init FIPS documentation #11412
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,178 @@ | ||
| --- | ||
| layout: default | ||
| title: Getting started with OpenSearch FIPS | ||
| nav_order: 70 | ||
| --- | ||
|
|
||
| # Getting started with OpenSearch FIPS | ||
|
|
||
| The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that defines security requirements for cryptographic modules. When running OpenSearch in a FIPS-compliant environment, you need to configure the system to use FIPS-validated cryptographic providers. | ||
|
|
||
| To achieve FIPS compliance, OpenSearch requires: | ||
|
|
||
| - FIPS-validated cryptographic providers for all cryptographic operations (Bouncy Castle FIPS is included with OpenSearch) | ||
| - JVM configured to use these FIPS-validated providers | ||
|
Comment on lines
+13
to
+14
There was a problem hiding this comment. Would this be a good place to point out that the Bouncy Castle libraries are FIPS-certified for specific JDKs, and that may exclude the bundled JDK? Reference https://www.bouncycastle.org/download/bouncy-castle-java-fips/#latest For example: There was a problem hiding this comment. This is very valid information - let's add it. Also I should mention that this version is by no means complete and more specific information should be added in the future. Take the Elasticsearch approach on this for example: https://www.elastic.co/docs/deploy-manage/security/fips-es |
||
| - FIPS-compliant key stores and trust stores in BCFKS or PKCS11 format | ||
| - Strong passwords meeting FIPS minimum requirements (112 bits / approximately 14 characters) | ||
|
|
||
| ## FIPS demo installer | ||
|
|
||
| By default, the JVM uses the `cacerts` trust store (typically in PKCS12 format) for SSL/TLS connections, which contains trusted certificate authority (CA) certificates. However, the standard PKCS12 format is not FIPS-compliant. | ||
|
There was a problem hiding this comment. Can this be rephrased slightly to something like "generally considered to not be FIPS-compliant"? Also add something that would say to "Please refer to the FIPS modes supported by your JDK"? And yes, I am banging the drum again on RHEL 😃 https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html-single/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/index#about-fips There was a problem hiding this comment. RedHat doesn't deliver custom security SPIs for FIPS compliance. Instead, they use standard OpenJDK with some mechanism on top to restrict which security services can be used.
Source: https://downloads.bouncycastle.org/fips-java/docs/BC-FJA-UserGuide-2.0.0.pdf The real discussion should be: in which contexts is strict FIPS compliance actually required, and where is the risk of penetration low enough that Red Hat's approach is sufficient? |
||
|
|
||
| OpenSearch includes a FIPS demo installer CLI tool that simplifies the trust store configuration process. This tool is located in `distribution/tools/fips-demo-installer-cli` and provides an automated way to set up a FIPS-compliant trust store by converting the JVM's default trust store to BCFKS format. | ||
|
There was a problem hiding this comment. Is the path to the CLI correct? That's where its located in source code, but in a distribution wouldn't it be in the You can run There was a problem hiding this comment. you are right, this is misleading. How about this statement:
|
||
|
|
||
| This tool is designed for demo and development purposes. Before deploying to production, carefully review all generated configuration and replace demo settings with production-appropriate values. | ||
| {: .warning} | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| Before running the FIPS demo installer, ensure the following: | ||
|
|
||
| - OpenSearch is installed and the installation directory is accessible. | ||
| - You have write permissions to the OpenSearch configuration directory. | ||
| - The `jvm.options` file exists in the configuration directory. | ||
|
|
||
| ### Available commands | ||
|
|
||
| The FIPS demo installer provides the following commands: | ||
|
|
||
| | Command | Description | | ||
| |---------|-------------| | ||
| | `generated` | Generate a new BCFKS trust store from the JVM default trust store | | ||
| | `system` | Use existing system PKCS11 trust store | | ||
| | `show-providers` | Show available security providers and exit (no configuration changes) | | ||
|
|
||
| ### Configuration options | ||
|
|
||
| The FIPS demo installer supports the following command-line options: | ||
|
|
||
| | Option | Description | | ||
| |--------|-------------| | ||
| | `-f`, `--force` | Force configuration even if FIPS settings already exist in jvm.options | | ||
| | `-n`, `--non-interactive` | Run in non-interactive mode (use defaults, no prompts) | | ||
| | `-p`, `--password` | Password for the BCFKS trust store (overrides auto-generated password in non-interactive mode) | | ||
| | `--pkcs11-provider` | Specify a PKCS11 provider name directly (used with `system` command) | | ||
| | `--help` | Display help information for commands | | ||
|
|
||
| ### Non-interactive mode | ||
|
|
||
| To run the installer in non-interactive mode for automated deployments, use the `-n` or `--non-interactive` flag: | ||
|
|
||
| ``` | ||
| ./bin/opensearch-fips-demo-installer -n | ||
| ``` | ||
| {% include copy.html %} | ||
|
|
||
| The non-interactive mode runs without prompts and automatically performs the following: | ||
|
|
||
| - Defaults to generating a new BCFKS trust store | ||
| - Auto-confirms all prompts | ||
| - Generates a secure 24-character password (or uses one specified with `-p`) | ||
| - Selects the first available PKCS11 provider when using the `system` command | ||
|
|
||
| Non-interactive mode is ideal for automated provisioning scripts and configuration management tools. | ||
| {: .note} | ||
|
|
||
| ### Examples | ||
|
|
||
| Here are some common command variations for the FIPS demo installer: | ||
|
|
||
| On Windows, use `opensearch-fips-demo-installer.bat` instead of the shell script. | ||
| {: .note} | ||
|
|
||
| ```bash | ||
| # Interactive mode (prompts for all choices) | ||
| ./bin/opensearch-fips-demo-installer | ||
|
|
||
| # Non-interactive mode with auto-generated password - overrides existing FIPS configuration | ||
| ./bin/opensearch-fips-demo-installer -n -f | ||
|
|
||
| # Generate BCFKS trust store with custom password | ||
| ./bin/opensearch-fips-demo-installer generated -p "MySecurePassword123!" | ||
|
|
||
| # Use system PKCS11 trust store with specific provider | ||
| ./bin/opensearch-fips-demo-installer system --pkcs11-provider YourPKCS11-Provider | ||
| ``` | ||
| {% include copy.html %} | ||
|
|
||
| ### Configuration output | ||
|
|
||
| After running the FIPS demo installer, the following properties are added to your `jvm.options` file: | ||
|
|
||
| ``` | ||
| ################################################################ | ||
| ## Start OpenSearch FIPS Demo Configuration | ||
| ## WARNING: revise all the lines below before you go into production | ||
| ################################################################ | ||
| -Djavax.net.ssl.trustStore=/path/to/opensearch/config/opensearch-fips-truststore.bcfks | ||
| -Djavax.net.ssl.trustStorePassword=<your-password> | ||
| -Djavax.net.ssl.trustStoreType=BCFKS | ||
| -Djavax.net.ssl.trustStoreProvider=BCFIPS | ||
| ################################################################ | ||
| ``` | ||
|
|
||
| These properties configure the JVM to use the FIPS-compliant trust store for all SSL/TLS connections if no other trust store is defined. | ||
|
|
||
| ## Troubleshooting FIPS | ||
|
|
||
| This section covers common issues when running OpenSearch in FIPS mode. | ||
|
|
||
| ### Trust store type not specified | ||
|
|
||
| ``` | ||
| Trust store type must be specified using the '-Djavax.net.ssl.trustStoreType' JVM option. Accepted values are PKCS11 and BCFKS. | ||
| ``` | ||
|
|
||
| This error indicates that the FIPS trust store configuration is incomplete or missing from `jvm.options`. To resolve this issue: | ||
|
|
||
| - Verify that you have run the FIPS demo installer successfully. | ||
| - Check that `jvm.options` contains the FIPS trust store configuration block. | ||
|
|
||
| ### Trust store file not found | ||
|
|
||
| If you see an error indicating the trust store file cannot be found, verify that: | ||
|
|
||
| - The path in `jvm.options` is correct and absolute. | ||
| - The trust store file exists at the specified location. | ||
| - OpenSearch has read permissions for the trust store file. | ||
|
|
||
| ### Certificate conversion failures | ||
|
|
||
| Some certificates in the JVM default trust store may not be compatible with BCFKS format. The installer will report how many certificates were successfully converted. Review the output to ensure critical certificates were converted successfully. | ||
|
|
||
| ### Keystore password too weak for FIPS mode | ||
|
|
||
| If OpenSearch fails to start with the error: | ||
|
|
||
| ``` | ||
| org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: password must be at least 112 bits | ||
| ``` | ||
|
|
||
| This error occurs when the [OpenSearch keystore]({{site.url}}{{site.baseurl}}/install-and-configure/configuring-opensearch/security-settings/#password-protection) `$OPENSEARCH_HOME/config/opensearch.keystore` has a password that does not meet FIPS requirements. In FIPS mode, Bouncy Castle enforces a minimum password strength of 112 bits, which is approximately 14 characters. | ||
|
|
||
| Because FIPS mode is already active, the `opensearch-keystore passwd` command will not accept the existing weak password. The workaround is to recreate the keystore: | ||
|
|
||
| ```bash | ||
| # List existing secrets for backup (if needed) | ||
| ./bin/opensearch-keystore list | ||
|
|
||
| # Create a new keystore with a FIPS-compliant password (at least 14 characters) | ||
| ./bin/opensearch-keystore create --password | ||
|
|
||
| # Re-add any secrets that were stored in the old keystore (if needed) | ||
| ./bin/opensearch-keystore add <setting-name> | ||
| ``` | ||
| {% include copy.html %} | ||
|
|
||
| Ensure your new password is at least 14 characters long and includes a mix of uppercase, lowercase, numbers, and special characters. For security best practices, consider using a password manager to generate and store complex passwords. | ||
| {: .note} | ||
|
|
||
| ## Next steps | ||
|
|
||
| After configuring FIPS mode for OpenSearch: | ||
|
|
||
| - Review the [Security configuration]({{site.url}}{{site.baseurl}}/security/configuration/index/) guide for additional security settings. | ||
| - Configure [TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/) for node-to-node and client-to-node encryption. | ||
| - Set up [authentication and authorization]({{site.url}}{{site.baseurl}}/security/configuration/configuration/) for your cluster. | ||
| - Review [Best practices for OpenSearch security]({{site.url}}{{site.baseurl}}/security/configuration/best-practices/) for comprehensive security guidance. | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
140-2 or 140-3? The core PR shows the 3rd iteration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider linking to the standard?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a crucial point - thank you for pointing it out.