Enable Federal Information Processing Standards (FIPS) and run IBM® Netcool® Operations Insight® on a FIPS-compliant system.
About this task
To enable FIPS support, complete the necessary tasks before you install Netcool Operations Insight.
Note: You can enable FIPS support only when you are installing. You cannot upgrade a non-FIPS enabled environment to a FIPS-enabled environment.
Procedure
Enable FIPS support for your Red Hat® OpenShift® container platform cluster before you install Netcool Operations Insight. When you install Netcool Operations Insight, the installation process automatically detects whether FIPS support is enabled on your Red Hat OpenShift container platform cluster. If FIPS is enabled on the Red Hat OpenShift container platform, FIPS support is automatically enabled for Netcool Operations Insight.
To enable FIPS for Netcool Operations Insight, first enable FIPS support on your Red Hat OpenShift container platform cluster by completing the following tasks as part of installing the Red Hat OpenShift container platform:
- Enable FIPS mode on all of your nodes. For more information, see Support for FIPS cryptography.
- Install the Red Hat OpenShift container platform in FIPS mode. For more information, see Installing a cluster in FIPS mode in the Red Hat OpenShift documentation.
  Note: FIPS is supported only on x86_64 hardware.
- Configure TLS protection for pod-to-pod communication. Pod-to-pod communication must always be TLS protected. IPsec tunnels are the recommended way to protect communication across the nodes in your cluster; if you require a different method to secure your nodes, you can use your preferred method.
  With IPsec enabled, all network traffic between nodes on the OVN-Kubernetes Container Network Interface (CNI) cluster network travels through an encrypted tunnel. IPsec is disabled by default when you install Red Hat OpenShift 4.x clusters. IPsec encryption can be enabled only during cluster installation and cannot be disabled after it is enabled.
  Complete the following steps to configure your Red Hat OpenShift cluster with IPsec enabled.
  - Create the install-config.yaml file. Change to the directory that contains the installation program and run the following command:
    ./openshift-install create install-config --dir <installation_directory>
    For the <installation_directory> variable, specify the directory name that stores the files that the installation program creates.
  - At the prompts, provide the configuration details for your cloud:
    - Select an SSH key to use to access your cluster computers.
    - Select AWS as the platform to target.
    - If you do not have an Amazon Web Services (AWS) profile that is stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
    - Select the AWS region to deploy the cluster to.
    - Select the base domain for the Route 53 service that you configured for your cluster.
    - Enter a descriptive name for your cluster.
    - Paste the pull secret from the Red Hat OpenShift Cluster Manager.
  - Modify the install-config.yaml file. For more information about the available parameters in the Red Hat OpenShift container platform, see Creating the installation configuration file.
  - Back up the install-config.yaml file so that you can use it to install multiple clusters. For more information about the installation configuration file, see Creating the installation configuration file in the Red Hat OpenShift documentation.
  - After you create your install-config.yaml file, switch the default CNI, the Red Hat OpenShift SDN, to the OVN-Kubernetes CNI by updating the install-config.yaml file:
    apiVersion: v1
    baseDomain: rober.lab
    compute:
    - hyperthreading: Enabled
      name: worker
      replicas: 0
    controlPlane:
      hyperthreading: Enabled
      name: master
      replicas: 3
    metadata:
      name: ocp4
    networking:
      clusterNetworks:
      - cidr: 10.254.0.0/16
        hostPrefix: 24
      networkType: OVNKubernetes
      serviceNetwork:
      - 172.30.0.0/16
    platform:
      none: {}
    pullSecret: '$(< ~/.openshift/pull-secret)'
    sshKey: '$(< ~/.ssh/id_rsa.pub)'
  - Generate the manifests from the install-config.yaml file by running the following command:
    openshift-install create manifests
  - Create a cluster-network-03-config.yaml file and copy it to the manifests directory:
    apiVersion: operator.openshift.io/v1
    kind: Network
    metadata:
      name: cluster
    spec:
      defaultNetwork:
        type: OVNKubernetes
        ovnKubernetesConfig:
          ipsecConfig: {}
          mtu: 1400
  - Deploy your cluster:
    openshift-install create cluster --dir <installation_directory>
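Because both settings in the steps above are install-time only (FIPS cannot be added by upgrade, and IPsec cannot be enabled after installation), it is worth checking the install-config.yaml before the manifests are generated and confirming that the IPsec manifest actually landed in the manifests directory. The following POSIX shell script is an added example and is not code from the IBM page or from the OpenShift installer. It assumes the install-config.yaml key names used by the OpenShift installer: networkType: OVNKubernetes (shown on this page) and the top-level fips: true key documented in the "Installing a cluster in FIPS mode" topic that this page refers to but does not reproduce. The sample install-config it writes is constructed from the page's own example with fips: true added.

```shell
#!/bin/sh
# Added example, not from the IBM page or the OpenShift installer: pre-flight checks
# run between "openshift-install create install-config" and "create manifests".
# Assumed key names (from OpenShift install-config.yaml documentation):
#   networkType: OVNKubernetes   -> required for OVN IPsec
#   fips: true                   -> cluster-wide FIPS mode; absent from the page's sample

# check_install_config FILE: succeed only if FIPS mode and the OVN-Kubernetes CNI are both set.
check_install_config() {
  cfg="$1"
  ok=0
  grep -Eq '^[[:space:]]*networkType:[[:space:]]*OVNKubernetes[[:space:]]*$' "$cfg" \
    || { echo "$cfg: networkType is not OVNKubernetes, so IPsec cannot be enabled" >&2; ok=1; }
  grep -Eq '^fips:[[:space:]]*true[[:space:]]*$' "$cfg" \
    || { echo "$cfg: fips: true is missing, the cluster would install without FIPS mode" >&2; ok=1; }
  return $ok
}

# write_ipsec_manifest MANIFESTS_DIR: add the Network operator manifest that turns on IPsec
# (the same cluster-network-03-config.yaml the page shows) and confirm the file was written.
write_ipsec_manifest() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/cluster-network-03-config.yaml" <<'EOF'
apiVersion: operator.openshift.io/v1
kind: Network
metadata:
  name: cluster
spec:
  defaultNetwork:
    type: OVNKubernetes
    ovnKubernetesConfig:
      ipsecConfig: {}
      mtu: 1400
EOF
  grep -q 'ipsecConfig: {}' "$dir/cluster-network-03-config.yaml"
}

# write_sample_config FILE: constructed sample, the page's install-config with "fips: true"
# added (cluster name and domain are the page's placeholders, not a real environment).
write_sample_config() {
  cat > "$1" <<'EOF'
apiVersion: v1
baseDomain: rober.lab
fips: true
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
metadata:
  name: ocp4
networking:
  clusterNetworks:
  - cidr: 10.254.0.0/16
    hostPrefix: 24
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  none: {}
EOF
}

# Run directly as: sh preflight.sh <installation_directory>
# The full sequence on a real directory would then be:
#   check_install_config "$dir/install-config.yaml" \
#     && openshift-install create manifests --dir "$dir" \
#     && write_ipsec_manifest "$dir/manifests" \
#     && openshift-install create cluster --dir "$dir"
if [ -n "${1:-}" ]; then
  check_install_config "$1/install-config.yaml" \
    && echo "$1/install-config.yaml: FIPS mode and OVN-Kubernetes are set"
fi
```

The checks are deliberately strict line matches rather than a YAML parse, so they run on any node that has only a POSIX shell; a failure exits non-zero, which lets the script gate the create manifests step in a pipeline.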
  - After your Red Hat OpenShift installation is finished, verify that IPsec is successfully enabled. To check the ovn-ipsec daemon set that manages the daemons that are responsible for configuring IPsec, run the oc get ds -n openshift-ovn-kubernetes ovn-ipsec command:
    # oc get ds -n openshift-ovn-kubernetes ovn-ipsec
    NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
    ovn-ipsec   6         6         6       6            6           beta.kubernetes.io/os=linux   3d3h
    By running the oc get pod -n openshift-ovn-kubernetes -o wide | grep ipsec command, you can verify that IPsec pods are running in all the nodes of your Red Hat OpenShift cluster:
    # oc get pod -n openshift-ovn-kubernetes -o wide | grep ipsec
    ovn-ipsec-4qp86   1/1   Running   0   38m   192.168.7.23   master2.ocp4.rober.lab   <none>   <none>
    ovn-ipsec-pk7vh   1/1   Running   0   38m   192.168.7.21   master0.ocp4.rober.lab   <none>   <none>
    ovn-ipsec-q4mwj   1/1   Running   0   22m   192.168.7.11   worker0.ocp4.rober.lab   <none>   <none>
    ovn-ipsec-trz5m   1/1   Running   0   22m   192.168.7.12   worker1.ocp4.rober.lab   <none>   <none>
    ovn-ipsec-vjmw8   1/1   Running   0   38m   192.168.7.22   master1.ocp4.rober.lab   <none>   <none>
    For more information, see Specifying advanced network configuration.
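Reading the two listings above by eye does not scale past a handful of nodes, and a daemon set whose DESIRED count matches READY still says nothing about whether every node in the cluster is covered. The following POSIX shell script is an added example, not code from the IBM page: it parses the same oc output that the verification step shows and turns it into pass/fail checks. The functions read command output on stdin, so they can be fed from a live cluster; the daemon set line, pod listing and node list embedded here are constructed samples modelled on the page's output (the hostnames are the page's) and are not captured from a real cluster. It also checks the per-node FIPS flag from /proc/sys/crypto/fips_enabled, which the page's first prerequisite (FIPS mode on all nodes) requires but does not show how to verify; reading that file through oc debug is an assumption about how you would collect it.

```shell
#!/bin/sh
# Added example, not from the IBM page: scripted checks for the IPsec and FIPS state.
# Live usage (each function reads the command output on stdin):
#   oc get ds -n openshift-ovn-kubernetes ovn-ipsec | ds_ready
#   oc get pod -n openshift-ovn-kubernetes -o wide > pods.txt
#   oc get nodes -o name | sed 's|^node/||' | missing_ipsec_nodes pods.txt
#   oc debug node/<node> -- chroot /host cat /proc/sys/crypto/fips_enabled | fips_flag_ok

# ds_ready: succeed only if the ovn-ipsec daemon set has DESIRED == CURRENT == READY == AVAILABLE > 0.
# Column order follows "oc get ds": NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE ...
ds_ready() {
  awk '$1 == "ovn-ipsec" && $2 + 0 > 0 && $2 == $3 && $2 == $4 && $2 == $6 { found = 1 }
       END { exit found ? 0 : 1 }'
}

# ipsec_pod_nodes: print the node of each ovn-ipsec pod that is Running with all containers
# ready (READY is ready/total, e.g. 1/1). Column order follows "oc get pod -o wide":
# NAME READY STATUS RESTARTS AGE IP NODE ...
ipsec_pod_nodes() {
  awk '$1 ~ /^ovn-ipsec-/ && $3 == "Running" { split($2, rc, "/"); if (rc[1] == rc[2]) print $7 }'
}

# missing_ipsec_nodes POD_LISTING_FILE: read the expected node names on stdin (one per line),
# print every node that has no running IPsec pod in the listing, succeed only if none is missing.
missing_ipsec_nodes() {
  listing="$1"
  missing=0
  while IFS= read -r node; do
    [ -n "$node" ] || continue
    if ! ipsec_pod_nodes < "$listing" | grep -qx "$node"; then
      echo "$node"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# fips_flag_ok: read the contents of a node's /proc/sys/crypto/fips_enabled on stdin; succeed on "1".
fips_flag_ok() {
  read -r flag
  [ "$flag" = "1" ]
}

# Constructed samples (modelled on the page's output; not captured from a real cluster).
SAMPLE_DS='NAME        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
ovn-ipsec   6         6         6       6            6           beta.kubernetes.io/os=linux   3d3h'

# Failure case built in on purpose: the worker1 pod is still initialising, so it must be reported.
SAMPLE_PODS='ovn-ipsec-4qp86   1/1   Running    0   38m   192.168.7.23   master2.ocp4.rober.lab   <none>   <none>
ovn-ipsec-pk7vh   1/1   Running    0   38m   192.168.7.21   master0.ocp4.rober.lab   <none>   <none>
ovn-ipsec-q4mwj   1/1   Running    0   22m   192.168.7.11   worker0.ocp4.rober.lab   <none>   <none>
ovn-ipsec-vjmw8   1/1   Running    0   38m   192.168.7.22   master1.ocp4.rober.lab   <none>   <none>
ovn-ipsec-trz5m   0/1   Init:0/1   0   2m    192.168.7.12   worker1.ocp4.rober.lab   <none>   <none>'

SAMPLE_NODES='master0.ocp4.rober.lab
master1.ocp4.rober.lab
master2.ocp4.rober.lab
worker0.ocp4.rober.lab
worker1.ocp4.rober.lab'
```

The node-coverage check is the one that matters: a daemon set reports only the pods it scheduled, so a node that the node selector excludes, or that is cordoned, never shows up as a gap in the oc get ds counts, but it does show up when the expected node list comes from oc get nodes.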
- If your deployment's storage must be compliant with FIPS, enable any necessary FIPS settings and support for your chosen storage. Refer to your storage provider's documentation to ensure that your storage meets this requirement.
  Red Hat OpenShift Data Foundation uses FIPS 140-2 certified cryptographic modules. For more information, see Cluster-wide encryption.
  Portworx uses FIPS 140-2 certified cryptographic modules. Portworx can encrypt each of the persistent volumes individually, or it can encrypt the whole storage cluster. For more information, see Create encrypted PVCs.
- After you enable FIPS support, install Netcool Operations Insight. For more information, see Installing Netcool Operations Insight.