Chapter 9. Federal Information Processing Standard on Red Hat OpenStack Platform
The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.
These security requirements define acceptable cryptographic algorithms and the use of those cryptographic algorithms, including security modules.
- FIPS 140-3 validation is achieved by using only those cryptographic algorithms approved through FIPS, in the manner prescribed, and through validated modules.
- FIPS 140-3 compatibility is achieved by using only those cryptographic algorithms approved through FIPS.
Red Hat OpenStack Platform 17 is FIPS 140-3 compatible. You can take advantage of FIPS compatibility by using images provided by Red Hat to deploy your overcloud.
OpenStack 17.1 is based on Red Hat Enterprise Linux (RHEL) 9.2. RHEL 9.2 has not yet been submitted for FIPS validation. Red Hat expects, though cannot commit to a specific timeframe, to obtain FIPS validation for RHEL 9.0 and RHEL 9.2 modules, and later even minor releases of RHEL 9.x. Updates will be available in Compliance Activities and Government Standards.
9.1. Enabling FIPS
When you enable FIPS, you must complete a series of steps during the installation of the undercloud and overcloud.
- You have installed Red Hat Enterprise Linux and are prepared to begin the installation of Red Hat OpenStack Platform director.
- Red Hat Ceph Storage 6 or later deployed, if you are using Red Hat Ceph Storage as the storage backend.
Enable FIPS on the undercloud:
Enable FIPS on the system on which you plan to install the undercloud:
This step will add the
fips=1kernel parameter to your GRUB configuration file. As a result, only cryptographic algorithms modules used by Red Hat Enterprise Linux are in FIPS mode and only cryptographic algorithms approved by the standard are used.
- Reboot the system.
Verify that FIPS is enabled:
- Install and configure Red Hat OpenStack Platform director. For more information see: Installing director on the undercloud.
Prepare FIPS-enabled images for the overcloud.
Install images for the overcloud:
sudo dnf -y install rhosp-director-images-uefi-fips-x86_64
imagesdirectory in the home directory of the
$ mkdir /home/stack/images $ cd /home/stack/images
Extract the images to your home directory:
for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf $i; done
You must create symlinks before uploading the images:
ln -s ironic-python-agent-fips.initramfs ironic-python-agent.initramfs ln -s ironic-python-agent-fips.kernel ironic-python-agent.kernel ln -s overcloud-hardened-uefi-full-fips.qcow2 overcloud-hardened-uefi-full.qcow2
Upload the FIPS-enabled overcloud images to the Image service:
openstack overcloud image upload --update-existing --whole-diskNote
You must use the
--update-existingflag even if there are no images currently in the OpenStack Image service.
Enable FIPS on the overcloud.
Configure templates for an overcloud deployment specific to your environment. Include all configuration templates in the deployment command, including fips.yaml:
openstack overcloud deploy ... -e /usr/share/openstack-tripleo-heat-templates/environments/fips.yaml