
Appendix C. Provisioning FIPS-compliant Hosts


Red Hat Satellite 6 supports provisioning hosts that comply with the National Institute of Standards and Technology’s Security Requirements for Cryptographic Modules standard, reference number FIPS 140-2, referred to here as FIPS.

To enable the provisioning of hosts that are FIPS-compliant, complete the following changes:

  • Identify the relevant operating systems, locations, and organizations
  • Create and enable the FIPS provisioning templates
  • Change the provisioning password hashing algorithm
  • Change the Puppet message digest algorithm
  • Set the FIPS enabled parameter

When these changes are complete, the new provisioning templates will be associated with those operating systems, locations, and organizations you specify. When you provision a host to those operating systems, locations, and organizations, the host will have the FIPS-compliant settings applied. To confirm that these settings have been successful, complete the steps in Section C.6, “Verifying FIPS Mode is Enabled”.

Prerequisites

  • Complete the configuration steps from the Authentication section in the Hammer CLI Guide. This allows you to run Hammer commands without providing your Satellite username and password each time.

C.1. Identifying the Relevant Operating Systems, Locations, and Organizations

Before creating the FIPS-compliant templates in Satellite, you must identify those locations, organizations and operating systems to which you want to deploy FIPS-compliant hosts. For example, if you will only deploy Red Hat Enterprise Linux 7 hosts as FIPS-compliant, associate the template with only Red Hat Enterprise Linux 7.

  1. List all locations.

    Example

    $ hammer location list
    ---|-----------------
    ID | NAME
    ---|-----------------
    2  | Default Location
    ---|-----------------

    Note the value in the NAME column of those locations to which you want to deploy FIPS-compliant hosts.

  2. List all organizations.

    Example

    $ hammer organization list
    ---|----------------------|----------------------|------------
    ID | NAME                 | LABEL                | DESCRIPTION
    ---|----------------------|----------------------|------------
    1  | Default Organization | Default_Organization |
    2  | Sales                | Sales_Department     |
    ---|----------------------|----------------------|------------

    Note the value in the NAME column of those organizations to which you want to deploy FIPS-compliant hosts.

  3. List all operating systems.

    Example

    $ hammer os list
    ---|-----------------|--------------|-------
    ID | TITLE           | RELEASE NAME | FAMILY
    ---|-----------------|--------------|-------
    2  | RedHat 6.6      |              | Redhat
    3  | RedHat 7.1      |              | Redhat
    1  | RedHat 7.2      |              | Redhat
    4  | RedHat 6.7      |              | Redhat
    ---|-----------------|--------------|-------

    Note the value in the TITLE column of those operating systems to which you want to deploy FIPS-compliant hosts.

C.2. Creating and Enabling the FIPS Provisioning Templates

The FIPS provisioning templates are provided in a git repository. In this procedure you import them into the Satellite environment, then associate them with the desired operating systems, locations, and organizations.

  1. On the Satellite Server, clone the git repository containing the FIPS enabled templates, then change into the repository’s directory.

    $ git clone https://github.com/RedHatSatellite/satellite6-fips-client
    $ cd satellite6-fips-client

    This repository contains the following Embedded Ruby (ERB) templates. They are plain text files, which you can view to see in detail the configuration settings they contain.

    • Kickstart_Default_PXELinux_FIPS.erb: updated PXELinux template
    • fips_packages.erb: snippet that installs the packages required by FIPS mode (for example, dracut-fips)
    • Satellite_Kickstart_Default_FIPS.erb: Kickstart template modified to call the fips_packages snippet
    • puppet.conf.erb: puppet.conf snippet that sets the message digest algorithm to SHA256
  2. Add the PXELinux FIPS template.

    $ hammer template create  --name "Kickstart Default PXELinux FIPS" \
      --file Kickstart_Default_PXELinux_FIPS.erb  \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --operatingsystems OS \
      --type PXELinux

    Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. Enclose any value that contains spaces or other non-alphabetical characters in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "Kickstart Default PXELinux FIPS" \
      --file Kickstart_Default_PXELinux_FIPS.erb \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \
      --type PXELinux

  3. Add the Satellite Kickstart Default FIPS template.

    $ hammer template create  --name "Satellite Kickstart Default FIPS" \
      --file Satellite_Kickstart_Default_FIPS.erb  \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --operatingsystems OS \
      --type provision

    Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. Enclose any value that contains spaces or other non-alphabetical characters in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "Satellite Kickstart Default FIPS" \
      --file Satellite_Kickstart_Default_FIPS.erb  \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \
      --type provision

  4. Add the FIPS Packages snippet.

    $ hammer template create  --name "fips_packages" \
      --file fips_packages.erb \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --type snippet

    Replace the placeholder values LOCATIONS and ORGANIZATION with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. Enclose any value that contains spaces or other non-alphabetical characters in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "fips_packages" \
      --file fips_packages.erb \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --type snippet

  5. Update the default Puppet configuration snippet.

    $ hammer template update --name puppet.conf \
      --file puppet.conf.erb  \
      --type snippet

    The message Config template updated indicates success.

  6. Update the Operating System Object to use the new templates.

    Now that the new FIPS templates have been added to Satellite, they must be set as the default templates for each desired operating system.

    1. Identify the IDs of the Satellite Kickstart Default FIPS and Kickstart Default PXELinux FIPS templates.

      Example

      $ hammer template list
      ---|---------------------------------------|----------
      ID | NAME                                  | TYPE
      ---|---------------------------------------|----------
      41 | redhat_register                       | snippet
      42 | saltstack_minion                      | snippet
      53 | Kickstart Default PXELinux FIPS       | PXELinux
      46 | Satellite Kickstart Default           | provision
      48 | Satellite Kickstart Default Finish    | finish
      54 | Satellite Kickstart Default FIPS      | provision
      47 | Satellite Kickstart Default User Data | user_data
      50 | subscription_manager_registration     | snippet
      29 | UserData default                      | user_data
      30 | WAIK default PXELinux                 | PXELinux
      ---|---------------------------------------|----------

      In this example, the IDs are 54 and 53 respectively. These IDs are installation specific.

    2. Specify the FIPS templates as default.

      $ hammer os set-default-template --config-template-id TEMPLATE \
      --id OS

      Replace the placeholders TEMPLATE and OS with the IDs of the FIPS templates, and the desired operating system, noted earlier. Repeat this command for every combination of FIPS template and operating system. It does not accept a comma-separated list of values.

      In this example, the FIPS templates are set as default for Red Hat Enterprise Linux 7.2, identified in an earlier example as ID 1.

      Example

      $ hammer os set-default-template --config-template-id 54 --id 1
      $ hammer os set-default-template --config-template-id 53 --id 1

C.3. Change the Provisioning Password Hashing Algorithm

This sets the password hashing algorithm used in provisioning to SHA256. This configuration setting must be applied for each operating system you want to deploy as FIPS-compliant.

Note

This is required ONLY if Red Hat Satellite 6 was upgraded from Satellite 6.1. Satellite 6.5 uses SHA256 by default.

  1. Identify the Operating System IDs.

    Example

    $ hammer os list
    ---|-----------------|--------------|-------
    ID | TITLE           | RELEASE NAME | FAMILY
    ---|-----------------|--------------|-------
    2  | RedHat 6.6      |              | Redhat
    3  | RedHat 7.1      |              | Redhat
    1  | RedHat 7.2      |              | Redhat
    4  | RedHat 6.7      |              | Redhat
    ---|-----------------|--------------|-------

  2. Update each operating system’s password hash value.

    $ hammer os update --title OS \
      --password-hash SHA256

    Repeat this command for each of the desired operating systems, using the matching value in the TITLE column. It does not accept a comma-separated list of values.

    Example

    $ hammer os update --title "RedHat 7.2" \
      --password-hash SHA256
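The following script is an added example and is not part of the Satellite documentation or the satellite6-fips-client repository. It automates Section C.2 step 6 and the Section C.3 update together: it resolves the two FIPS template IDs by exact name from the output of hammer template list (exact matching matters because "Satellite Kickstart Default" is a prefix of "Satellite Kickstart Default FIPS"), then issues one hammer os set-default-template call per template and operating system pair, and one hammer os update --password-hash SHA256 call per operating system title, because neither command accepts a comma-separated list. The file name, the HAMMER and DRY_RUN variables, the --run option and its OS_ID=OS Title arguments are assumptions of this example; the hammer subcommands and options are the ones shown in the sections above. Run the password hash step only when the Section C.3 note applies to your installation.

```sh
#!/bin/sh
# fips_os_defaults.sh: added example, not from the Satellite documentation or the
# satellite6-fips-client repository. Automates Section C.2 step 6 and Section C.3.
# Assumes hammer is already configured as described in the Prerequisites.
# DRY_RUN=1 prints the hammer commands instead of running them.

HAMMER=${HAMMER:-hammer}   # assumption: override to point at a wrapper or stub

# template_id_by_name NAME: read `hammer template list` output on stdin and print
# the ID whose NAME column matches exactly. Returns 1 when the name is missing
# or appears more than once (the IDs are installation specific, so never hard-code them).
template_id_by_name() {
    awk -F'|' -v want="$1" '
        {
            id = $1; name = $2
            gsub(/^[ \t]+|[ \t]+$/, "", id)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (id ~ /^[0-9]+$/ && name == want) ids[n++] = id
        }
        END { if (n != 1) exit 1; print ids[0] }'
}

# run_hammer ARGS...: run hammer, or just print the command when DRY_RUN=1.
run_hammer() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$HAMMER $*"
    else
        "$HAMMER" "$@"
    fi
}

# set_fips_defaults "TEMPLATE_IDS" "OS_IDS": make every template the default for
# every OS. IDs are space-separated; hammer takes a single ID per call.
set_fips_defaults() {
    for os in $2; do
        for tmpl in $1; do
            run_hammer os set-default-template --config-template-id "$tmpl" --id "$os" || return 1
        done
    done
}

# set_password_hash_sha256 "OS TITLE"...: Section C.3, one call per title.
# Titles such as "RedHat 7.2" contain spaces, so pass each as its own argument.
set_password_hash_sha256() {
    for title in "$@"; do
        run_hammer os update --title "$title" --password-hash SHA256 || return 1
    done
}

# Usage (assumption): sh fips_os_defaults.sh --run "1=RedHat 7.2" "4=RedHat 6.7"
if [ "${1:-}" = "--run" ]; then
    shift
    listing=$("$HAMMER" template list) || exit 1
    ks=$(printf '%s\n' "$listing" | template_id_by_name "Satellite Kickstart Default FIPS") \
        || { echo "Satellite Kickstart Default FIPS not found; complete Section C.2 first" >&2; exit 1; }
    pxe=$(printf '%s\n' "$listing" | template_id_by_name "Kickstart Default PXELinux FIPS") \
        || { echo "Kickstart Default PXELinux FIPS not found; complete Section C.2 first" >&2; exit 1; }
    for spec in "$@"; do
        set_fips_defaults "$ks $pxe" "${spec%%=*}" || exit 1
        set_password_hash_sha256 "${spec#*=}" || exit 1
    done
fi
```

Run it once with DRY_RUN=1 to review the exact hammer commands before they touch the operating system objects; the nested loop makes the "every combination" requirement from step 6 explicit rather than relying on the operator to repeat the command by hand.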

C.4. Switching to a FIPS-compliant Message Algorithm for Puppet

On the Satellite Server, all external Capsule Servers, and all existing hosts, configure Puppet to use the SHA256 message digest algorithm.

Edit the /etc/puppetlabs/puppet/puppet.conf file, adding the line digest_algorithm = sha256 in the [main] stanza.

Note

This change is overwritten on every upgrade of Satellite and must be reapplied after each one.

Because the Puppet message digest algorithm is changed on the Satellite Server and all Capsule Servers, it must also be changed on all hosts, including those that are not FIPS-compliant.

If the message digest algorithm on a host does not match the one on its Satellite Server or Capsule Server, the Puppet agent downloads its facts again, which noticeably increases the load on the Satellite Server or external Capsule Servers.

C.5. Setting the FIPS Enabled Parameter

To provision a FIPS-compliant host, the FIPS templates require a parameter named fips_enabled to be set to true. If this is not set to true, or is absent, the FIPS specific changes will not be applied. This parameter can be specified when provisioning an individual host, or set for a hostgroup. Retrospectively enabling FIPS compliance on a host is outside the scope of this guide and likely to cause problems.

To set this parameter when provisioning a host, append --parameters fips_enabled=true to the Hammer command.

To set this parameter on an existing host group, use the Hammer sub-command set-parameter. For more information, see the output of the command hammer hostgroup set-parameter --help. Any host provisioned to this hostgroup will inherit the fips_enabled parameter from the hostgroup.

Example

$ hammer hostgroup set-parameter --name fips_enabled \
 --value 'true' \
 --hostgroup prod_servers

C.6. Verifying FIPS Mode is Enabled

To verify these FIPS compliance changes have been successful, you must provision a host and check its configuration.

  1. Deploy a host using the FIPS templates, ensuring that the parameter named fips_enabled is set to true.
  2. Log in to the new host as a root-equivalent account.
  3. Enter the command cat /proc/sys/crypto/fips_enabled. A value of 1 confirms that FIPS mode is enabled.