Appendix C. Provisioning FIPS Compliant Hosts
Red Hat Satellite 6 supports provisioning hosts that comply with the National Institute of Standards and Technology’s Security Requirements for Cryptographic Modules standard, reference number FIPS 140-2, referred to here as FIPS.
Red Hat Satellite 6 is not supported on a FIPS enabled host.
To enable the provisioning of hosts that are FIPS compliant, complete the following changes:
- Identify the relevant operating systems, locations, and organizations
- Create and enable the FIPS provisioning templates
- Change the provisioning password hashing algorithm
- Change the Puppet message digest algorithm
- Set the FIPS enabled parameter
When these changes are complete, the new provisioning templates will be associated with those operating systems, locations, and organizations you specify. When you provision a host to those operating systems, locations, and organizations, the host will have the FIPS-compliant settings applied. To confirm that these settings have been successful, complete the steps in Section C.6, “Verifying FIPS Mode is Enabled”.
Prerequisites
- Complete the configuration steps from the Authentication section in the Hammer CLI Guide. This allows you to run Hammer commands without providing your Satellite username and password each time.
C.1. Identifying the Relevant Operating Systems, Locations, and Organizations
Before creating the FIPS-compliant templates in Satellite, you must identify those locations, organizations and operating systems to which you want to deploy FIPS-compliant hosts. For example, if you will only deploy Red Hat Enterprise Linux 7 hosts as FIPS compliant, associate the template with only Red Hat Enterprise Linux 7.
- List all locations. Note the value in the NAME column of those locations to which you want to deploy FIPS-compliant hosts.
- List all organizations. Note the value in the NAME column of those organizations to which you want to deploy FIPS-compliant hosts.
- List all operating systems. Note the value in the TITLE column of those operating systems to which you want to deploy FIPS-compliant hosts.
C.2. Creating and Enabling the FIPS Provisioning Templates
The FIPS provisioning templates are provided in a git repository. In this procedure you import them into the Satellite environment, then associate them with the desired operating systems, locations, and organizations.
- On the Satellite Server, clone the git repository containing the FIPS enabled templates, then change into the repository's directory.
  $ git clone https://github.com/RedHatSatellite/satellite6-fips-client
  $ cd satellite6-fips-client
  This repository contains the following Embedded RuBy (ERB) templates. These are plain text files, which you can view to see in detail the configuration settings they contain.
  - Kickstart_Default_PXELinux_FIPS.erb: Updated PXELinux template
  - fips_packages.erb: Packages required by FIPS mode (for example, dracut-fips)
  - Satellite_Kickstart_Default_FIPS.erb: Kickstart template with modifications to call the fips_packages snippet
  - puppet.conf.erb: Updated puppet.conf configuration file with the updated (SHA256) message digest algorithm
- Add the PXELinux FIPS template. Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, "Identifying the Relevant Operating Systems, Locations, and Organizations". If any value contains non-alphabetical characters, enclose the value in quotation marks ("). The message Config template created indicates success.
- Add the Satellite Kickstart Default FIPS template. Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, "Identifying the Relevant Operating Systems, Locations, and Organizations". If any value contains non-alphabetical characters, enclose the value in quotation marks ("). The message Config template created indicates success.
- Add the FIPS Packages snippet.
  $ hammer template create --name "fips_packages" \
    --file fips_packages.erb \
    --locations LOCATIONS \
    --organizations ORGANIZATION \
    --type snippet
  Replace the placeholder values LOCATIONS and ORGANIZATION with the values you noted in Section C.1, "Identifying the Relevant Operating Systems, Locations, and Organizations". If any value contains non-alphabetical characters, enclose the value in quotation marks ("). The message Config template created indicates success.
  Example
  $ hammer template create --name "fips_packages" \
    --file fips_packages.erb \
    --locations "Default Location" \
    --organizations "Default Organization","Sales" \
    --type snippet
- Update the default Puppet configuration snippet.
  $ hammer template update --name puppet.conf \
    --file puppet.conf.erb \
    --type snippet
  The message Config template created indicates success.
- Update the Operating System Object to use the new templates. Now that the new FIPS templates have been added to Satellite, they must be set as default templates for the desired operating system. Identify the IDs of the Satellite Kickstart Default FIPS and Kickstart Default PXELinux FIPS templates. In this example, the IDs are 54 and 53 respectively. These IDs are installation specific.
- Specify the FIPS templates as default.
  $ hammer os set-default-template --config-template-id TEMPLATE \
    --id OS
  Replace the placeholders TEMPLATE and OS with the IDs of the FIPS templates and of the desired operating system, noted earlier. Repeat this command for every combination of FIPS template and operating system; it does not accept a comma-separated list of values. In this example, the FIPS templates are set as default for Red Hat Enterprise Linux 7.2, identified in an earlier example as ID 1.
  Example
  $ hammer os set-default-template --config-template-id 54 --id 1
  $ hammer os set-default-template --config-template-id 53 --id 1
 
C.3. Change the Provisioning Password Hashing Algorithm
This sets the password hashing algorithm used in provisioning to SHA256. This configuration setting must be applied for each operating system you want to deploy as FIPS compliant.
This is required ONLY if Red Hat Satellite 6 was upgraded from Satellite 6.1. Satellite 6.3 uses SHA256 by default.
- Identify the Operating System IDs.
- Update each operating system's password hash value.
  $ hammer os update --title OS \
    --password-hash SHA256
  Repeat this command for each of the desired operating systems, using the matching value in the TITLE column. It does not accept a comma-separated list of values.
  Example
  $ hammer os update --title "RedHat 7.2" \
    --password-hash SHA256
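Both hammer os set-default-template (Section C.2) and hammer os update take a single template ID, operating system ID or title per call, so a fleet with several operating systems means many repeated invocations. The script below is an added example, not part of the Red Hat documentation: it wraps the two commands in loops that run one hammer call per template and operating system pair and stop at the first failure; the IDs in the usage block follow the guide's examples (templates 54 and 53, operating system 1) and the title is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Red Hat Satellite documentation): apply the FIPS
# template defaults and the SHA256 password hash to every operating system,
# one hammer call per value, since neither command accepts a comma-separated list.
set -eu

# set_fips_default_templates "TEMPLATE_ID ..." "OS_ID ..."
#   Space-separated numeric ID lists. Stops at the first failure so a partially
#   applied configuration does not go unnoticed.
set_fips_default_templates() {
    templates="$1"; oses="$2"
    for os in $oses; do
        for tpl in $templates; do
            case "$tpl:$os" in
                *[!0-9:]*) echo "non-numeric ID: template=$tpl os=$os" >&2; return 1 ;;
            esac
            hammer os set-default-template --config-template-id "$tpl" --id "$os"
        done
    done
}

# set_fips_password_hash  (reads one operating system TITLE per line on stdin)
#   Titles such as "RedHat 7.2" contain spaces, so they are read line by line
#   rather than passed as a word list; blank lines are skipped.
set_fips_password_hash() {
    while IFS= read -r title; do
        [ -n "$title" ] || continue
        hammer os update --title "$title" --password-hash SHA256
    done
}

# Usage: run with --apply; values below are placeholders in the guide's style.
if [ "${1:-}" = "--apply" ]; then
    set_fips_default_templates "54 53" "1"
    printf '%s\n' "RedHat 7.2" | set_fips_password_hash
fi
```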
C.4. Switching to a FIPS Compliant Message Algorithm for Puppet
On the Satellite Server, all external Capsule Servers, and all existing hosts, configure Puppet to use the SHA256 message digest algorithm.
Edit the /etc/puppet/puppet.conf file, adding the line digest_algorithm = sha256 in the [main] stanza.
This change is overwritten on every upgrade of Satellite, so it must be reapplied afterward.
Because the Puppet message digest algorithm is changed on the Satellite Server and all Capsule Servers, it must also be changed on all hosts, including those that are not FIPS compliant.
In the event of a message digest algorithm mismatch, the client downloads its facts again. This results in a noticeably increased load on the Satellite Server or external Capsule Servers.
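Because the puppet.conf edit above is reverted by every Satellite upgrade, it is worth scripting it so that it can be reapplied and checked after each one on the Satellite Server, the Capsule Servers and the hosts. The functions below are an added example, not part of the Red Hat documentation: they take the configuration file path as an argument (in production the page's /etc/puppet/puppet.conf), set digest_algorithm = sha256 only inside the [main] stanza, replace a differing value there, add the stanza if it is missing, and leave the same key in any other stanza untouched.

```shell
#!/bin/sh
# Added example (not from the Red Hat Satellite documentation): idempotently set
# digest_algorithm = sha256 in the [main] stanza of a puppet.conf, and check it.
set -eu

# set_puppet_digest FILE
#   Rewrites FILE in place. Existing digest_algorithm lines in [main] are
#   replaced (duplicates dropped); other stanzas are left as they are; a
#   missing [main] stanza is appended at the end of the file.
set_puppet_digest() {
    conf="$1"
    tmp=$(mktemp) || return 1
    awk '
        /^[[:space:]]*\[/ {                      # a stanza header
            if (in_main && !done) { print "digest_algorithm = sha256"; done = 1 }
            in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/)
            if (in_main) seen_main = 1
        }
        in_main && /^[[:space:]]*digest_algorithm[[:space:]]*=/ {
            if (done) next                        # drop a duplicate key
            print "digest_algorithm = sha256"; done = 1; next
        }
        { print }
        END {
            if (!seen_main) print "[main]"
            if (!done) print "digest_algorithm = sha256"
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# check_puppet_digest FILE
#   Exit status 0 if [main] contains digest_algorithm = sha256, 1 otherwise.
check_puppet_digest() {
    awk '
        /^[[:space:]]*\[/ { in_main = ($0 ~ /^[[:space:]]*\[main\][[:space:]]*$/) }
        in_main && /^[[:space:]]*digest_algorithm[[:space:]]*=[[:space:]]*sha256[[:space:]]*$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Usage (path is an assumption; run on each server and host after an upgrade):
if [ "${1:-}" = "--apply" ]; then
    set_puppet_digest /etc/puppet/puppet.conf
    check_puppet_digest /etc/puppet/puppet.conf && echo "digest_algorithm is sha256"
fi
```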
C.5. Setting the FIPS Enabled Parameter
To provision a FIPS compliant host, the FIPS templates require a parameter named fips_enabled to be set to true. If this is not set to true, or is absent, the FIPS specific changes will not be applied. This parameter can be specified when provisioning an individual host, or set for a host group. Retrospectively enabling FIPS compliance on a host is outside the scope of this guide and likely to cause problems.
To set this parameter when provisioning a host, append --parameters fips_enabled=true to the Hammer command.
To set this parameter on an existing host group, use the Hammer sub-command set-parameter. For more information, see the output of the command hammer hostgroup set-parameter --help. Any host provisioned to this host group will inherit the fips_enabled parameter from the host group.
Example
$ hammer hostgroup set-parameter --name fips_enabled \
 --value true \
 --hostgroup prod_servers
C.6. Verifying FIPS Mode is Enabled
To verify these FIPS compliance changes have been successful, you must provision a host and check its configuration.
- Deploy a host using the FIPS templates, ensuring that the parameter named fips_enabled is set to true.
- Log in to the new host as a root-equivalent account.
- Enter the command cat /proc/sys/crypto/fips_enabled. A value of 1 confirms that FIPS mode is enabled.