init FIPS documentation #11412
init FIPS documentation #11412
Conversation
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
beanuwave
requested review from
AMoo-Miki,
dlvenable,
epugh,
kolchfa-aws,
natebower and
sumobrian
as code owners
|
Thank you for submitting your PR. The PR states are In progress (or Draft) -> Tech review -> Doc review -> Editorial review -> Merged. Before you submit your PR for doc review, make sure the content is technically accurate. If you need help finding a tech reviewer, tag a maintainer. When you're ready for doc review, tag the assignee of this PR. The doc reviewer may push edits to the PR directly or leave comments and editorial suggestions for you to address (let us know in a comment if you have a preference). The doc reviewer will arrange for an editorial review. |
kolchfa-aws
added
Tech review
|
Thanks, @beanuwave! Could you fix DCO? Maintainers: merging this PR is contingent upon these 2 PRs: opensearch-project/OpenSearch#18921 |
|
@cwperks Could you review this PR? |
|
|
||
| # Getting started with OpenSearch FIPS | ||
|
|
||
| The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines security requirements for cryptographic modules. When running OpenSearch in a FIPS-compliant environment, you need to configure the system to use FIPS-validated cryptographic providers. |
There was a problem hiding this comment.
140-2 or 140-3? The core PR shows the 3rd iteration.
There was a problem hiding this comment.
Consider linking to the standard?
|
|
||
| By default, the JVM uses the `cacerts` trust store (typically in PKCS12 format) for SSL/TLS connections, which contains trusted certificate authority (CA) certificates. However, the standard PKCS12 format is not FIPS-compliant. | ||
|
|
||
| OpenSearch includes a FIPS demo installer CLI tool that simplifies the trust store configuration process. This tool is located in `distribution/tools/fips-demo-installer-cli` and provides an automated way to set up a FIPS-compliant trust store by converting the JVM's default trust store to BCFKS format. |
There was a problem hiding this comment.
Is the path to the CLI correct? That's where its located in source code, but in a distribution wouldn't it be in the bin/ folder?
You can run ./gradlew localDistro to create a local distro of the core to confirm.
4 participants
Description
General FIPS requirements section + technical documentation for FIPS CLI demo installer.
Issues Resolved
Resolves RFC
Version
List the OpenSearch version to which this PR applies, e.g. 2.14, 2.12--2.14, or all.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.