Chapter 4. Federal Information Processing Standard on Red Hat OpenStack Services on OpenShift

The Federal Information Processing Standards (FIPS) is a set of security requirements developed by the National Institute of Standards and Technology (NIST). In Red Hat Enterprise Linux 9, the supported standard is FIPS publication 140-3: Security Requirements for Cryptographic Modules. For details about the supported standard, see the Federal Information Processing Standards Publication 140-3.

FIPS 140-3 validated cryptographic modules are cryptographic libraries that have completed the NIST CMVP process and have received a certificate from NIST. For current information on Red Hat FIPS 140 validated modules, see Compliance Activities and Government Standards.

When you use the system-wide cryptographic policy in FIPS 140 mode, RHEL and CoreOS are designed to restrict the use of core cryptographic modules and libraries to those that have been FIPS-validated. Paramiko, however, implements cryptographic functions in its own code and has not been FIPS-validated. RHOSO core components use the RHEL cryptographic libraries submitted to NIST for FIPS validation unless they call paramiko.

Note

When you deploy RHOSO on a FIPS-enabled RHOCP cluster, iSCSI MD5 is disabled.

4.1. Verification of FIPS status

You can check the FIPS status of RHOCP or deployed worker nodes.

Procedure

  1. On your workstation, log into your RHOCP cluster with an account with cluster-admin privileges:

    $ oc login -u <username> -p <password> <url>
    • Replace <username> with your user name.
    • Replace <password> with your password.
    • Replace <url> with the API URL of your RHOCP cluster.
  2. Get a list of the nodes in the cluster:

    $ oc get nodes

    Example output:

    NAME  	STATUS   ROLES              	AGE	VERSION
    master1   Ready	control-plane,master   7d1h   v1.28.6+6216ea1
    master2   Ready	control-plane,master   7d1h   v1.28.6+6216ea1
    master3   Ready	control-plane,master   7d1h   v1.28.6+6216ea1
    worker1   Ready	worker             	7d1h   v1.28.6+6216ea1
    worker2   Ready	worker             	7d1h   v1.28.6+6216ea1
    worker3   Ready	worker
  3. Open a debug pod on one of the nodes shown in the output of the previous step:

    $ oc debug node/worker2

    Example output:

    Temporary namespace openshift-debug-rq2m8 is created for debugging node...
    Starting pod/worker2-debug-5shqt ...
    To use host binaries, run `chroot /host`
    Pod IP: 192.168.50.112
    If you don't see a command prompt, try pressing enter.
    ssh-4.4#
  4. Check the value of fips_enabled in /proc:

    ssh-4.4# cat /proc/sys/crypto/fips_enabled

    Example output. 1 is displayed for enabled, 0 for disabled:

    1
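
The procedure above checks a single node. The following script, added here as an example and not part of the original documentation, repeats steps 2 to 4 for every node in the cluster and exits non-zero if any node does not report fips_enabled=1. It assumes you are already logged in with cluster-admin privileges and that `oc` is on your PATH; the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: report FIPS status for every node in the RHOCP cluster.
# Assumes `oc` is installed and an active cluster-admin login (procedure step 1).

# Interpret the content of /proc/sys/crypto/fips_enabled:
# 1 = enabled, 0 = disabled, anything else (empty output because the
# debug pod failed, for example) is reported as unknown.
fips_state() {
    case "$1" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Read fips_enabled from one node through a debug pod, as in steps 3 and 4.
# -q suppresses the "Starting pod/..." informational messages.
read_node_fips() {
    local node="$1"
    oc debug "node/${node}" -q -- chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null
}

# Read "node value" pairs from stdin, print one line per node and return
# non-zero if any node is not FIPS-enabled. Kept separate from the oc calls
# so it can be exercised offline with constructed input.
summarize_fips() {
    local rc=0 node value state
    while read -r node value; do
        [ -n "$node" ] || continue
        state=$(fips_state "$value")
        printf '%-12s %s\n' "$node" "$state"
        [ "$state" = "enabled" ] || rc=1
    done
    return "$rc"
}

# Collect the values from the live cluster (step 2 lists the nodes).
check_cluster_fips() {
    oc get nodes -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' |
    while read -r node; do
        printf '%s %s\n' "$node" "$(read_node_fips "$node")"
    done | summarize_fips
}
```

Run `check_cluster_fips` after logging in; a node that prints `disabled` or `unknown` should be investigated before placing RHOSO workloads on it.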

For more information about installing Red Hat OpenShift Cluster Platform in FIPS mode, see Support for FIPS cryptography.

© 2024 Red Hat, Inc.