Red Hat SummitChapter 9. Federal Information Processing Standard on Red Hat OpenStack Platform
The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.
These security requirements define acceptable cryptographic algorithms and the use of those cryptographic algorithms, including security modules.
- FIPS 140-3 validation is achieved by using only those cryptographic algorithms approved through FIPS, in the manner prescribed, and through validated modules.
- FIPS 140-3 compatibility is achieved by using only those cryptographic algorithms approved through FIPS.
Red Hat OpenStack Platform 17 is FIPS 140-3 compatible. You can take advantage of FIPS compatibility by using images provided by Red Hat to deploy your overcloud.
OpenStack 17.1 is based on Red Hat Enterprise Linux (RHEL) 9.2. RHEL 9.2 has not yet been submitted for FIPS validation. Red Hat expects, though cannot commit to a specific timeframe, to obtain FIPS validation for RHEL 9.0 and RHEL 9.2 modules, and later even minor releases of RHEL 9.x. Updates will be available in Compliance Activities and Government Standards.
9.1. Enabling FIPS
When you enable FIPS, you must complete a series of steps during the installation of the undercloud and overcloud.
Prerequisites
- You have installed Red Hat Enterprise Linux and are prepared to begin the installation of Red Hat OpenStack Platform director.
- Red Hat Ceph Storage 6 or later deployed, if you are using Red Hat Ceph Storage as the storage backend.
Procedure
Enable FIPS on the undercloud:
Enable FIPS on the system on which you plan to install the undercloud:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fips-mode-setup --enable
fips-mode-setup --enableNoteThis step will add the
fips=1kernel parameter to your GRUB configuration file. As a result, only cryptographic algorithms modules used by Red Hat Enterprise Linux are in FIPS mode and only cryptographic algorithms approved by the standard are used.- Reboot the system.
Verify that FIPS is enabled:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fips-mode-setup --check
fips-mode-setup --check- Install and configure Red Hat OpenStack Platform director. For more information see: Installing director on the undercloud.
Prepare FIPS-enabled images for the overcloud.
Install images for the overcloud:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow sudo dnf -y install rhosp-director-images-uefi-fips-x86_64
sudo dnf -y install rhosp-director-images-uefi-fips-x86_64Create the
imagesdirectory in the home directory of thestackuser:Copy to Clipboard Copied! Toggle word wrap Toggle overflow mkdir /home/stack/images cd /home/stack/images
$ mkdir /home/stack/images $ cd /home/stack/imagesExtract the images to your home directory:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf $i; done
for i in /usr/share/rhosp-director-images/*fips*.tar; do tar -xvf $i; doneYou must create symlinks before uploading the images:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ln -s ironic-python-agent-fips.initramfs ironic-python-agent.initramfs ln -s ironic-python-agent-fips.kernel ironic-python-agent.kernel ln -s overcloud-hardened-uefi-full-fips.qcow2 overcloud-hardened-uefi-full.qcow2
ln -s ironic-python-agent-fips.initramfs ironic-python-agent.initramfs ln -s ironic-python-agent-fips.kernel ironic-python-agent.kernel ln -s overcloud-hardened-uefi-full-fips.qcow2 overcloud-hardened-uefi-full.qcow2Upload the FIPS-enabled overcloud images to the Image service:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openstack overcloud image upload --update-existing --whole-disk
openstack overcloud image upload --update-existing --whole-diskNoteYou must use the
--update-existingflag even if there are no images currently in the OpenStack Image service.
Enable FIPS on the overcloud.
Configure templates for an overcloud deployment specific to your environment. Include all configuration templates in the deployment command, including fips.yaml:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openstack overcloud deploy ... -e /usr/share/openstack-tripleo-heat-templates/environments/fips.yaml
openstack overcloud deploy ... -e /usr/share/openstack-tripleo-heat-templates/environments/fips.yaml
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}