FIPS Compliance for HPE Ezmeral Data Fabric

Describes how the HPE Ezmeral Data Fabric complies with Federal Information Processing Standard (FIPS) 140-2 Level 1.

Release 7.0.0 and later releases of the HPE Ezmeral Data Fabric provide FIPS compliance with some restrictions.

Considerations for FIPS Support

Note the following important considerations for FIPS support in Release 7.0.0:
  • Release 7.0.0 supports FIPS for new installations only.
  • Release 7.0.0 supports FIPS only on Red Hat Enterprise Linux (RHEL). For the supported RHEL versions, see the Operating System Support Matrix.
  • Upgrades are not supported. You cannot upgrade from a non-FIPS cluster to a FIPS-compliant cluster in release 7.0.0.
  • Some, but not all, EEP components support FIPS. For more information, see What's New in EEP 8.1.0.
  • For manual installations, FIPS mode implies secure mode as well. Thus, on a FIPS-enabled node, -secure is the default, whereas in a regular, non-FIPS-enabled node, -unsecure is the default.
  • The HPE Ezmeral Data Fabric Object Store is not FIPS compliant.
  • Only the operating systems listed on this page are FIPS compliant for the HPE Ezmeral Data Fabric. Other operating systems either are undergoing testing or will never be FIPS compliant. CentOS 8.x and the newer CentOS Stream, for example, are not FIPS compliant with the HPE Ezmeral Data Fabric. CentOS 8 users who need to run data-fabric software in a FIPS-validated configuration should migrate to RHEL 8.x.
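
The restrictions above can be checked on a node before installation. The following is an added example, not HPE-supplied code: it assumes that the Linux kernel flag /proc/sys/crypto/fips_enabled is what marks a node as FIPS-enabled and approximates "supported RHEL versions" as 8.x; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install check for the Release 7.0.0 FIPS restrictions.
# Assumptions (not from the product docs): the kernel flag file below marks a
# node as FIPS-enabled, and "supported RHEL" is approximated as 8.x.

# Read KEY from an os-release style file without sourcing it as shell code.
os_field() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d '"'
}

# fips_preflight [OS_RELEASE_FILE] [FIPS_FLAG_FILE]
# Prints a one-line verdict; returns 0 only for a FIPS-enabled RHEL 8.x node.
fips_preflight() {
    os_release=${1:-/etc/os-release}
    fips_flag=${2:-/proc/sys/crypto/fips_enabled}

    [ -r "$os_release" ] || { echo "UNKNOWN: cannot read $os_release"; return 3; }
    id=$(os_field ID "$os_release")
    ver=$(os_field VERSION_ID "$os_release")

    # A missing flag file is treated the same as FIPS mode being off.
    enabled=0
    if [ -r "$fips_flag" ]; then
        enabled=$(tr -d '[:space:]' < "$fips_flag")
    fi

    if [ "$enabled" != "1" ]; then
        echo "NON-FIPS: kernel FIPS mode is off on $id $ver"
        return 1
    fi
    case "$id:$ver" in
        rhel:8|rhel:8.*)
            echo "OK: FIPS-enabled $id $ver; manual install defaults to -secure"
            return 0 ;;
        centos:*)
            echo "UNSUPPORTED: CentOS is not FIPS compliant here; migrate to RHEL 8.x"
            return 2 ;;
        *)
            echo "UNSUPPORTED: Release 7.0.0 supports FIPS only on RHEL (found $id $ver)"
            return 2 ;;
    esac
}
```

Calling fips_preflight with no arguments reads the node's own /etc/os-release and kernel flag; the exact supported RHEL versions still come from the Operating System Support Matrix.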

About FIPS and 140-2 Level 1

The Federal Information Processing Standard (FIPS) is a US government standard used to approve cryptographic modules. FIPS-validated products give users the assurance that data within the product is protected using cryptographic algorithms meeting the stringent guidelines and testing procedures established by the FIPS standard. FIPS was established by the National Institute of Standards and Technology (NIST), and defines critical security parameters that vendors must use for encryption. Products sold to the US government must meet FIPS validation criteria. In addition, there is a growing need by organizations processing sensitive data, such as banks, financial institutions, legal and medical institutions, to have the products that they use be FIPS 140-2/3 validated.

FIPS 140-2 requires that any hardware and software cryptographic module implement algorithms from an approved list. FIPS-validated algorithms cover both symmetric and asymmetric encryption algorithms as well as the use of hash standards and message authentication. FIPS 140-2 specifies multiple levels of security, with level 1 being the least secure and level 4 being the most secure. In particular, FIPS 140-2 Level 1 compliance is applicable to software-only distributions such as the HPE Ezmeral Data Fabric. FIPS 140-2 Level 2 and above require control of physical security mechanisms, which do not apply to the data-fabric platform. For more information about the different levels, see here.

Data-Fabric Approach to FIPS Level 1 Compliance

The HPE Ezmeral Data Fabric solution is installed on user-supplied operating systems, with the JDK supplied by the user. HPE Ezmeral Data Fabric does not bundle the operating system or associated libraries, such as OpenSSL, with the products. Neither does it bundle the JDK.

Therefore, the data-fabric approach to FIPS 140-2 Level 1 compliance is to leverage the operating systems that include FIPS 140-2 Level 1 certified cryptographic libraries provided by the user, as well as support for the Bouncy Castle Java FIPS API bundled with HPE Ezmeral Data Fabric, which runs on a compatible user-supplied JDK. The HPE Ezmeral Data Fabric therefore:
  • Uses the OpenSSL cryptographic module distributed in operating systems supported by the data-fabric core platform that have obtained FIPS 140-2 Level 1 approval. These include:
    • RedHat 8.x (CMVP #3784)
    • Ubuntu 18.04 and 20.04 (CMVP #3980 and 3966)
    • SLES 15 SP 2 (CMVP #3991)
  • For all supported operating systems listed above, uses the Java FIPS API from Bouncy Castle (CMVP #3514) which has FIPS 140-2 Level 1 approval.
  • Includes enhancements to the data-fabric core platform so that all components use only FIPS 140-2 Level 1-validated cryptography when FIPS mode is enabled, and ensures that no sensitive data is stored in plain text.

FIPS 140-2 Certifications

The following certifications are relevant to the HPE Ezmeral Data Fabric core platform as indicated in the Operating System Support Matrix. All certifications in the following table are for FIPS 140-2 since this is the current standard for which approvals can be obtained. Since HPE validates at FIPS 140-2 Level 1, the following certifications can be used on any general-purpose computer running the specified operating system:

Components: Java Components
Operating System / Module: Linux CentOS/SLES/Ubuntu
Certification: Bouncy Castle BC-FJA (FIPS Java API) v1.0.2.1
  • FIPS 140-2 Level 1
  • Java Cryptographic API for Java SE 11
  • Tested on Dell PowerEdge R830 Photon OS 2.0, valid for any general-purpose computer running HP-UX and Linux CentOS/SLES/Ubuntu or equivalent
  • CMVP #3514, obtained 8/23/2019, valid until 8/22/2024
  • See Security Policy

Components: C/C++ Components
Operating System / Module: Ubuntu 18.04
Certification: OpenSSL Cryptographic Module 2.1
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • Tested on Supermicro SYS-5018R-WR and IBM z14
  • CMVP #3980, obtained 7/12/2021, valid until 7/11/2026
  • See Security Policy

Components: C/C++ Components
Operating System / Module: Ubuntu 20.04
Certification: OpenSSL Cryptographic Module
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3966, obtained 7/6/2021, valid until 7/5/2026

Components: C/C++ Components
Operating System / Module: RedHat Enterprise Linux 8
Certification: OpenSSL Cryptographic Module rhel8.20200305
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3781, obtained 12/21/2020, valid until 12/20/2025

Components: C/C++ Components
Operating System / Module: SUSE Linux Enterprise Server (SLES) 15 SP 2
Certification:
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1 (OpenSSL Cryptographic Module 4.1)
  • CMVP #3991, obtained 7/21/2021, valid till 7/21/2026

Interoperability in Mixed-Mode Clusters

Both FIPS-compliant and regular installations work seamlessly on a single cluster and across clusters. Interoperability is supported for mixed-mode clusters running a combination of FIPS-compliant and non-FIPS-compliant solutions. Thus, there will be no disruption in operations during a rolling upgrade.

Sensitive Data Is Protected

All sensitive data, such as key and trust store passwords, as well as CLDB and DARE master keys, will be protected using FIPS 140-2 Level 1 compliant cryptography. No sensitive data, such as passwords and keys, is stored in plain text.