Federal Information Processing Standards (FIPS)#
An administrator can check and enable the system for adherence to Federal Information Processing Standards (FIPS).
Important
The use of FIPS on the system requires a subscription to the Ubuntu Pro service package from Canonical in order to obtain the necessary cryptographic modules.
A valid subscription to the Ubuntu UA service is required for each individual node. Commands also need to be run on each node.
Internet access will be required from your system - either directly, or via a proxy - to the necessary Ubuntu Pro service package URLs.
All system passwords are stored using FIPS 140-2 compliant encryption algorithms, whether FIPS mode is enabled or not.
If FIPS is enabled on a system, all install scripts and templates are encrypted and decrypted using FIPS 140-2 compliant encryption algorithms.
To check the system FIPS status, use system ua status.
platform@VOSS:~$ system ua status
SERVICE AVAILABLE DESCRIPTION
fips yes NIST-certified core packages
fips-updates yes NIST-certified core packages with priority security updates
This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage
The output above shows that the services are available, but the current node is not attached to a subscription.
FIPS Enablement Steps#
The step by step process to enable FIPS is as follows. Carry out the commands on each node:
1. Configure the proxy access (if required).
2. Attach the node to the FIPS subscription.
3. Enable the FIPS service (fips or fips-updates).
4. Reboot the node.
5. Repeat the above steps for all the nodes in the cluster.
Configure the proxy access#
If the node is not set up to access the internet directly, configure proxy access so that the FIPS packages can be retrieved.
Display the current proxy configuration:
platform@VOSS:~$ system ua config show
http_proxy None
https_proxy None
ua_apt_http_proxy None
ua_apt_https_proxy None
global_apt_http_proxy None
global_apt_https_proxy None
metering_timer 11000
Set a proxy:
platform@VOSS:~$ system ua config set http_proxy http://192.168.100.25:3128
http_proxy http://192.168.100.25:3128
https_proxy None
ua_apt_http_proxy None
ua_apt_https_proxy None
global_apt_http_proxy None
global_apt_https_proxy None
Unset a proxy:
platform@VOSS:~$ system ua config unset http_proxy
http_proxy None
https_proxy None
ua_apt_http_proxy None
ua_apt_https_proxy None
global_apt_http_proxy None
global_apt_https_proxy None
Attach the node to the FIPS subscription#
Attach a node to the FIPS subscription with the command: system ua attach.
platform@VOSS:~$ system ua attach
You are about to attach this node to a UA account. Do you wish to continue? y
Please enter the UA account key
Key:
This machine is now attached to 'UA Infrastructure - Essential (Virtual)'
SERVICE ENTITLED STATUS DESCRIPTION
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
NOTICES
Operation in progress: ua attach
Enable services with: ua enable <service>
Account: My Account Name
Subscription: UA Infrastructure - Essential (Virtual)
Valid until: YYYY-MM-DD 00:00:00+00:00
Technical support level: essential
platform@VOSS:~$
Note
The entered value of Key: is not displayed. The table heading now shows ENTITLED STATUS (instead of AVAILABLE).
To detach the UA subscription from a node, thus rendering the node disconnected from further updates, use the system ua detach command on the node.
platform@VOSS:~$ system ua detach
WARNING: Continuing with this command will render this node destroyed
Do you want to continue? y
Detach will disable the following service:
fips
Updating package lists
A reboot is required to complete disable operation.
This machine is now detached.
You have new mail in /var/mail/platform
platform@VOSS:~$
Important
After a node has been detached from the subscription, critical services will no longer be working on that node.
This command should only be used when the node is no longer in service. Should the node be removed by accident, the fail-over recovery process must be followed to replace that node. The previous instance will have to be detached by removing it on the Ubuntu Pro customer page.
Enable FIPS Service#
After the FIPS subscription has been attached to a node, enable the selected <service> on the node: either fips or fips-updates.
Important
After running the system ua enable <fips|fips-updates> command, a node reboot is required.
The enable process will take approximately 15 minutes for enabling fips per node. The enable process will take approximately 30 minutes for enabling fips-updates per node.
Only one of fips or fips-updates can be enabled. Once enabled, the selection cannot be changed.
The required security and versions of packages for FIPS are obtained and installed on the system.
The STATUS column shows the service status.
platform@VOSS:~$ system ua status
SERVICE ENTITLED STATUS DESCRIPTION
fips yes enabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
NOTICES
FIPS support requires system reboot to complete configuration.
Enable services with: ua enable <service>
Account: My Account Name
Subscription: UA Infrastructure - Essential (Virtual)
Valid until: YYYY-MM-DD 00:00:00+00:00
Technical support level: essential
platform@VOSS:~$
Upgrading from Release 19.3.x with FIPS enabled#
If FIPS was enabled on your system (release 19.3.x) prior to upgrade, note the following:
Obtain and run EKB-11024-19.3.4_patch.script. On the Customer Portal, go to Downloads > VOSS Automate > 19.3.4 > Patches > EKB-11024-19.3.4_patch. Download EKB-11024-19.3.4_patch.script and follow the installation instructions in MOP-EKB-11024-19.3.4_patch.pdf.
After system upgrade, any existing FIPS setup is removed and FIPS needs to be re-enabled. No system fips commands are available - FIPS commands are replaced with system ua commands.
After system upgrade and before re-enabling FIPS, the voss upgrade_db command cannot be used. A message shows:
This system was FIPS enabled previously. To proceed, please enable the Ubuntu Pro program first before proceeding with the rest of the upgrade To do this, run 'system ua attach' and 'system ua enable <fips|fips-upgrade>'
Prior to FIPS re-enablement on an upgraded system, obtain the UA account key values for the nodes. These will be used when running system ua attach. System logs do not show entered key values - these are displayed as XXXXXXX.
During upgrade from release 19.3.x, after the cluster upgrade, cluster check, and security update (if needed) steps, run the FIPS Enablement Steps. Also refer to the Upgrade Guide for general upgrade steps.
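A check script, added here as an example and not part of the VOSS documentation, that classifies a node from the system ua status output formats shown above (the unattached listing, the ENTITLED STATUS table, and the reboot notice), so that an upgrade procedure can confirm fips or fips-updates is enabled and no reboot is pending before continuing with voss upgrade_db. The fips_state and fips_ready names are my own, and the sample outputs are constructed from the output quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the VOSS documentation: classify a node from the
# text that `system ua status` prints (the formats quoted on this page), so a
# script can confirm the FIPS state before continuing with an upgrade.
# Live use (assumed):  system ua status | fips_state

# Prints one of: unattached, disabled, reboot-required:<svc>, enabled:<svc>
fips_state() {
  awk '
    /not attached to a UA subscription/     { unattached = 1 }
    /^fips(-updates)? +yes +enabled/        { svc = $1 }
    /FIPS support requires system reboot/   { reboot = 1 }
    END {
      if (unattached) { print "unattached"; exit }
      if (svc == "")  { print "disabled"; exit }
      if (reboot)     { print "reboot-required:" svc; exit }
      print "enabled:" svc
    }'
}

# Returns 0 only when fips or fips-updates is enabled and no reboot is pending;
# use this as the gate before running voss upgrade_db on a re-attached node.
fips_ready() {
  case "$(fips_state)" in
    enabled:*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Constructed samples reproducing the status output shown on this page.
sample_unattached() {
cat <<'EOF'
SERVICE AVAILABLE DESCRIPTION
fips yes NIST-certified core packages
fips-updates yes NIST-certified core packages with priority security updates
This machine is not attached to a UA subscription.
EOF
}
sample_pending_reboot() {
cat <<'EOF'
SERVICE ENTITLED STATUS DESCRIPTION
fips yes enabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
NOTICES
FIPS support requires system reboot to complete configuration.
EOF
}

sample_pending_reboot | fips_state   # prints reboot-required:fips
```

On a live node, replace the sample functions with the real command, for example system ua status | fips_state, and wire fips_ready into the pre-upgrade checks.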