Federal Information Processing Standards (FIPS)

An administrator can check and enable the system for adherence to Federal Information Processing Standards (FIPS).

Important

The use of FIPS on the system requires a subscription to the Ubuntu Advantage service package from Canonical in order to obtain the necessary cryptographic modules.

A valid subscription to the Ubuntu UA service is required for each individual node. Commands also need to be run on each node.

Internet access will be required from your system - either directly, or via a proxy - to the necessary Ubuntu Advantage service package URLs.

  • All system passwords are stored using FIPS 140-2 complaint encryption algorithms, when FIPS mode is enabled or not.

  • If FIPS is enabled on a system, all install scripts and templates are encrypted and decrypted using FIPS 140-2 complaint encryption algorithms.

To check the system FIPS status, use system ua.

platform@VOSS:~$ system ua status
SERVICE       AVAILABLE  DESCRIPTION
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage

The output above shows that services are available, but are not attached to the current node.

FIPS Enablement Steps

The step by step process to enable FIPS is as follows. Carry out the commands on each node:

  1. Configure the proxy access

  2. Attach the node to the FIPS subscription

  3. Enable FIPS Service

  4. Reboot the node

  5. Repeat the above steps for all the nodes in the cluster

Configure the proxy access

Configure the proxy access if required, if the node is not set up to allowed to access the internet directly - for FIPS package retrieval.

Display the current proxy configuration:

platform@VOSS:~$ system ua config show
http_proxy       None
https_proxy      None
apt_http_proxy   None
apt_https_proxy  None

Set a proxy:

platform@VOSS:~$ system ua config set http_proxy http://192.168.100.25:3128

http_proxy       http://192.168.100.25:3128
https_proxy      None
apt_http_proxy   None
apt_https_proxy  None

Unset a proxy:

platform@VOSS:~$ system ua config unset http_proxy

http_proxy       None
https_proxy      None
apt_http_proxy   None
apt_https_proxy  None

Attach the node to the FIPS subscription

Attach a node to the FIPS subscription with the command: system ua attach.

platform@VOSS:~$ system ua attach
You are about to attach this node to a UA account. Do you wish to continue? y
Please enter the UA account key
Key:
This machine is now attached to 'UA Infrastructure - Essential (Virtual)'

SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates

NOTICES
Operation in progress: ua attach

Enable services with: ua enable <service>

                Account: My Account Name
           Subscription: UA Infrastructure - Essential (Virtual)
            Valid until: YYYY-MM-DD 00:00:00+00:00
Technical support level: essential

platform@VOSS:~$

Note

  • The entered value of Key: is not displayed.

  • The heading now shows as ENTITLED  STATUS.

To detach the UA subscription from a node, thus rendering the node disconnected from further updates, use the system ua detach command on the node.

platform@VOSS:~$ system ua detach
WARNING: Continuing with this command will render this node destroyed



Do you want to continue? y
Detach will disable the following service:
    fips
Updating package lists
A reboot is required to complete disable operation.
This machine is now detached.

You have new mail in /var/mail/platform
platform@VOSS:~$

Important

After a node has been detached from the subscription, critical services will no longer be working on that node.

This command should only be used when the node is no longer in service. Should the node be removed by accident, the fail-over recovery process must be followed to replace that node. The previous instance will have to be detached by removing it on the Ubuntu Advantage customer page.

Enable FIPS Service

After the FIPS subscription has been attached to a node, enable the selected <service> on the node: either fips or fips-updates.

Important

After running the system ua enable <fips|fips-updates> command, a node reboot is required.

  • The enable process will take approximately 15 minutes for enabling fips per node.

  • The enable process will take approximately 30 minutes for enabling fips-updates per node.

Only one of fips or fips-updates can be enabled. Once enabled, the selection cannot be changed.

The required security and versions of packages for FIPS are obtained and installed on the system.

The STATUS column shows the service status.

platform@VOSS:~$ system ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates

NOTICES
FIPS support requires system reboot to complete configuration.

Enable services with: ua enable <service>

                Account: My Account Name
           Subscription: UA Infrastructure - Essential (Virtual)
            Valid until: YYYY-MM-DD 00:00:00+00:00
Technical support level: essential

platform@VOSS:~$

Upgrading from Release 19.3.x with FIPS enabled

If FIPS was enabled a your system (release 19.3.x) prior to upgrade, note the following:

  • Obtain and run EKB-11024-19.3.4_patch.script.

    1. On the Customer Portal, go to Downloads > VOSS Automate > 19.3.4 > Patches > EKB-11024-19.3.4_patch.

    2. Download EKB-11024-19.3.4_patch.script and follow installation instructions in MOP-EKB-11024-19.3.4_patch.pdf.

  • After system upgrade, any existing FIPS setup is removed and FIPS needs to be re-enabled. No system fips commands are available - FIPS commands are replaced with system ua commands.

  • After system upgrade and before re-enabling FIPS, the voss upgrade_db command cannot be used. A message shows:

    This system was FIPS enabled previously. To proceed, please enable the Ubuntu Advantage
    program first before proceeding with the rest of the upgrade
    To do this, run 'system ua attach' and 'system ua enable <fips|fips-upgrade>'
    
  • Prior to FIPS re-enablement on an upgraded system, obtain the UA account key values for the nodes. These will be used when running system ua attach.

    System logs do not show entered key values - these are displayed as XXXXXXX.

  • During upgrade from release 19.3.x, after the cluster upgrade, cluster check, and security update (if needed) steps, run the FIPS Enablement Steps. Also refer to the Upgrade Guide for general upgrade steps.