Description
We should try to clarify Elasticsearch's FIPS 140-2 compliance to point out the supported (tested) vs certified versions of Bouncy Castle. The Elasticsearch guideline is to use Bouncy Castle to achieve FIPS compliance. Elasticsearch tests with the latest 1.x BC FIPS library and thus only supports FIPS 140-2.
Our documentation points out that FIPS 140-2 mode requires JDK 17 (Elasticsearch 8.13+) and the Bouncy Castle BCJSSE FIPS security provider, but JDK 17 is not supported on 9.x versions. That means that ES 9.x versions are not FIPS 140-2 compliant but are tested to work with bc-fips libraries. We should try to clarify that in our 9.x docs. The distinction here is what is supported and what is certified. We test with 1.x bc-fips versions and JDK 21, but that combination is not certified. The latest 140-2 bc-fips certified version is 1.0.2.4 with JDK 17.
It is the responsibility of the user to install and configure the certified security provider to ensure compliance with FIPS 140-2.
Recently, we upgraded bc-fips to 1.0.2.6, so the docs should be updated to point that out as well.
Resources
https://www.elastic.co/docs/deploy-manage/security/fips-es
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
no
What release is this request related to?
9.2
Serverless release
no
Collaboration model
The documentation team
Point of contact
Main contact: @slobodanadamovic
Stakeholders: @bytebilly @cyrilblanchet-elastic @tvernum