Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 9. Federal Information Processing Standard on Red Hat OpenStack Platform
This feature is available in this release as a Technology Preview, and therefore is not fully supported by Red Hat. It should only be used for testing, and should not be deployed in a production environment. For more information about Technology Preview features, see Scope of Coverage Details.
The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.
These security requirements define acceptable cryptographic algorithms and the use of those cryptographic algorithms, including security modules.
- FIPS 140-3 validation is achieved by using only those cryptographic algorithms approved through FIPS, in the manner prescribed, and through validated modules.
- FIPS 140-3 compatibility is achieved by using only those cryptographic algorithms approved through FIPS.
Red Hat OpenStack Platform 17 is FIPS 140-3 compatible. You can take advantage of FIPS compatibility by using images provided by Red Hat to deploy your overcloud.
OpenStack 17.1 is based on Red Hat Enterprise Linux (RHEL) 9.2. RHEL 9.2 has not yet been submitted for FIPS validation. Red Hat expects, though cannot commit to a specific timeframe, to obtain FIPS validation for RHEL 9.0 and RHEL 9.2 modules, and later even minor releases of RHEL 9.x. Updates will be available in Compliance Activities and Government Standards.
9.1. Enabling FIPS
When you enable FIPS, you must complete a series of steps during the installation of the undercloud and overcloud.
Prerequisites
- You have installed Red Hat Enterprise Linux and are prepared to begin the installation of Red Hat OpenStack Platform director.
Procedure
Enable FIPS on the undercloud:
Enable FIPS on the system on which you plan to install the undercloud:
fips-mode-setup --enable
fips-mode-setup --enableCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteThis step will add the
fips=1kernel parameter to your GRUB configuration file. As a result, only cryptographic algorithms modules used by Red Hat Enterprise Linux are in FIPS mode and only cryptographic algorithms approved by the standard are used.- Reboot the system.
Verify that FIPS is enabled:
fips-mode-setup --check
fips-mode-setup --checkCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Install and configure Red Hat OpenStack Platform director. For more information see: Installing director on the undercloud.
Prepare FIPS-enabled images for the overcloud.
Install images for the overcloud:
sudo dnf -y install rhosp-director-images-uefi-fips-x86_64
sudo dnf -y install rhosp-director-images-uefi-fips-x86_64Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create the
imagesdirectory in the home directory of thestackuser:mkdir /home/stack/images cd /home/stack/images
$ mkdir /home/stack/images $ cd /home/stack/imagesCopy to Clipboard Copied! Toggle word wrap Toggle overflow Extract the images to your home directory:
for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf $i; done
for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf $i; doneCopy to Clipboard Copied! Toggle word wrap Toggle overflow You must create symlinks before uploading the images:
ln -s ironic-python-agent-fips.initramfs ironic-python-agent.initramfs ln -s ironic-python-agent-fips.kernel ironic-python-agent.kernel ln -s overcloud-hardened-uefi-full-fips.qcow2 overcloud-hardened-uefi-full.qcow2
ln -s ironic-python-agent-fips.initramfs ironic-python-agent.initramfs ln -s ironic-python-agent-fips.kernel ironic-python-agent.kernel ln -s overcloud-hardened-uefi-full-fips.qcow2 overcloud-hardened-uefi-full.qcow2Copy to Clipboard Copied! Toggle word wrap Toggle overflow Upload the FIPS-enabled overcloud images to the Image service:
openstack overcloud image upload --update-existing --whole-disk
openstack overcloud image upload --update-existing --whole-diskCopy to Clipboard Copied! Toggle word wrap Toggle overflow NoteYou must use the
--update-existingflag even if there are no images currently in the OpenStack Image service.
Enable FIPS on the overcloud.
Configure templates for an overcloud deployment specific to your environment. Include all configuration templates in the deployment command, including fips.yaml:
openstack overcloud deploy ... -e /usr/share/openstack-tripleo-heat-templates/environents/fips.yaml
openstack overcloud deploy ... -e /usr/share/openstack-tripleo-heat-templates/environents/fips.yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}