Chapter 2. FIPS support
Federal Information Processing Standards (FIPS) are standards for computer security and interoperability. To use FIPS with Streams for Apache Kafka, you must have a FIPS-compliant OpenJDK (Open Java Development Kit) installed on your system. If your RHEL system is FIPS-enabled, OpenJDK automatically switches to FIPS mode when running Streams for Apache Kafka. This ensures that Streams for Apache Kafka uses the FIPS-compliant security libraries provided by OpenJDK.
Minimum password length
When running in FIPS mode, SCRAM-SHA-512 passwords must be at least 32 characters long. If your Kafka cluster has a custom configuration that uses a password length of less than 32 characters, you need to update your configuration. If any users have passwords shorter than 32 characters, you need to regenerate their passwords with the required length.
2.1. Installing Streams for Apache Kafka with FIPS mode enabled
Enable FIPS mode before you install Streams for Apache Kafka on RHEL. Red Hat recommends installing RHEL with FIPS mode enabled, as opposed to enabling FIPS mode later. Enabling FIPS mode during the installation ensures that the system generates all keys with FIPS-approved algorithms and with continuous monitoring tests in place.
With RHEL running in FIPS mode, you must ensure that the Streams for Apache Kafka configuration is FIPS-compliant. Additionally, your Java implementation must be FIPS-compliant.
Running Streams for Apache Kafka on RHEL in FIPS mode requires a FIPS-compliant JDK.
Procedure
- Install RHEL in FIPS mode.
  For further information, see the information on security hardening in the RHEL documentation.
- Proceed with the installation of Streams for Apache Kafka.
- Configure Streams for Apache Kafka to use FIPS-compliant algorithms and protocols.
  If used, ensure that the following configuration is compliant:
  - SSL cipher suites and TLS versions must be supported by the JDK framework.
  - SCRAM-SHA-512 passwords must be at least 32 characters long.
Make sure that your installation environment and Streams for Apache Kafka configuration remain compliant as FIPS requirements change.
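The following shell functions are an added example, not part of the Red Hat documentation or product tooling. They show one way to check the minimum password length and the SCRAM-SHA-512 item in the procedure before a cluster is moved to a FIPS-enabled host. The function names, the one-entry-per-line properties layout and the 40-character replacement length are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling. Assumes each JAAS entry sits on one
# line of a Kafka properties file and passwords contain no escaped quotes.
MIN_LEN=32   # SCRAM-SHA-512 minimum in FIPS mode, per this chapter

# Succeeds when the kernel reports FIPS mode (flag path overridable for tests).
fips_enabled() {
    fe_flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$fe_flag" ] && [ "$(cat "$fe_flag")" = "1" ]
}

# Prints "<username> <password length>" for each ScramLoginModule entry below
# MIN_LEN and returns 1 if any were found. The password is never printed.
short_scram_passwords() {
    sp_rc=0
    while IFS= read -r sp_line || [ -n "$sp_line" ]; do
        case "$sp_line" in
            \#*) continue ;;                # commented-out entry
            *ScramLoginModule*) ;;          # candidate JAAS entry
            *) continue ;;
        esac
        sp_user=$(printf '%s\n' "$sp_line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        sp_pass=$(printf '%s\n' "$sp_line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        if [ "${#sp_pass}" -lt "$MIN_LEN" ]; then
            printf '%s %s\n' "${sp_user:-unknown}" "${#sp_pass}"
            sp_rc=1
        fi
    done < "$1"
    return "$sp_rc"
}

# Emits a 40-character alphanumeric replacement password from /dev/urandom.
new_scram_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-40
}
```

Run `short_scram_passwords` against each client and broker properties file. An entry with no inline `password="..."` value is reported with length 0 and needs a manual check.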