Chapter 9. Federal Information Processing Standard on Red Hat OpenStack Platform

The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.

These security requirements define acceptable cryptographic algorithms and the use of those cryptographic algorithms, including security modules.

  • FIPS 140-3 validation is achieved by using only those cryptographic algorithms approved through FIPS, in the manner prescribed, and through validated modules.
  • FIPS 140-3 compatibility is achieved by using only those cryptographic algorithms approved through FIPS.

Red Hat OpenStack Platform 17 is FIPS 140-3 compatible. You can take advantage of FIPS compatibility by using images provided by Red Hat to deploy your overcloud.

Note

OpenStack 17.1 is based on Red Hat Enterprise Linux (RHEL) 9.2. RHEL 9.2 has not yet been submitted for FIPS validation. Red Hat expects, though cannot commit to a specific timeframe, to obtain FIPS validation for RHEL 9.0 and RHEL 9.2 modules, and later even minor releases of RHEL 9.x. Updates will be available in Compliance Activities and Government Standards.

9.1. Enabling FIPS

When you enable FIPS, you must complete a series of steps during the installation of the undercloud and overcloud.

Prerequisites

  • You have installed Red Hat Enterprise Linux and are prepared to begin the installation of Red Hat OpenStack Platform director.
  • You have deployed Red Hat Ceph Storage 6 or later, if you are using Red Hat Ceph Storage as the storage backend.

Procedure

  1. Enable FIPS on the undercloud:

    1. Enable FIPS on the system on which you plan to install the undercloud:

      fips-mode-setup --enable

      Note

      This step adds the fips=1 kernel parameter to your GRUB configuration file. As a result, the cryptographic modules used by Red Hat Enterprise Linux run in FIPS mode and only cryptographic algorithms approved by the standard are used.

    2. Reboot the system.
    3. Verify that FIPS is enabled:

      fips-mode-setup --check
    4. Install and configure Red Hat OpenStack Platform director. For more information, see Installing director on the undercloud.
  2. Prepare FIPS-enabled images for the overcloud.

    1. Install images for the overcloud:

      sudo dnf -y install rhosp-director-images-uefi-fips-x86_64
    2. Create the images directory in the home directory of the stack user:

      mkdir /home/stack/images
      cd /home/stack/images
    3. Extract the images to your home directory:

      for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf "$i"; done
    4. You must create symlinks before uploading the images:

      ln -s ironic-python-agent-fips.initramfs       ironic-python-agent.initramfs
      ln -s ironic-python-agent-fips.kernel          ironic-python-agent.kernel
      ln -s overcloud-hardened-uefi-full-fips.qcow2  overcloud-hardened-uefi-full.qcow2
    5. Upload the FIPS-enabled overcloud images to the Image service:

      openstack overcloud image upload --update-existing --whole-disk

      Note

      You must use the --update-existing flag even if there are no images currently in the OpenStack Image service.

  3. Enable FIPS on the overcloud.

    Configure templates for an overcloud deployment specific to your environment. Include all configuration templates in the deployment command, including fips.yaml:

    openstack overcloud deploy
    ...
    -e /usr/share/openstack-tripleo-heat-templates/environments/fips.yaml
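
The following preflight is an added example, not part of the Red Hat procedure: a POSIX shell script for the undercloud that confirms the kernel reports FIPS mode, that fips=1 is on the kernel command line, and that the three generic image names in the images directory are symlinks to the FIPS images before you upload them. The function names and the `--run` switch are illustrative assumptions; /proc/sys/crypto/fips_enabled and /proc/cmdline are the standard kernel interfaces.

```sh
#!/bin/sh
# Added example: preflight checks for the FIPS procedure (function names are
# illustrative). File arguments default to the kernel's own interfaces and are
# parameters only so the checks can be run against constructed files.

# Succeeds when the kernel reports FIPS mode (the file contains 1).
fips_kernel_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Succeeds when fips=1 is a whole parameter on the kernel command line.
cmdline_has_fips() {
    grep -Eq '(^| )fips=1( |$)' "${1:-/proc/cmdline}" 2>/dev/null
}

# Checks that each generic image name is a symlink to its FIPS image.
# Prints one line per name; the return status is the number of problems.
check_fips_symlinks() {
    dir=$1; problems=0
    for pair in \
        "ironic-python-agent.initramfs:ironic-python-agent-fips.initramfs" \
        "ironic-python-agent.kernel:ironic-python-agent-fips.kernel" \
        "overcloud-hardened-uefi-full.qcow2:overcloud-hardened-uefi-full-fips.qcow2"
    do
        link=${pair%%:*}; want=${pair#*:}
        target=$(readlink "$dir/$link" 2>/dev/null) || target=""
        if [ ! -L "$dir/$link" ]; then
            echo "FAIL $link: not a symlink"
        elif [ "$(basename "$target")" != "$want" ]; then
            echo "FAIL $link: points to $target, expected $want"
        elif [ ! -s "$dir/$link" ]; then
            echo "FAIL $link: target is missing or empty"
        else
            echo "OK   $link -> $target"; continue
        fi
        problems=$((problems + 1))
    done
    return "$problems"
}

# Runs all checks; the images directory defaults to the one used on this page.
preflight() {
    fips_kernel_enabled || { echo "FAIL kernel is not in FIPS mode"; return 1; }
    cmdline_has_fips || { echo "FAIL fips=1 not on kernel command line"; return 1; }
    check_fips_symlinks "${1:-/home/stack/images}"
}

if [ "${1:-}" = "--run" ]; then preflight "${2:-}"; fi
```

Run the script with `--run` as the stack user after creating the symlinks; a non-zero exit status means at least one check failed.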