init FIPS documentation #11412
init FIPS documentation #11412
Conversation
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
beanuwave
requested review from
AMoo-Miki,
dlvenable,
epugh,
kolchfa-aws,
natebower and
sumobrian
as code owners
|
Thank you for submitting your PR. The PR states are In progress (or Draft) -> Tech review -> Doc review -> Editorial review -> Merged. Before you submit your PR for doc review, make sure the content is technically accurate. If you need help finding a tech reviewer, tag a maintainer. When you're ready for doc review, tag the assignee of this PR. The doc reviewer may push edits to the PR directly or leave comments and editorial suggestions for you to address (let us know in a comment if you have a preference). The doc reviewer will arrange for an editorial review. |
kolchfa-aws
added
Tech review
|
Thanks, @beanuwave! Could you fix DCO? Maintainers: merging this PR is contingent upon these 2 PRs: opensearch-project/OpenSearch#18921 |
|
@cwperks Could you review this PR? |
|
|
||
| # Getting started with OpenSearch FIPS | ||
|
|
||
| The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines security requirements for cryptographic modules. When running OpenSearch in a FIPS-compliant environment, you need to configure the system to use FIPS-validated cryptographic providers. |
There was a problem hiding this comment.
140-2 or 140-3? The core PR shows the 3rd iteration.
There was a problem hiding this comment.
Consider linking to the standard?
There was a problem hiding this comment.
this is a crucial point - thank you for pointing it out.
|
|
||
| By default, the JVM uses the `cacerts` trust store (typically in PKCS12 format) for SSL/TLS connections, which contains trusted certificate authority (CA) certificates. However, the standard PKCS12 format is not FIPS-compliant. | ||
|
|
||
| OpenSearch includes a FIPS demo installer CLI tool that simplifies the trust store configuration process. This tool is located in `distribution/tools/fips-demo-installer-cli` and provides an automated way to set up a FIPS-compliant trust store by converting the JVM's default trust store to BCFKS format. |
There was a problem hiding this comment.
Is the path to the CLI correct? That's where its located in source code, but in a distribution wouldn't it be in the bin/ folder?
You can run ./gradlew localDistro to create a local distro of the core to confirm.
There was a problem hiding this comment.
you are right, this is misleading. How about this statement:
OpenSearch includes a FIPS demo installer CLI tool that simplifies the trust store configuration process. The tool provides an automated way to set up a FIPS-compliant trust store by converting the JVM's default trust store to BCFKS format. The project source is available in
distribution/tools/fips-demo-installer-cli.
| - FIPS-validated cryptographic providers for all cryptographic operations (Bouncy Castle FIPS is included with OpenSearch) | ||
| - JVM configured to use these FIPS-validated providers |
There was a problem hiding this comment.
Would this be a good place to point out that the Bouncy Castle libraries are FIPS-certified for specific JDKs, and that may exclude the bundled JDK? Reference https://www.bouncycastle.org/download/bouncy-castle-java-fips/#latest
For example:
There was a problem hiding this comment.
This is very valid information - let's add it. Also I should mention that this version is by no means complete and more specific information should be added in the future. Take the Elasticsearch approach on this for example: https://www.elastic.co/docs/deploy-manage/security/fips-es
|
|
||
| ## FIPS demo installer | ||
|
|
||
| By default, the JVM uses the `cacerts` trust store (typically in PKCS12 format) for SSL/TLS connections, which contains trusted certificate authority (CA) certificates. However, the standard PKCS12 format is not FIPS-compliant. |
There was a problem hiding this comment.
Can this be rephrased slightly to something like "generally considered to not be FIPS-compliant"? Also add something that would say to "Please refer to the FIPS modes supported by your JDK"? And yes, I am banging the drum again on RHEL 😃 https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html-single/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/index#about-fips
There was a problem hiding this comment.
RedHat doesn't deliver custom security SPIs for FIPS compliance. Instead, they use standard OpenJDK with some mechanism on top to restrict which security services can be used.
The actual FIPS-certified SPI we use is Bouncy Castle, and it's more strict. For example, BC FIPS states:
The PKCS12 key store is not available in approved-mode of operation due to the algorithms required for PBE key generation in the PKCS#12 standard.
Source: https://downloads.bouncycastle.org/fips-java/docs/BC-FJA-UserGuide-2.0.0.pdf
The real discussion should be: in which contexts is strict FIPS compliance actually required, and where is the risk of penetration low enough that Red Hat's approach is sufficient?
|
@beanuwave I have moved the getting started with security page into the security section. Please move this page to the same section. Thanks! |
5 participants
Description
General FIPS requirements section + technical documentation for FIPS CLI demo installer.
Issues Resolved
Resolves RFC
Version
List the OpenSearch version to which this PR applies, e.g. 2.14, 2.12--2.14, or all.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.