FIPS mode
Last updated
Last updated
According to Wikipedia
Federal Information Processing Standards (FIPS) are publicly announced standards developed by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors. FIPS standards are issued to establish requirements for various purposes such as ensuring computer security and interoperability and are intended for cases in which suitable industry standards do not already exist.
In short it is a thoroughly tested and verified set of standards which could be used to implement high level of security. In terms of software we are usually speaking specifically about FIPS 140-2.
ReadonlyREST uses OpenSource BouncyCastle library to provide FIPS 140-2 compliant algorithms.
At the moment, ReadonlyREST can be configured as FIPS compliant only from the "data in transit" standpoint. That is, the SSL encryption of the HTTP and transport interfaces. Other aspects remain to be covered:
Making all cryptographic algorithms FIPS compliant.
Enforcing more strict security policies across whole ROR plugin in FIPS mode.
Prepare keystore and truststore in BCFKS format which is FIPS compliant. Your existing JKS or PKCS12 keystore could be easily converted to BCFKS. Process is described in this section.
BCFKS format is supported only when FIPS mode is enabled. It won't be recognised otherwise.
When using FIPS mode using different password for specific keystore elements is not supported and
key_pass
configuration field is ignored.
Configure readonlyrest.yml to use new keystore and truststore. You will also need to add new configuration parameter fips_mode
. Here's an example:
In case you are using ES >= 7.10 you need to modify $JAVA_HOME/conf/security/java.policy
file and add this section at the end of it. This is required because otherwise Elasticsearch will not be able grant to our plugin all these permissions at the JVM level.
Download the jar with bc-fips library and place it preferably in the same directory where you store keystore files to convert.
Open your terminal and go to directory with the keystore to convert
Use keytool with following parameters to perform the conversion:
where:
SOURCE_KEYSTORE_FILENAME - filename of the keystore(or truststore) that you want to convert.
DEST_KEYSTORE_FILENAME - name of the output file.
SOURCE_KEYSTORE_TYPE - type of keystore to convert. Must be JKS or PKCS12.
DEST_KEYSTORE_TYPE - type of output keystore. Must be BCFKS.
SOURCE_KEYSTORE_PASSWORD - password protecting keystore to convert.
DEST_KEYSTORE_PASSWORD - password protecting output file. If you saved the bc-fips jar in a different path, remember to run it using the appropriate path instead of ./bc-fips-1.0.2.1.jar