Reference: FIPS cipher suites
The process that is described here is applicable only to the OVA deployment model.
The Federal Information Processing Standard (FIPS) is in place to ensure the cryptographic strength of secure connections. By default, Turbonomic ships with the following TLS protocol versions and cipher suites already enabled:
- TLSv1.2:
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLSv1.3:
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_AES_256_GCM_SHA384
  - TLS_AES_128_GCM_SHA256
Modifying the protocols and cipher suites
To modify the cipher suites and protocols used by Turbonomic, edit or add the nginx section of the Xl Custom Resource, as described in the following example:
apiVersion: charts.helm.k8s.io/v1
kind: Xl
metadata:
  name: xl-release
spec:
  ...
  nginx:
    # Space-separated list of TLS protocol versions to support. The value is
    # inserted into the 'ssl_protocols' directive of the nginx configuration
    # for Turbonomic.
    tlsProtocols: TLSv1.2 TLSv1.3
    # Colon-separated list of TLSv1.2 cipher suites to support (the key is
    # named tlsv2Ciphers). The value is inserted into the 'ssl_ciphers'
    # directive of the nginx configuration for Turbonomic.
    tlsv2Ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
    # Colon-separated list of TLSv1.3 cipher suites to support (the key is
    # named tlsv3Ciphers). The value is inserted into the
    # 'ssl_conf_command Ciphersuites' directive of the nginx configuration
    # for Turbonomic.
    tlsv3Ciphers: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Note the two naming conventions. The nginx ssl_ciphers directive takes OpenSSL cipher names, so the TLSv1.2 suites are written as ECDHE-RSA-AES128-GCM-SHA256 rather than in the IANA form TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 used in the default list above, whereas TLSv1.3 suites use their TLS_... names in both places. Review any value you enter against the shipped defaults, and after the change is applied verify from a client which protocols and suites the instance actually negotiates rather than trusting the edit alone.
Modifying the protocols and cipher suites on a Turbonomic OVA
If necessary, you can modify the cipher suites to comply with your internal policies.
Open an SSH terminal session on your Turbonomic instance. Log in with the System Administrator credentials that you set up when you installed Turbonomic:
- Username: turbo
- Password: [your_private_password]
In the SSH session, open the cr.yaml file for editing. For example:
vi /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
Edit the cipher suites:
- Search for the nginx section in the file, or create the section if it is not present.
- Modify the nginx section as described in the previous section of this topic, and then save the file.
Apply your changes to the platform:
kubectl apply -f /opt/turbonomic/kubernetes/operator/deploy/crds/charts_v1alpha1_xl_cr.yaml
The operator reconciles the change into the nginx configuration. Before treating the change as complete, verify from a client that only the intended protocols and cipher suites are negotiated.
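As an added example (not Turbonomic's own tooling), the following bash script does the two checks a practitioner would want around the procedure above and the nginx section described in the previous section: before editing the CR it validates candidate tlsProtocols, tlsv2Ciphers and tlsv3Ciphers values against the shipped defaults from this page, treating them as an allow-list; after kubectl apply it can probe the instance with openssl s_client to confirm that each default suite still negotiates and that a suite outside the list is refused. The function names, the --probe flag, the default port 443 and the constructed negative-test suite ECDHE-RSA-AES128-SHA256 (a CBC suite that is not in the shipped defaults) are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of Turbonomic's tooling. Allow-list check of a
# candidate nginx TLS configuration against the defaults documented on this
# page, plus an optional live probe with openssl s_client. Function names,
# the --probe flag and the default port are assumptions for the demo.

# The shipped defaults, in the name forms nginx expects: ssl_ciphers
# (tlsv2Ciphers) takes OpenSSL names, ssl_conf_command Ciphersuites
# (tlsv3Ciphers) takes the TLS 1.3 suite names.
ALLOWED_PROTOCOLS='TLSv1.2 TLSv1.3'
ALLOWED_TLS12='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305'
ALLOWED_TLS13='TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'

# in_list ITEM LIST SEP -> 0 if ITEM is exactly one of the SEP-separated LIST entries
in_list() {
  case "$3$2$3" in
    *"$3$1$3"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_protocols "PROTO ..." -> 1 if any protocol outside the allow-list appears
check_protocols() {
  local proto rc=0
  for proto in $1; do
    if ! in_list "$proto" "$ALLOWED_PROTOCOLS" ' '; then
      printf 'protocol not permitted: %s\n' "$proto" >&2
      rc=1
    fi
  done
  return $rc
}

# check_ciphers CANDIDATE ALLOWED -> 1 if CANDIDATE names anything outside ALLOWED.
# Because this is an allow-list, OpenSSL cipher-string keywords and modifiers
# (HIGH, ALL, DEFAULT, !aNULL, @STRENGTH, ...) are rejected as well: they
# silently widen the negotiated set beyond what was reviewed.
check_ciphers() {
  local candidate="$1" allowed="$2" suite rc=0
  local IFS=':'
  for suite in $candidate; do
    [ -n "$suite" ] || continue
    if ! in_list "$suite" "$allowed" ':'; then
      printf 'cipher suite not permitted: %s\n' "$suite" >&2
      rc=1
    fi
  done
  return $rc
}

# probe HOST PORT VERSION SUITE -> 0 if the server negotiates exactly SUITE.
# VERSION is tls1_2 or tls1_3 (openssl s_client flag names); TLS 1.2 suites
# are selected with -cipher, TLS 1.3 suites with -ciphersuites.
probe() {
  local host="$1" port="$2" version="$3" suite="$4" flag
  case $version in
    tls1_2) flag=-cipher ;;
    tls1_3) flag=-ciphersuites ;;
    *) printf 'unknown version: %s\n' "$version" >&2; return 2 ;;
  esac
  openssl s_client -connect "$host:$port" "-$version" "$flag" "$suite" </dev/null 2>/dev/null \
    | grep -q "Cipher is $suite"
}

# probe_defaults HOST PORT -> 1 if any default suite fails to negotiate or the
# constructed out-of-list suite is still accepted.
probe_defaults() {
  local host="$1" port="$2" suite rc=0
  local IFS=':'
  for suite in $ALLOWED_TLS12; do
    probe "$host" "$port" tls1_2 "$suite" && echo "ok   TLSv1.2 $suite" || { echo "FAIL TLSv1.2 $suite"; rc=1; }
  done
  for suite in $ALLOWED_TLS13; do
    probe "$host" "$port" tls1_3 "$suite" && echo "ok   TLSv1.3 $suite" || { echo "FAIL TLSv1.3 $suite"; rc=1; }
  done
  # Negative check: a CBC suite that is not in the allow-list must be refused.
  if probe "$host" "$port" tls1_2 ECDHE-RSA-AES128-SHA256; then
    echo "FAIL server still offers ECDHE-RSA-AES128-SHA256"; rc=1
  else
    echo "ok   ECDHE-RSA-AES128-SHA256 refused"
  fi
  return $rc
}

# Usage: ./tls_check.sh --probe HOST [PORT]   (validation functions can also be sourced)
if [ "${1:-}" = "--probe" ]; then
  check_protocols "$ALLOWED_PROTOCOLS" || exit 1
  check_ciphers "$ALLOWED_TLS12" "$ALLOWED_TLS12" || exit 1
  check_ciphers "$ALLOWED_TLS13" "$ALLOWED_TLS13" || exit 1
  probe_defaults "${2:?host required}" "${3:-443}"
fi
```

Run check_ciphers on the value you intend to put into tlsv2Ciphers or tlsv3Ciphers before editing the CR; it exits non-zero and names each entry that is not one of the shipped defaults. After kubectl apply has been reconciled, ./tls_check.sh --probe <instance> confirms the result from the client side, which is the only view that matters for the connection strength the page is about.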