Enabling FIPS support

Enable Federal Information Processing Standards (FIPS) and run IBM® Netcool® Operations Insight® on a FIPS-compliant system.

About this task

To enable FIPS support, complete the necessary tasks before you install Netcool Operations Insight.

Note: You can enable FIPS support only when you are installing. You cannot upgrade a non-FIPS enabled environment to a FIPS-enabled environment.

Procedure

Enable FIPS support for your Red Hat® OpenShift® container platform cluster before you install Netcool Operations Insight. When you install Netcool Operations Insight, the installation process detects whether FIPS is enabled on the Red Hat OpenShift container platform cluster and, if it is, enables FIPS support for Netcool Operations Insight automatically.

To enable FIPS for Netcool Operations Insight, first enable FIPS support on your Red Hat OpenShift container platform cluster by completing the following tasks as part of installing the Red Hat OpenShift container platform:

  1. Enable FIPS mode on all of your nodes. For more information, see Support for FIPS cryptography.
  2. Install the Red Hat OpenShift container platform in FIPS mode. For more information, see Installing a cluster in FIPS mode in the Red Hat OpenShift documentation.
    Note: FIPS is supported only on x86_64 hardware.
  3. Configure TLS protection for pod-to-pod communication. Pod-to-pod communication must always be TLS protected. IPsec tunnels are the recommended way to protect communication between the nodes in your cluster, but if you require a different method to secure your nodes, you can use your preferred method.

    With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel.

    IPsec is disabled by default when you install Red Hat OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.

    Complete the following steps to configure your Red Hat OpenShift cluster with IPsec enabled.

    1. Create the install-config.yaml file. Change to the directory that contains the installation program and run the following command:
      ./openshift-install create install-config --dir <installation_directory>

      For the <installation_directory> variable, specify the directory name that stores the files that the installation program creates.

    2. At the prompts, provide the configuration details for your cloud:
      • Select an SSH key to use to access your cluster computers.
      • Select AWS as the platform to target.
      • If you do not have an Amazon Web Services (AWS) profile that is stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
      • Select the AWS region to deploy the cluster to.
      • Select the base domain for the Route 53 service that you configured for your cluster.
      • Enter a descriptive name for your cluster.
      • Paste the pull secret from the Red Hat OpenShift Cluster Manager.
    3. Modify the install-config.yaml file. For more information about the available parameters in the Red Hat OpenShift container platform, see Creating the installation configuration file.
    4. Back up the install-config.yaml file so that you can use it to install multiple clusters. For more information about the installation configuration file, see Creating the installation configuration file in the Red Hat OpenShift documentation.
    5. After you create your install-config.yaml file, switch the default CNI, the Red Hat OpenShift SDN, to an OVN-Kubernetes CNI by updating the install-config.yaml file:
      apiVersion: v1
      baseDomain: rober.lab
      compute:
      - hyperthreading: Enabled
        name: worker
        replicas: 0
      controlPlane:
        hyperthreading: Enabled
        name: master
        replicas: 3
      metadata:
        name: ocp4
      networking:
        clusterNetwork:          # current key name; the older clusterNetworks spelling is deprecated
        - cidr: 10.254.0.0/16
          hostPrefix: 24
        networkType: OVNKubernetes   # replaces the OpenShift SDN default; OVN-Kubernetes is required for IPsec
        serviceNetwork:
        - 172.30.0.0/16
      platform:
        none: {}
      # The two values below are literal strings in YAML; the $(< file) substitutions
      # expand only if this file is generated through a shell heredoc.
      pullSecret: '$(< ~/.openshift/pull-secret)'
      sshKey: '$(< ~/.ssh/id_rsa.pub)'
    6. Generate the manifests from the install-config.yaml file by running the following command:
      openshift-install create manifests
    7. Create a cluster-network-03-config.yaml file and copy it to the manifests directory:
      apiVersion: operator.openshift.io/v1
      kind: Network
      metadata:
        name: cluster
      spec:
        defaultNetwork:
          type: OVNKubernetes
          ovnKubernetesConfig:
            ipsecConfig: {}   # an empty object is sufficient to enable IPsec for pod-to-pod traffic
            mtu: 1400         # overlay MTU; IPsec adds encapsulation overhead, so keep headroom below the node MTU
    8. Deploy your cluster:
      openshift-install create cluster --dir <installation_directory>
    9. After your Red Hat OpenShift installation is finished, verify that IPsec is successfully enabled.
      To check the ovn-ipsec daemon set, which manages the daemons responsible for configuring IPsec on each node, run the oc get ds -n openshift-ovn-kubernetes ovn-ipsec command:
      # oc get ds -n openshift-ovn-kubernetes ovn-ipsec
      NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
      ovn-ipsec   6         6         6       6            6           beta.kubernetes.io/os=linux   3d3h

      By running the oc get pod -n openshift-ovn-kubernetes -o wide | grep ipsec command, you can verify that IPsec pods are running in all the nodes of your Red Hat OpenShift cluster:

      # oc get pod -n openshift-ovn-kubernetes -o wide | grep ipsec
      ovn-ipsec-4qp86        1/1     Running   0          38m   192.168.7.23   master2.ocp4.rober.lab   <none>           <none>
      ovn-ipsec-pk7vh        1/1     Running   0          38m   192.168.7.21   master0.ocp4.rober.lab   <none>           <none>
      ovn-ipsec-q4mwj        1/1     Running   0          22m   192.168.7.11   worker0.ocp4.rober.lab   <none>           <none>
      ovn-ipsec-trz5m        1/1     Running   0          22m   192.168.7.12   worker1.ocp4.rober.lab   <none>           <none>
      ovn-ipsec-vjmw8        1/1     Running   0          38m   192.168.7.22   master1.ocp4.rober.lab   <none>           <none>

      For more information, see Specifying advanced network configuration.

  4. If your deployment's storage must be compliant with FIPS, enable any necessary FIPS settings and support for your chosen storage. Refer to your storage provider's documentation to ensure that your storage meets this requirement.

    Red Hat OpenShift Data Foundation uses FIPS 140-2 certified cryptographic modules. For more information, see Cluster-wide encryption.

    Portworx uses FIPS 140-2 certified cryptographic modules. Portworx can encrypt each of the persistent volumes individually, or it can encrypt the whole storage cluster. For more information, see Create encrypted PVCs.

  5. After you enable FIPS support, install Netcool Operations Insight. For more information, see Installing Netcool Operations Insight.
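As an added verification aid (example code, not from the IBM or Red Hat documentation), the functions below check the three things this procedure depends on: that the Network operator manifest from step 7 selects OVN-Kubernetes with IPsec, that every node reports FIPS mode, and that the ovn-ipsec daemon set from step 9 is fully rolled out. The sample outputs are constructed; the oc commands in the trailing comment show how to feed live output, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the IBM or Red Hat documentation. Each check reads command
# output or file content from stdin, so it can run offline on the constructed samples
# below and be fed live output when run against a cluster. Exit status 0 means "pass".

# Pre-deploy: does a Network operator manifest select OVN-Kubernetes and request IPsec?
manifest_enables_ipsec() {
  awk '$1 == "type:" && $2 == "OVNKubernetes" { ovn = 1 }
       $1 == "ipsecConfig:" { ipsec = 1 }
       END { exit !(ovn && ipsec) }'
}

# Post-deploy: does every node report 1 in /proc/sys/crypto/fips_enabled?
# Input is one "<node> <value>" pair per line; empty input fails.
all_nodes_fips() {
  awk '$2 != 1 { bad++ } END { exit (NR == 0 || bad > 0) }'
}

# Post-deploy: is the ovn-ipsec daemon set fully rolled out?
# Requires DESIRED == CURRENT == READY == UP-TO-DATE == AVAILABLE and DESIRED > 0.
ipsec_ds_healthy() {
  awk 'NR == 1 { next }
       $1 == "ovn-ipsec" { found = 1
         if ($2 == 0 || $2 != $3 || $2 != $4 || $2 != $5 || $2 != $6) bad = 1 }
       END { exit !(found && !bad) }'
}

# Constructed samples standing in for live output.
SAMPLE_MANIFEST='spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}'
SAMPLE_FIPS_GOOD='master0 1
master1 1
worker0 1'
SAMPLE_FIPS_BAD='master0 1
worker0 0'
SAMPLE_DS_GOOD='NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
ovn-ipsec   6         6         6       6            6           beta.kubernetes.io/os=linux   3d3h'
SAMPLE_DS_BAD='NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
ovn-ipsec   6         6         4       6            4           beta.kubernetes.io/os=linux   3d3h'

# Live use (oc logged in with cluster-admin); each pipeline returns non-zero on failure:
#   manifest_enables_ipsec < manifests/cluster-network-03-config.yaml
#   for n in $(oc get nodes -o name); do
#     printf '%s %s\n' "${n#node/}" \
#       "$(oc debug -q "$n" -- chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null)"
#   done | all_nodes_fips
#   oc get ds -n openshift-ovn-kubernetes ovn-ipsec | ipsec_ds_healthy
```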