Step 1: (Optional) Enable FIPS Mode

If your cluster must be FIPS-compliant, you must enable FIPS mode at the operating system level before installing data-fabric software. If FIPS compliance is not needed, you can skip this step.

This page describes how to enable FIPS mode for each of the operating systems where it is supported. For more information about FIPS, see FIPS Compliance for HPE Ezmeral Data Fabric and this page.

When you enable FIPS mode at the operating system level, the HPE Ezmeral Data Fabric platform is automatically installed in FIPS mode with FIPS-compliant BCFKS key and trust stores.

All FIPS 140-2 Level 1 Linux operating system distributions supported by the HPE Ezmeral Data Fabric have a way of enabling FIPS mode at the operating system level. However, enabling FIPS mode at the operating system level covers only the use of FIPS-compliant system libraries (OpenSSL), and not the additional packages that use cryptography that are not part of the operating system – notably JDK 11.

Note these considerations:
  • Enabling FIPS mode at the operating system level automatically causes FIPS-compliant mode to be enabled in the HPE Ezmeral Data Fabric.
  • FIPS compliance is enforced on a per-node level. It is possible for some nodes in a cluster to run in FIPS mode while others run in non-FIPS-compliant mode. Different nodes running in mixed configuration can communicate with each other as long as the cryptographic algorithms used for securing network data are FIPS-compliant. The AES-256 GCM cryptographic algorithm and TLS 1.2 and 1.3 protocols used to secure network data in previous data-fabric releases are FIPS compliant.

Determining if the Operating System is FIPS-Enabled

If you don’t know the current FIPS status for a node, you can use maprcli commands to determine whether FIPS mode is enabled at the operating system. See Determining if a Host Is in FIPS Mode.

Enabling FIPS Mode in Red Hat Enterprise Linux 8

Setting the RHEL 8 operating system to FIPS mode automatically makes the FIPS 140-2 Level 1 certified RedHat OpenSSL 1.1.1 library available with all non-FIPS approved cryptographic algorithms disabled.

You can install the RHEL 8 operating system with FIPS mode enabled by adding the fips=1 option to the kernel command line during system installation. This is the recommended way to enable FIPS mode, as opposed to enabling FIPS mode later, because this ensures the system generates all cryptographic keys with FIPS-approved algorithms.

Alternatively, you can switch an existing non-FIPS system to FIPS mode after installation. To do this, use the fips-mode-setup --enable command, and then reboot the system:
    # fips-mode-setup --enable
    Setting system policy to FIPS.
    FIPS mode will be enabled.
    Please reboot the system for the setting to take effect.
    # reboot
After the reboot, check the current state of FIPS mode using the following command:
    # fips-mode-setup --check
    FIPS mode is enabled

Enabling FIPS Mode in Ubuntu 18.04

In Ubuntu 18.04, access to FIPS repositories is controlled by a token associated with an Ubuntu Advantage subscription. For detailed information about how to enable FIPS in Ubuntu, refer to the Ubuntu website. The following steps provide a summary:
  1. Install the Ubuntu Advantage tools:
    # sudo apt update && sudo apt install ubuntu-advantage-tools
  2. If you are not using the Ubuntu PRO images, obtain the UA token from your Ubuntu One account under the Your Paid Subscriptions header, save it, and then attach it to the Ubuntu system:
    # sudo ua attach <token>
  3. Enable FIPS, including security updates, and verify the status:
    # sudo ua enable fips-updates
    # sudo ua status
    To enable only validated FIPS without the security updates (not recommended), which results in updating only validated packages upon revalidation, use sudo ua enable fips instead of sudo ua enable fips-updates.
  4. Reboot the system for the changes to take effect. After rebooting, verify that FIPS is enabled:
    # cat /proc/sys/crypto/fips_enabled
    1

Enabling FIPS Mode in SUSE Enterprise Linux 15 SP2

For detailed information about how to enable FIPS in SLES 15 SP2, refer to the SLES 15 SP2 online documentation. The following steps provide a summary:
  1. Install the FIPS pattern:
    $ sudo zypper in -t pattern fips
  2. Assuming that /boot is not on a separate partition, edit /etc/default/grub to add fips=1 to GRUB_CMDLINE_LINUX_DEFAULT. For example:
    GRUB_CMDLINE_LINUX_DEFAULT="splash=silent mitigations=auto quiet fips=1"
  3. Save your changes, and rebuild the GRUB configuration and the initrd:
    $ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
    $ sudo mkinitrd
  4. Reboot, and verify your changes:
    $ sudo sysctl -a | grep fips
    crypto.fips_enabled = 1
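The kernel flag read in the Ubuntu and SUSE verification steps, and the fips=1 GRUB setting from the SUSE procedure, can be checked with the following helper functions. This is an added example and not part of the HPE documentation; it assumes POSIX sh and takes the file paths as parameters (defaulting to /proc/sys/crypto/fips_enabled and /etc/default/grub) so the checks can also run against copied files.

```shell
#!/bin/sh
# Added example, not from the HPE documentation: node-level FIPS checks.
# Paths are parameters so the functions can be exercised on copied files;
# the defaults are the standard locations used in the steps above.

# Print enabled/disabled/unknown for the kernel FIPS flag. Exit status:
# 0 = enabled, 1 = disabled, 2 = flag absent (no FIPS support) or unreadable.
fips_state() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ ! -r "$f" ]; then
    echo "unknown"
    return 2
  fi
  case "$(tr -d '[:space:]' < "$f")" in
    1) echo "enabled";  return 0 ;;
    0) echo "disabled"; return 1 ;;
    *) echo "unknown";  return 2 ;;
  esac
}

# Return 0 if fips=1 is one of the words in GRUB_CMDLINE_LINUX_DEFAULT,
# 1 if it is missing, 2 if the grub defaults file cannot be read.
grub_cmdline_has_fips() {
  g="${1:-/etc/default/grub}"
  [ -r "$g" ] || return 2
  # Take the last assignment (later lines override earlier ones); strip quotes.
  line=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$g" | tail -n 1)
  for opt in $line; do
    [ "$opt" = "fips=1" ] && return 0
  done
  return 1
}

# One-line report for this node, suitable for collecting across a cluster:
# FIPS is enforced per node, so a mixed cluster is possible and worth spotting.
report_node() {
  kernel=$(fips_state "$1") || :
  if grub_cmdline_has_fips "$2"; then grub="fips=1 present"; else grub="fips=1 missing"; fi
  printf '%s kernel=%s grub=%s\n' "$(uname -n)" "$kernel" "$grub"
}
```

Run report_node with no arguments on each node to see its kernel flag and GRUB state; any node reporting kernel=disabled is running in non-FIPS mode regardless of what the data-fabric installer was given.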