Reference: FIPS cipher suites

Note:

The process that is described here is applicable only to the OVA deployment model.

The Federal Information Processing Standard for cryptographic modules (FIPS 140) defines which algorithms are approved for protecting data in transit, and it is the usual baseline for the cryptographic strength of secure connections. By default, Turbonomic ships with the following TLS protocol versions and cipher suites already enabled:

  • TLSv1.2:

    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLSv1.3:

    • TLS_CHACHA20_POLY1305_SHA256

    • TLS_AES_256_GCM_SHA384

    • TLS_AES_128_GCM_SHA256

Note that ChaCha20-Poly1305 is not a NIST-approved algorithm, so a deployment that must use only FIPS-approved cryptography normally removes TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_CHACHA20_POLY1305_SHA256 from these lists and keeps only the AES-GCM suites. Every suite listed above uses ECDHE key exchange, so forward secrecy is retained either way.

Modifying the protocols and cipher suites

To modify the cipher suites and protocols that Turbonomic uses, edit (or add) the nginx section of the Xl custom resource, as in the following example:

apiVersion: charts.helm.k8s.io/v1
kind: Xl
metadata:
  name: xl-release
spec:
...
  nginx:
    # This variable contains a space-separated list of TLS protocol versions
    # to support.
    # The value found here will be inserted into the 'ssl_protocols' directive
    # of the nginx configuration for turbonomic
    tlsProtocols: TLSv1.2 TLSv1.3

    # This variable contains a colon-separated list of cipher suites
    # that should be supported for TLSv1.2, written as OpenSSL cipher names
    # (for example ECDHE-RSA-AES128-GCM-SHA256).
    # The value placed here will be inserted into the 'ssl_ciphers' directive
    # of the nginx configuration for turbonomic
    tlsv2Ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305

    # This variable contains a colon-separated list of cipher suites
    # that should be supported for TLSv1.3, written as IANA suite names
    # (for example TLS_AES_128_GCM_SHA256).
    # The value placed here will be inserted into the
    # 'ssl_conf_command Ciphersuites' directive of the nginx
    # configuration for turbonomic
    tlsv3Ciphers: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Modifying the protocols and cipher suites on a Turbonomic OVA

If necessary, you can modify the cipher suites to comply with your internal policies.

  1. Open an SSH terminal session on your Turbonomic instance.

    Log in with the System Administrator credentials that you set up when you installed Turbonomic:

    • Username: turbo
    • Password: [your_private_password]
  2. In the SSH session, open the cr.yaml file for editing. For example:

    vi /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
  3. Edit the cipher suites.

    1. Search for the nginx section in the file or create the section if not present.

    2. Modify the nginx section (as described in the previous section of this topic) and then save the file.

  4. Apply your changes to the platform.

    kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
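After the operator has applied the new configuration, confirm that the appliance offers exactly the suites you configured and nothing else. The following script is an added example and is not part of Turbonomic or its documentation. It takes the colon-separated cipher lists in the CR format shown above, drops anything that is not on a FIPS allowlist (the allowlists, the policy of "ECDHE with AES-GCM only", the CR values copied in as constructed input, and the host name turbonomic.example.internal are all assumptions of the example), prints the nginx directives the CR values are inserted into, and probes a live endpoint with openssl s_client to check that the approved suites are accepted and that TLSv1.0/1.1 handshakes are refused.

```shell
#!/bin/sh
# Added example (not Turbonomic code): filter a Turbonomic nginx cipher list down
# to FIPS-approved suites, render the resulting nginx directives, and probe a live
# endpoint with openssl s_client to confirm what the server actually negotiates.
set -eu

# Allowlists. Assumption: policy permits only ECDHE key exchange with AES-GCM.
# ChaCha20-Poly1305 is not NIST-approved and is therefore deliberately absent.
# TLSv1.2 suites use OpenSSL names (what nginx's ssl_ciphers expects).
FIPS_TLS12_ALLOWED="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384"
# TLSv1.3 suites use IANA names (what ssl_conf_command Ciphersuites expects).
FIPS_TLS13_ALLOWED="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"

# Constructed input: the default tlsv2Ciphers / tlsv3Ciphers values from the CR.
CR_TLS12="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
CR_TLS13="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

# filter_fips_ciphers LIST ALLOWED
#   LIST is colon-separated (the CR format). Prints the colon-separated subset
#   that appears in the space-separated ALLOWED and reports each dropped suite.
filter_fips_ciphers() {
  list=$1
  allowed=$2
  out=""
  old_ifs=$IFS
  IFS=':'
  set -- $list
  IFS=$old_ifs
  for suite in "$@"; do
    case " $allowed " in
      *" $suite "*) out="${out:+$out:}$suite" ;;
      *) echo "dropping non-FIPS suite: $suite" >&2 ;;
    esac
  done
  printf '%s\n' "$out"
}

# render_nginx_tls PROTOCOLS TLS12_CIPHERS TLS13_CIPHERS
#   Prints the nginx directives that the CR comments say these values map to.
render_nginx_tls() {
  printf 'ssl_protocols %s;\n' "$1"
  printf 'ssl_ciphers %s;\n' "$2"
  printf 'ssl_conf_command Ciphersuites %s;\n' "$3"
}

# tls12_accepts HOST PORT OPENSSL_CIPHER  -> exit 0 if the server negotiates it
tls12_accepts() {
  openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null \
    | grep -q "Cipher is $3"
}

# tls13_accepts HOST PORT IANA_SUITE      -> exit 0 if the server negotiates it
tls13_accepts() {
  openssl s_client -connect "$1:$2" -tls1_3 -ciphersuites "$3" </dev/null 2>/dev/null \
    | grep -q "Cipher is $3"
}

# legacy_refused HOST PORT -> exit 0 only if TLSv1.0 and TLSv1.1 both fail
legacy_refused() {
  for flag in -tls1 -tls1_1; do
    if openssl s_client -connect "$1:$2" $flag </dev/null >/dev/null 2>&1; then
      echo "server still accepts $flag" >&2
      return 1
    fi
  done
}

# audit_endpoint HOST PORT TLS12_LIST TLS13_LIST
#   Every suite in both lists must be accepted and legacy protocols refused.
audit_endpoint() {
  host=$1; port=$2; tls12=$3; tls13=$4; failed=0
  old_ifs=$IFS; IFS=':'; set -- $tls12; IFS=$old_ifs
  for s in "$@"; do
    if tls12_accepts "$host" "$port" "$s"; then echo "ok   TLSv1.2 $s"; else echo "FAIL TLSv1.2 $s"; failed=1; fi
  done
  old_ifs=$IFS; IFS=':'; set -- $tls13; IFS=$old_ifs
  for s in "$@"; do
    if tls13_accepts "$host" "$port" "$s"; then echo "ok   TLSv1.3 $s"; else echo "FAIL TLSv1.3 $s"; failed=1; fi
  done
  legacy_refused "$host" "$port" || failed=1
  return $failed
}

# Usage from an admin workstation (host name is a constructed placeholder):
#   TLS12=$(filter_fips_ciphers "$CR_TLS12" "$FIPS_TLS12_ALLOWED")
#   TLS13=$(filter_fips_ciphers "$CR_TLS13" "$FIPS_TLS13_ALLOWED")
#   render_nginx_tls "TLSv1.2 TLSv1.3" "$TLS12" "$TLS13"   # paste into the nginx section
#   audit_endpoint turbonomic.example.internal 443 "$TLS12" "$TLS13"
#   tls13_accepts turbonomic.example.internal 443 TLS_CHACHA20_POLY1305_SHA256 \
#     && echo "ChaCha20 is still negotiable; the CR change has not taken effect"
```

The filtering step is the one that matters for a FIPS deployment: fed the default CR values, it strips ECDHE-RSA-CHACHA20-POLY1305 and TLS_CHACHA20_POLY1305_SHA256 and leaves the AES-GCM suites. The audit then checks both directions, that each approved suite still negotiates (a typo in the CR value silently disables a suite rather than erroring) and that a suite you removed is actually refused, since a positive probe against a removed suite is the quickest sign that the operator has not yet rolled the change out.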