Level 1 of the Federal Information Processing Standard FIPS-140-2. Certificates that are used internally are encrypted by using FIPS-approved cryptography algorithms. FIPS-approved modules can optionally be used for the transmission of data.
The current IBM approach to FIPS compliance
The current approach of Netcool Operations Insight to FIPS compliance is a boundary approach that is enabled by the FIPS boundaries. In this approach to FIPS compliance, all pods are FIPS tolerant. Pods can run without issues on a FIPS-enabled Red Hat OpenShift cluster with a compliant boundary that is secured at external touch points. Traffic inside the boundary is still secure because traffic between nodes is automatically encrypted at the Red Hat OpenShift container platform level by using IPsec. Meanwhile, traffic inside a node happens in memory and never leaves the node.
The overall Netcool Operations Insight product is FIPS-compliant. The internals are hidden, and anything that is exposed externally outside the boundary is FIPS-compliant. The hidden internals are secure, and any traffic that leaves the box, such as to communicate across nodes, is also transparently secured.
Ensuring Netcool Operations Insight meets FIPS compliance requirements
- Deploy the Red Hat OpenShift cluster in FIPS mode. Set fips: true in the install-config.yaml file before you deploy your cluster. For more information, see Support for FIPS cryptography in the Red Hat OpenShift documentation.
- For validation, connect to the main or worker node by using oc debug node/<node name>:
  sh-4.4# cat /proc/sys/crypto/fips_enabled
  1
  sh-4.4# sysctl crypto.fips_enabled
  crypto.fips_enabled = 1
- Alternatively, look for the FIPS setting in the cluster-config-v1 configmap of the cluster:
  oc get cm cluster-config-v1 -n kube-system
  Ensure that fips: true is present in the data section.
- Configure Netcool Operations Insight routes by using reencrypt instead of pass-through. With reencrypt, the external communication between the client, such as a browser or a terminal, and the service is terminated with Red Hat OpenShift cryptography for TLS. If a route is pass-through, the route's target service must itself use a validated module, or it must be possible to reconfigure the route as a reencrypt route. The route certificate must use a FIPS-approved algorithm and key size, such as a 2048-bit RSA certificate.
- Pod-to-pod communication must always be TLS protected. FIPS is preferred but not mandatory for internal communication. Optionally, enable IPsec and use the OVN-Kubernetes Container Network Interface (CNI) plug-in to protect pod-to-pod communication across nodes at the network layer. IPsec encrypts data packets by using a FIPS-validated module from the operating system. For more information, see Configuring IPsec encryption in the Red Hat OpenShift documentation.
- Local storage and etcd encryption use a Red Hat FIPS-validated module. If you use a vendor-specific storage solution, follow the vendor-provided procedure to turn on FIPS mode.
Enable FIPS between nodes
- Switch the default CNI from Red Hat OpenShift SDN to the OVN-Kubernetes CNI. Change the install-config.yaml file to match the following example:
  networking:
    clusterNetwork:
    - cidr: 10.128.0.0/14
      hostPrefix: 23
    networkType: OVNKubernetes
    serviceNetwork:
    - 172.30.0.0/16
- Create a manifest for the installation so that you can add the cluster-network-03-config.yml file to the manifest:
  apiVersion: operator.openshift.io/v1
  kind: Network
  metadata:
    name: cluster
  spec:
    defaultNetwork:
      ovnKubernetesConfig:
        ipsecConfig: {}
- Complete the installation.
- For more information about network configuration, see Network configuration phases in the Red Hat OpenShift documentation.
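The settings that the two procedures above call for (fips: true and networkType: OVNKubernetes in install-config.yaml, ipsecConfig in the cluster-network-03-config.yml manifest, reencrypt termination on routes, and the node's crypto.fips_enabled value) gathered into an added offline preflight script. This is not IBM or Red Hat tooling; the sample manifests are constructed here and the file paths are assumptions.

```shell
#!/bin/sh
# Added preflight checker (not IBM or Red Hat tooling) for the settings the
# procedures above require. Runs offline on local manifests; paths are assumed.

# Match "key: value" on its own line, tolerating YAML indentation.
has_kv() { grep -Eq "^[[:space:]]*$2:[[:space:]]*$3[[:space:]]*$" "$1"; }

# install-config.yaml must enable FIPS and select the OVN-Kubernetes CNI.
check_install_config() {
  has_kv "$1" fips true || { echo "FAIL $1: fips: true not set"; return 1; }
  has_kv "$1" networkType OVNKubernetes || { echo "FAIL $1: networkType is not OVNKubernetes"; return 1; }
}

# cluster-network-03-config.yml must enable IPsec via ipsecConfig.
check_network_manifest() {
  grep -Eq '^[[:space:]]*ipsecConfig:' "$1" || { echo "FAIL $1: ipsecConfig missing"; return 1; }
}

# Routes must terminate TLS with reencrypt, not passthrough.
check_route() {
  has_kv "$1" termination reencrypt || { echo "FAIL $1: termination is not reencrypt"; return 1; }
}

# Accepts the bare /proc/sys/crypto/fips_enabled value or the
# "crypto.fips_enabled = 1" line from sysctl; succeeds only when it is 1.
check_node_fips() {
  v=$(printf '%s' "$1" | sed 's/.*=//' | tr -d '[:space:]')
  [ "$v" = "1" ]
}

# Constructed sample manifests so the checks run without a cluster.
tmp=$(mktemp -d)
printf 'fips: true\nnetworking:\n  networkType: OVNKubernetes\n' > "$tmp/install-config.yaml"
printf 'spec:\n  defaultNetwork:\n    ovnKubernetesConfig:\n      ipsecConfig: {}\n' > "$tmp/cluster-network-03-config.yml"
printf 'spec:\n  tls:\n    termination: reencrypt\n' > "$tmp/route.yaml"
printf 'spec:\n  tls:\n    termination: passthrough\n' > "$tmp/route-passthrough.yaml"

check_install_config "$tmp/install-config.yaml" && \
check_network_manifest "$tmp/cluster-network-03-config.yml" && \
check_route "$tmp/route.yaml" && \
check_node_fips "crypto.fips_enabled = 1" && echo "preflight OK"
```

On a real cluster, export the manifests with oc get ... -o yaml and pass the node's cat /proc/sys/crypto/fips_enabled output to check_node_fips.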
FIPS mode in Netcool Operations Insight
Three components in Netcool Operations Insight can be FIPS enabled: Management Ingress, NGINX Ingress, and Identity and Access Management (IAM). The settings are independent from Red Hat OpenShift FIPS, which means that even if the cluster host operating system is not FIPS enabled, these components can still run in FIPS mode.
For more information about how to enable FIPS mode, see Configuring IBM Cloud Pak® foundational services by using the CommonService custom resource.
Setting parameters
To enable FIPS, enter the following settings in the deployment common custom resource YAML file:
  spec:
    helmValuesNOI:
      impactgui.fips_enabled: true
      nciserver.fips_enabled: true
FIPS storage requirements
If you want the storage for your Netcool Operations Insight on Red Hat OpenShift deployment to be FIPS-compliant, refer to your storage provider's documentation to ensure that your storage meets this requirement.