此内容没有您所选择的语言版本。

Appendix C. Provisioning FIPS Compliant Hosts


Red Hat Satellite 6 supports provisioning hosts that comply with the National Institute of Standards and Technology’s Security Requirements for Cryptographic Modules standard, reference number FIPS 140-2, referred to here as FIPS.

Red Hat Satellite 6 is not supported on a FIPS enabled host.

To enable the provisioning of hosts that are FIPS compliant, complete the following changes:

  • Identify the relevant operating systems, locations, and organizations
  • Create and enable the FIPS provisioning templates
  • Change the provisioning password hashing algorithm
  • Change the Puppet message digest algorithm
  • Set the FIPS enabled parameter

When these changes are complete, the new provisioning templates will be associated with those operating systems, locations, and organizations you specify. When you provision a host to those operating systems, locations, and organizations, the host will have the FIPS-compliant settings applied. To confirm that these settings have been successful, complete the steps in Section C.6, “Verifying FIPS Mode is Enabled”.

Prerequisites

  • Complete the configuration steps from the Authentication section in the Hammer CLI Guide. This allows you to run Hammer commands without providing your Satellite username and password each time.

C.1. Identifying the Relevant Operating Systems, Locations, and Organizations

Before creating the FIPS-compliant templates in Satellite, you must identify those locations, organizations and operating systems to which you want to deploy FIPS-compliant hosts. For example, if you will only deploy Red Hat Enterprise Linux 7 hosts as FIPS compliant, associate the template with only Red Hat Enterprise Linux 7.

  1. List all locations.

    Example

    $ hammer location list
    ---|-----------------
    ID | NAME
    ---|-----------------
    2  | Default Location
    ---|-----------------

    Note the value in the NAME column of those locations to which you want to deploy FIPS-compliant hosts.

  2. List all organizations.

    Example

    ---|----------------------|----------------------|------------
    ID | NAME                 | LABEL                | DESCRIPTION
    ---|----------------------|----------------------|------------
    1  | Default Organization | Default_Organization |
    2  | Sales                | Sales_Department     |
    ---|----------------------|----------------------|------------

    Note the value in the NAME column of those organizations to which you want to deploy FIPS-compliant hosts.

  3. List all operating systems.

    Example

    $ hammer os list
    ---|-----------------|--------------|-------
    ID | TITLE           | RELEASE NAME | FAMILY
    ---|-----------------|--------------|-------
    2  | RedHat 6.6      |              | Redhat
    3  | RedHat 7.1      |              | Redhat
    1  | RedHat 7.2      |              | Redhat
    4  | RedHat 6.7      |              | Redhat
    ---|-----------------|--------------|-------

    Note the value in the TITLE column of those operating systems to which you want to deploy FIPS-compliant hosts.

C.2. Creating and Enabling the FIPS Provisioning Templates

The FIPS provisioning templates are provided in a git repository. In this procedure you import them into the Satellite environment, then associate them with the desired operating systems, locations, and organizations.

  1. On the Satellite Server, clone the git repository containing the FIPS enabled templates, then change into the repository’s directory.

    $ git clone https://github.com/RedHatSatellite/satellite6-fips-client
    $ cd satellite6-fips-client

    This repository contains the following Embedded RuBy (ERB) templates. These are plain text files, which you can view to see in detail the configuration settings they contain.

    • Kickstart_Default_PXELinux_FIPS.erb

      • Updated PXELinux template
    • fips_packages.erb

      • Packages required by FIPS mode (for example, dracut-fips)
    • Satellite_Kickstart_Default_FIPS.erb

      • Kickstart template with modifications to call the fips_packages snippet
    • puppet.conf.erb

      • Updated puppet.conf configuration file with updated (SHA256) message digest algorithm
  2. Add the PXELinux FIPS template.

    $ hammer template create  --name "Kickstart Default PXELinux FIPS" \
      --file Kickstart_Default_PXELinux_FIPS.erb  \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --operatingsystems OS \
      --type PXELinux

    Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "Kickstart Default PXELinux FIPS" \
      --file Kickstart_Default_PXELinux_FIPS.erb \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \
      --type PXELinux

  3. Add the Satellite Kickstart Default FIPS template.

    $ hammer template create  --name "Satellite Kickstart Default FIPS" \
      --file Satellite_Kickstart_Default_FIPS.erb  \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --operatingsystems OS \
      --type provision

    Replace the placeholder values LOCATIONS, ORGANIZATION, and OS with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "Satellite Kickstart Default FIPS" \
      --file Satellite_Kickstart_Default_FIPS.erb  \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --operatingsystems "RedHat 6.6","RedHat 7.1","RedHat 7.2","RedHat 6.7" \
      --type provision

  4. Add the FIPS Packages snippet.

    $ hammer template create  --name "fips_packages" \
      --file fips_packages.erb \
      --locations LOCATIONS \
      --organizations ORGANIZATION \
      --type snippet

    Replace the placeholder values LOCATIONS and ORGANIZATION with the values you noted in Section C.1, “Identifying the Relevant Operating Systems, Locations, and Organizations”. If any value contains non-aphabetical characters, enclose the value in quotation marks (").

    The message Config template created indicates success.

    Example

    $ hammer template create  --name "fips_packages" \
      --file fips_packages.erb \
      --locations "Default Location" \
      --organizations "Default Organization","Sales" \
      --type snippet

  5. Update the default Puppet configuration snippet.

    $ hammer template update --name puppet.conf \
      --file puppet.conf.erb  \
      --type snippet

    The message Config template created indicates success.

  6. Update the Operating System Object to use the new templates.

    Now that the new FIPS templates have been added to Satellite, they must be set as default templates for the desired operating system.

    1. Identify the IDs of the Satellite Kickstart Default FIPS and Kickstart Default PXELinux FIPS templates.

      Example

      $ hammer template list
      ---|---------------------------------------|----------
      ID | NAME                                  | TYPE
      ---|---------------------------------------|----------
      41 | redhat_register                       | snippet
      42 | saltstack_minion                      | snippet
      53 | Kickstart Default PXELinux FIPS       | PXELinux
      46 | Satellite Kickstart Default           | provision
      48 | Satellite Kickstart Default Finish    | finish
      54 | Satellite Kickstart Default FIPS      | provision
      47 | Satellite Kickstart Default User Data | user_data
      50 | subscription_manager_registration     | snippet
      29 | UserData default                      | user_data
      30 | WAIK default PXELinux                 | PXELinux
      ---|---------------------------------------|----------

      In this example, the IDs are 54 and 53 respectively. These IDs are installation specific.

    2. Specify the FIPS templates as default.

      $ hammer os set-default-template --config-template-id TEMPLATE \
      --id OS

      Replace the placeholders TEMPLATE and OS with the IDs of the FIPS templates, and the desired operating system, noted earlier. Repeat this command for every combination of FIPS template and operating system. It does not accept a comma-separated list of values.

      In this example, the FIPS templates are set as default for Red Hat Enterprise Linux 7.2, identified in an earlier example as ID 1.

      Example

      $ hammer os set-default-template --config-template-id 54 --id 1
      $ hammer os set-default-template --config-template-id 53 --id 1

C.3. Change the Provisioning Password Hashing Algorithm

This sets the password hashing algorithm used in provisioning to SHA256. This configuration setting must be applied for each operating system you want to deploy as FIPS compliant.

Note

This is required ONLY if Red Hat Satellite 6 was upgraded from Satellite 6.1. Satellite 6.3 uses SHA256 by default.

  1. Identify the Operating System IDs.

    Example

    $ hammer os list
    ---|-----------------|--------------|-------
    ID | TITLE           | RELEASE NAME | FAMILY
    ---|-----------------|--------------|-------
    2  | RedHat 6.6      |              | Redhat
    3  | RedHat 7.1      |              | Redhat
    1  | RedHat 7.2      |              | Redhat
    4  | RedHat 6.7      |              | Redhat
    ---|-----------------|--------------|-------

  2. Update each operating system’s password hash value.

    $ hammer os update --title OS \
      --password-hash SHA256

    Repeat this command for each of the desired operating systems, using the matching value in the TITLE column. It does not accept a comma-separated list of values.

    Example

    $ hammer os update --title "RedHat 7.2" \
      --password-hash SHA256

C.4. Switching to a FIPS Compliant Message Algorithm for Puppet

On the Satellite Server, all external Capsule Servers, and all existing hosts, configure Puppet to use the SHA256 message digest algorithm.

Edit the /etc/puppet/puppet.conf file, adding the line digest_algorithm = sha256 in the [main] stanza.

Note

This change will be overwritten on every upgrade of Satellite, so needs to be reapplied afterward.

Because the Puppet message digest algorithm is changed on the Satellite Server and all Capsule Servers, it must also be changed on all hosts, including those that are not FIPS compliant.

In the event of a message digest algorithm mismatch, the client will download its facts again. This will result in a noticeable increased load on the Satellite Server or external Capsule Servers.

C.5. Setting the FIPS Enabled Parameter

To provision a FIPS compliant host, the FIPS templates require a parameter named fips_enabled to be set to true. If this is not set to true, or is absent, the FIPS specific changes will not be applied. This parameter can be specified when provisioning an individual host, or set for a hostgroup. Retrospectively enabling FIPS compliance on a host is outside the scope of this guide and likely to cause problems.

To set this parameter when provisioning a host, append --parameters fips_enabled=true to the Hammer command.

To set this parameter on an existing host group, use the Hammer sub-command set-parameter. For more information, see the output of the command hammer hostgroup set-parameter --help. Any host provisioned to this hostgroup will inherit the fips_enabled parameter from the hostgroup.

Example

$ hammer hostgroup set-parameter --name fips_enabled \
 --value true \
 --hostgroup prod_servers

C.6. Verifying FIPS Mode is Enabled

To verify these FIPS compliance changes have been successful, you must provision a host and check its configuration.

  1. Deploy a host using the FIPS templates, ensuring that parameter named fips_enabled is set to true.
  2. Log in to the new host as a root-equivalent account.
  3. Enter the command cat /proc/sys/crypto/fips_enabled. A value of 1 confirms that FIPS mode is enabled.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.