
Chapter 6. Federal Information Processing Standard on Red Hat OpenStack Services on OpenShift


The Federal Information Processing Standards (FIPS) are a set of security requirements developed by the National Institute of Standards and Technology (NIST). FIPS is enabled by default in Red Hat OpenStack Services on OpenShift (RHOSO) when you install RHOSO on a FIPS-enabled Red Hat OpenShift Container Platform (RHOCP) cluster. Therefore, you must enable FIPS on the initial install of RHOCP.

In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. FIPS 140-3 validated cryptographic modules are cryptographic libraries that have completed the NIST CMVP process and have received a certificate from NIST.

When you use the system-wide cryptographic policy in FIPS 140 mode, RHEL and CoreOS are designed to restrict the use of core cryptographic modules and libraries to those that have been FIPS-validated. However, Paramiko implements cryptographic functions in its own code and has not been FIPS-validated. RHOSO core components use the RHEL cryptographic libraries submitted to NIST for FIPS validation unless they call Paramiko.

6.1. Checking FIPS status on RHOCP

You can check the FIPS status of Red Hat OpenShift Container Platform (RHOCP) or deployed worker nodes.

Procedure

  1. Log in to your Red Hat OpenShift Container Platform (RHOCP) cluster as a user with cluster-admin privileges.
  2. Get a list of the nodes in the cluster:

    $ oc get nodes

    For example:

    NAME      STATUS   ROLES                  AGE    VERSION
    master1   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    master2   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    master3   Ready    control-plane,master   7d1h   v1.28.6+6216ea1
    worker1   Ready    worker                 7d1h   v1.28.6+6216ea1
    worker2   Ready    worker                 7d1h   v1.28.6+6216ea1
    worker3   Ready    worker
  3. Open a debug pod on one of the nodes shown in the output of the previous step:

    $ oc debug node/worker2

    For example:

    Temporary namespace openshift-debug-rq2m8 is created for debugging node...
    Starting pod/worker2-debug-5shqt ...
    To use host binaries, run `chroot /host`
    Pod IP: 192.168.50.112
    If you don't see a command prompt, try pressing enter.
    sh-5.1#
  4. Check the value of fips_enabled in /proc:

    sh-5.1# cat /proc/sys/crypto/fips_enabled

    The output is 1 when FIPS is enabled and 0 when it is disabled.

You must modify iscsi.conf on the Red Hat OpenShift Container Platform (RHOCP) cluster to remove MD5 and SHA1 because the iSCSId configuration for the control plane is not handled by the Red Hat OpenStack Services on OpenShift (RHOSO) Operators.

Prerequisites

Procedure

  • On each of your nodes, ensure that the value of node.session.auth.chap_algs in the /etc/iscsi/iscsi.conf file is set to SHA3-256,SHA256.
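
One way to script this check, as an added example that is not part of the Red Hat documentation: the hypothetical function `check_chap_algs` reads an iscsi.conf file and passes only if every uncommented `node.session.auth.chap_algs` line is exactly `SHA3-256,SHA256`. It assumes that a commented-out or missing setting counts as not set; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit node.session.auth.chap_algs in an iscsi.conf file.
# Returns 0 only if every active assignment is exactly SHA3-256,SHA256.
check_chap_algs() {
    conf=$1
    expected="SHA3-256,SHA256"
    # Active (uncommented) assignments only, with blanks and CRs removed.
    values=$(sed -n 's/^[[:space:]]*node\.session\.auth\.chap_algs[[:space:]]*=//p' "$conf" | tr -d ' \t\r')
    if [ -z "$values" ]; then
        echo "FAIL: node.session.auth.chap_algs is not set in $conf"
        return 1
    fi
    rc=0
    while read -r v; do
        [ "$v" = "$expected" ] && continue
        rc=1
        case ",$v," in
            *,MD5,*|*,SHA1,*) echo "FAIL: '$v' still offers MD5 or SHA1" ;;
            *) echo "FAIL: '$v' is not '$expected'" ;;
        esac
    done <<EOF
$values
EOF
    [ "$rc" -eq 0 ] && echo "OK: chap_algs is $expected"
    return "$rc"
}

# Constructed sample files (not taken from a real node).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#node.session.auth.chap_algs = SHA3-256,SHA256' > "$d/commented.conf"
    printf '%s\n' 'node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5' > "$d/weak.conf"
    printf '%s\n' 'node.session.auth.chap_algs = SHA3-256,SHA256' > "$d/good.conf"
    for f in commented weak good; do
        check_chap_algs "$d/$f.conf" || true
    done
    rm -rf "$d"
}
demo
```

To audit a node, call `check_chap_algs` with the path to that node's /etc/iscsi/iscsi.conf and use the exit status to flag nodes that still need the change.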

6.3. Additional resources
