此内容没有您所选择的语言版本。
Appendix C. Provisioning FIPS Compliant Hosts
Red Hat Satellite 6 supports provisioning hosts that comply with the National Institute of Standards and Technology’s Security Requirements for Cryptographic Modules standard, reference number FIPS 140-2, referred to here as FIPS.
Red Hat Satellite 6 is not supported on a FIPS enabled host.
To enable the provisioning of hosts that are FIPS compliant, complete the following changes:
- Identify the relevant operating systems, locations, and organizations
- Create and enable the FIPS provisioning templates
- Change the provisioning password hashing algorithm
- Change the Puppet message digest algorithm
- Set the FIPS enabled parameter
When these changes are complete, the new provisioning templates will be associated with those operating systems, locations, and organizations you specify. When you provision a host to those operating systems, locations, and organizations, the host will have the FIPS-compliant settings applied. To confirm that these settings have been successful, complete the steps in Section C.6, “Verifying FIPS Mode is Enabled”.
Prerequisites
- Complete the configuration steps from the Authentication section in the Hammer CLI Guide. This allows you to run Hammer commands without providing your Satellite username and password each time.
C.1. Identifying the Relevant Operating Systems, Locations, and Organizations
Before creating the FIPS-compliant templates in Satellite, you must identify those locations, organizations and operating systems to which you want to deploy FIPS-compliant hosts. For example, if you will only deploy Red Hat Enterprise Linux 7 hosts as FIPS compliant, associate the template with only Red Hat Enterprise Linux 7.
List all locations.
Example
$ hammer location list ---|----------------- ID | NAME ---|----------------- 2 | Default Location ---|-----------------
Note the value in the
NAME
column of those locations to which you want to deploy FIPS-compliant hosts.List all organizations.
Example
---|----------------------|----------------------|------------ ID | NAME | LABEL | DESCRIPTION ---|----------------------|----------------------|------------ 1 | Default Organization | Default_Organization | 2 | Sales | Sales_Department | ---|----------------------|----------------------|------------
Note the value in the
NAME
column of those organizations to which you want to deploy FIPS-compliant hosts.List all operating systems.
Example
$ hammer os list ---|-----------------|--------------|------- ID | TITLE | RELEASE NAME | FAMILY ---|-----------------|--------------|------- 2 | RedHat 6.6 | | Redhat 3 | RedHat 7.1 | | Redhat 1 | RedHat 7.2 | | Redhat 4 | RedHat 6.7 | | Redhat ---|-----------------|--------------|-------
Note the value in the
TITLE
column of those operating systems to which you want to deploy FIPS-compliant hosts.
C.2. Creating and Enabling the FIPS Provisioning Templates
The FIPS provisioning templates are provided in a git repository. In this procedure you import them into the Satellite environment, then associate them with the desired operating systems, locations, and organizations.
On the Satellite Server, clone the git repository containing the FIPS enabled templates, then change into the repository’s directory.
$ git clone https://github.com/RedHatSatellite/satellite6-fips-client $ cd satellite6-fips-client
This repository contains the following Embedded RuBy (ERB) templates. These are plain text files, which you can view to see in detail the configuration settings they contain.
Kickstart_Default_PXELinux_FIPS.erb
- Updated PXELinux template
fips_packages.erb
-
Packages required by FIPS mode (for example,
dracut-fips
)
-
Packages required by FIPS mode (for example,
Satellite_Kickstart_Default_FIPS.erb
-
Kickstart template with modifications to call the
fips_packages
snippet
-
Kickstart template with modifications to call the
puppet.conf.erb
-
Updated
puppet.conf
configuration file with updated (SHA256) message digest algorithm
-
Updated
Add the PXELinux FIPS template.
$ hammer template create --name "Kickstart Default PXELinux FIPS" \ --file Kickstart_Default_PXELinux_FIPS.erb \ --locations LOCATIONS \ --organizations ORGANIZATION \ --operatingsystems OS \ --type PXELinux
Replace the placeholder values
LOCATIONS
,ORGANIZATION
, andOS
with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").The message
Config template created
indicates success.Example
$ hammer template create --name "Kickstart Default PXELinux FIPS" \ --file Kickstart_Default_PXELinux_FIPS.erb \ --locations "Default Location" \ --organizations "Default Organization","Sales" \ --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \ --type PXELinux
Add the Satellite Kickstart Default FIPS template.
$ hammer template create --name "Satellite Kickstart Default FIPS" \ --file Satellite_Kickstart_Default_FIPS.erb \ --locations LOCATIONS \ --organizations ORGANIZATION \ --operatingsystems OS \ --type provision
Replace the placeholder values
LOCATIONS
,ORGANIZATION
, andOS
with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").The message
Config template created
indicates success.Example
$ hammer template create --name "Satellite Kickstart Default FIPS" \ --file Satellite_Kickstart_Default_FIPS.erb \ --locations "Default Location" \ --organizations "Default Organization","Sales" \ --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \ --type provision
Add the FIPS Packages snippet.
$ hammer template create --name "fips_packages" \ --file fips_packages.erb \ --locations LOCATIONS \ --organizations ORGANIZATION \ --type snippet
Replace the placeholder values LOCATIONS and ORGANIZATION with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").
The message
Config template created
indicates success.Example
$ hammer template create --name "fips_packages" \ --file fips_packages.erb \ --locations "Default Location" \ --organizations "Default Organization","Sales" \ --type snippet
Update the default Puppet configuration snippet.
$ hammer template update --name puppet.conf \ --file puppet.conf.erb \ --type snippet
The message
Config template created
indicates success.Update the Operating System Object to use the new templates.
Now that the new FIPS templates have been added to Satellite, they must be set as default templates for the desired operating system.
Identify the IDs of the Satellite Kickstart Default FIPS and Kickstart Default PXELinux FIPS templates.
Example
$ hammer template list ---|---------------------------------------|---------- ID | NAME | TYPE ---|---------------------------------------|---------- 41 | redhat_register | snippet 42 | saltstack_minion | snippet 53 | Kickstart Default PXELinux FIPS | PXELinux 46 | Satellite Kickstart Default | provision 48 | Satellite Kickstart Default Finish | finish 54 | Satellite Kickstart Default FIPS | provision 47 | Satellite Kickstart Default User Data | user_data 50 | subscription_manager_registration | snippet 29 | UserData default | user_data 30 | WAIK default PXELinux | PXELinux ---|---------------------------------------|----------
In this example, the IDs are 54 and 53 respectively. These IDs are installation specific.
Specify the FIPS templates as default.
$ hammer os set-default-template --config-template-id TEMPLATE \ --id OS
Replace the placeholders TEMPLATE and OS with the IDs of the FIPS templates, and the desired operating system, noted earlier. Repeat this command for every combination of FIPS template and operating system. It does not accept a comma-separated list of values.
In this example, the FIPS templates are set as default for Red Hat Enterprise Linux 7.2, identified in an earlier example as ID 1.
Example
$ hammer os set-default-template --config-template-id 54 --id 1 $ hammer os set-default-template --config-template-id 53 --id 1
C.3. Change the Provisioning Password Hashing Algorithm
This sets the password hashing algorithm used in provisioning to SHA256. This configuration setting must be applied for each operating system you want to deploy as FIPS compliant.
This is required ONLY if Red Hat Satellite 6 was upgraded from Satellite 6.1. Satellite 6.3 uses SHA256 by default.
Identify the Operating System IDs.
Example
$ hammer os list ---|-----------------|--------------|------- ID | TITLE | RELEASE NAME | FAMILY ---|-----------------|--------------|------- 2 | RedHat 6.6 | | Redhat 3 | RedHat 7.1 | | Redhat 1 | RedHat 7.2 | | Redhat 4 | RedHat 6.7 | | Redhat ---|-----------------|--------------|-------
Update each operating system’s password hash value.
$ hammer os update --title OS \ --password-hash SHA256
Repeat this command for each of the desired operating systems, using the matching value in the
TITLE
column. It does not accept a comma-separated list of values.Example
$ hammer os update --title "RedHat 7.2" \ --password-hash SHA256
C.4. Switching to a FIPS Compliant Message Algorithm for Puppet
On the Satellite Server, all external Capsule Servers, and all existing hosts, configure Puppet to use the SHA256 message digest algorithm.
Edit the /etc/puppet/puppet.conf
file, adding the line digest_algorithm = sha256
in the [main]
stanza.
This change will be overwritten on every upgrade of Satellite, so needs to be reapplied afterward.
Because the Puppet message digest algorithm is changed on the Satellite Server and all Capsule Servers, it must also be changed on all hosts, including those that are not FIPS compliant.
In the event of a message digest algorithm mismatch, the client will download its facts again. This will result in a noticeable increased load on the Satellite Server or external Capsule Servers.
C.5. Setting the FIPS Enabled Parameter
To provision a FIPS compliant host, the FIPS templates require a parameter named fips_enabled to be set to true
. If this is not set to true
, or is absent, the FIPS specific changes will not be applied. This parameter can be specified when provisioning an individual host, or set for a hostgroup. Retrospectively enabling FIPS compliance on a host is outside the scope of this guide and likely to cause problems.
To set this parameter when provisioning a host, append --parameters fips_enabled=true
to the Hammer command.
To set this parameter on an existing host group, use the Hammer sub-command set-parameter
. For more information, see the output of the command hammer hostgroup set-parameter --help
. Any host provisioned to this hostgroup will inherit the fips_enabled parameter from the hostgroup.
Example
$ hammer hostgroup set-parameter --name fips_enabled \ --value true \ --hostgroup prod_servers
C.6. Verifying FIPS Mode is Enabled
To verify these FIPS compliance changes have been successful, you must provision a host and check its configuration.
-
Deploy a host using the FIPS templates, ensuring that parameter named fips_enabled is set to
true
. - Log in to the new host as a root-equivalent account.
-
Enter the command
cat /proc/sys/crypto/fips_enabled
. A value of1
confirms that FIPS mode is enabled.