.. _reference-system-FIPS:

Federal Information Processing Standards (FIPS)
------------------------------------------------

.. index:: system;system ua
.. index:: system;system reboot

.. _19.3.4-PB2|EKB-8494:
.. _21.2|VOSS-883:
.. _21.4-PB3|EKB-17294:

An administrator can check whether the system adheres to Federal
Information Processing Standards (FIPS) and enable FIPS mode on it.

.. note::

   FIPS is not supported in Automate release 25.1.     


.. important::
 
   The use of FIPS on the system requires a subscription to the *Ubuntu Pro*
   service (formerly *Ubuntu Advantage*, UA) from Canonical in order to obtain
   the necessary certified cryptographic modules.

   See https://ubuntu.com/pro/

   A valid Ubuntu Pro subscription is required for *each individual node*, and
   the commands below must be run on *each node*.

   Internet access is required from your system, either directly or via a proxy,
   to the Ubuntu Pro service package URLs.

* All system passwords are stored using FIPS 140-2 compliant
  cryptographic algorithms, whether or not FIPS mode is enabled.
* If FIPS is enabled on a system, all install scripts and
  templates are encrypted and decrypted using FIPS 140-2
  compliant encryption algorithms.

To check the system FIPS status, use **system ua status**.

::

   platform@VOSS:~$ system ua status
   SERVICE       AVAILABLE  DESCRIPTION
   fips          yes        NIST-certified core packages
   fips-updates  yes        NIST-certified core packages with priority security updates
   
   This machine is not attached to a UA subscription.
   See https://ubuntu.com/advantage

The output above shows that the FIPS services are available, but that the node is not yet attached to a subscription.

.. _fips-enablement-steps:

FIPS Enablement Steps
.....................

The step-by-step process to enable FIPS is as follows.
Carry out the commands *on each node*:

1. :ref:`fips-config`
#. :ref:`fips-attach`
#. :ref:`fips-enable`
#. Reboot the node
#. Repeat the above steps for all the nodes in the cluster


.. _fips-config:

Configure the proxy access
...........................

If the node is not allowed to access the internet directly, configure
proxy access so that the FIPS packages can be retrieved.

Display the current proxy configuration:

::

   platform@VOSS:~$ system ua config show
   http_proxy              None
   https_proxy             None
   ua_apt_http_proxy       None
   ua_apt_https_proxy      None
   global_apt_http_proxy   None
   global_apt_https_proxy  None
   metering_timer          11000


Set a proxy:

::

   platform@VOSS:~$ system ua config set http_proxy http://192.168.100.25:3128
   
   http_proxy       http://192.168.100.25:3128
   https_proxy      None
   ua_apt_http_proxy   None
   ua_apt_https_proxy  None
   global_apt_http_proxy   None
   global_apt_https_proxy  None


Unset a proxy:

::

   platform@VOSS:~$ system ua config unset http_proxy
   
   http_proxy       None
   https_proxy      None
   ua_apt_http_proxy   None
   ua_apt_https_proxy  None
   global_apt_http_proxy   None
   global_apt_https_proxy  None


.. _fips-attach:

Attach the node to the FIPS subscription
........................................

Attach a node to the FIPS subscription with the command: **system ua attach**.

::

   platform@VOSS:~$ system ua attach
   You are about to attach this node to a UA account. Do you wish to continue? y
   Please enter the UA account key
   Key:
   This machine is now attached to 'UA Infrastructure - Essential (Virtual)'
   
   SERVICE       ENTITLED  STATUS    DESCRIPTION
   fips          yes       disabled  NIST-certified core packages
   fips-updates  yes       disabled  NIST-certified core packages with priority security updates
   
   NOTICES
   Operation in progress: ua attach
   
   Enable services with: ua enable <service>
   
                   Account: My Account Name
              Subscription: UA Infrastructure - Essential (Virtual)
               Valid until: YYYY-MM-DD 00:00:00+00:00
   Technical support level: essential
   
   platform@VOSS:~$


.. note::

   * The entered value of ``Key:`` is not displayed.
   * The heading now shows as ``ENTITLED  STATUS``.


To detach the Ubuntu Pro subscription from a node, so that the node no longer
receives FIPS package updates, use the **system ua detach** command on the node.


::

   platform@VOSS:~$ system ua detach
   WARNING: Continuing with this command will render this node destroyed
   
   
   
   Do you want to continue? y
   Detach will disable the following service:
       fips
   Updating package lists
   A reboot is required to complete disable operation.
   This machine is now detached.
   
   You have new mail in /var/mail/platform
   platform@VOSS:~$

.. important::

   After a node has been detached from the subscription, critical services
   will no longer work on that node.

   Only use this command when the node is no longer in service.
   If a node is detached by accident, the fail-over recovery process must
   be followed to replace that node. The previous instance must also be
   detached by removing it on the Ubuntu Pro customer page.




.. _fips-enable:

Enable FIPS Service
...................

After the FIPS subscription has been attached to a node,
enable the selected ``<service>`` on the node: either ``fips`` or ``fips-updates``.


.. important::

   After running the **system ua enable <fips|fips-updates>** command,
   a node reboot is required. 

   * The enable process takes approximately 15 minutes per node for ``fips``.
   * The enable process takes approximately 30 minutes per node for ``fips-updates``.

   Only one of ``fips`` or ``fips-updates`` can be enabled. Once enabled, the selection cannot be changed.


The required FIPS-certified package versions are downloaded and installed on the system.



The **STATUS** column shows the service status.

::

   platform@VOSS:~$ system ua status
   SERVICE       ENTITLED  STATUS    DESCRIPTION
   fips          yes       enabled   NIST-certified core packages
   fips-updates  yes       disabled  NIST-certified core packages with priority security updates
   
   NOTICES
   FIPS support requires system reboot to complete configuration.
   
   Enable services with: ua enable <service>
   
                   Account: My Account Name
              Subscription: UA Infrastructure - Essential (Virtual)
               Valid until: YYYY-MM-DD 00:00:00+00:00
   Technical support level: essential
   
   platform@VOSS:~$
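To make the per-node check repeatable, the following POSIX shell script (an added
example, not part of the VOSS documentation or product) parses captured
``system ua status`` output, in the layouts shown here and in the status check
earlier on this page, into a single state string, and then checks that every node
in the cluster reports the same enabled service with no reboot outstanding, which
is the invariant the enablement steps above require. The sample outputs embedded
in the script are constructed from this page's own listings; the
``fips_kernel_flag`` helper assumes the node's shell can read the Linux
``/proc/sys/crypto/fips_enabled`` sysctl, which the restricted platform shell may
not expose.

```shell
#!/bin/sh
# Added example (not VOSS product code): classify `system ua status` output
# and check that a whole cluster is in the same FIPS state.
# Assumption: the column layout matches the listings on this page
# (SERVICE / ENTITLED / STATUS once attached, SERVICE / AVAILABLE before).

# fips_state "<captured output of: system ua status>"
# Prints one of:
#   not-attached           no Ubuntu Pro subscription attached to the node
#   attached-disabled      attached, neither fips nor fips-updates enabled
#   reboot-pending:<svc>   <svc> enabled, but `system reboot` not yet done
#   enabled:<svc>          <svc> enabled and no reboot notice outstanding
#   invalid                both services enabled (the product allows only one)
fips_state() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'not attached to a UA subscription'; then
        echo not-attached
        return 0
    fi
    # Match the exact service name in column 1 and its STATUS in column 3,
    # so "fips" does not also match "fips-updates".
    f=$(printf '%s\n' "$out" | awk '$1 == "fips" && $3 == "enabled" {print $1}')
    u=$(printf '%s\n' "$out" | awk '$1 == "fips-updates" && $3 == "enabled" {print $1}')
    if [ -n "$f" ] && [ -n "$u" ]; then
        echo invalid
        return 1
    fi
    svc="${f:-$u}"
    if [ -z "$svc" ]; then
        echo attached-disabled
        return 0
    fi
    if printf '%s\n' "$out" | grep -qi 'requires system reboot'; then
        echo "reboot-pending:$svc"
    else
        echo "enabled:$svc"
    fi
}

# cluster_ready <state>... : succeed only if every node reports enabled:<svc>
# with the same <svc>, i.e. no node still needs a reboot and no node was
# given the other service by mistake.
cluster_ready() {
    want=""
    for st in "$@"; do
        case "$st" in
            enabled:*) svc="${st#enabled:}" ;;
            *) return 1 ;;
        esac
        if [ -z "$want" ]; then
            want="$svc"
        elif [ "$want" != "$svc" ]; then
            return 1
        fi
    done
    [ -n "$want" ]
}

# After the reboot, confirm the kernel itself booted in FIPS mode.
# Assumption: the node's shell can read this Linux sysctl; prints "unknown"
# when it cannot.
fips_kernel_flag() {
    p=/proc/sys/crypto/fips_enabled
    if [ -r "$p" ]; then cat "$p"; else echo unknown; fi
}

# Constructed samples, taken from the listings on this page.
SAMPLE_UNATTACHED='SERVICE       AVAILABLE  DESCRIPTION
fips          yes        NIST-certified core packages
fips-updates  yes        NIST-certified core packages with priority security updates

This machine is not attached to a UA subscription.
See https://ubuntu.com/advantage'

SAMPLE_DISABLED='SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates'

SAMPLE_PENDING='SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates

NOTICES
FIPS support requires system reboot to complete configuration.'

SAMPLE_DONE='SERVICE       ENTITLED  STATUS    DESCRIPTION
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates'

for s in "$SAMPLE_UNATTACHED" "$SAMPLE_DISABLED" "$SAMPLE_PENDING" "$SAMPLE_DONE"; do
    fips_state "$s"
done
cluster_ready "$(fips_state "$SAMPLE_DONE")" "$(fips_state "$SAMPLE_DONE")" \
    && echo "cluster ready" || echo "cluster NOT ready"
```

In practice you would capture ``system ua status`` on each node, feed each capture
to ``fips_state``, and only proceed with the upgrade or go-live once
``cluster_ready`` succeeds for all of them; a ``reboot-pending`` result on any node
means the reboot step above was skipped on that node.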


.. _fips-upgrade-to-ua:

Upgrading from Release 19.3.x with FIPS enabled
......................................................

If FIPS was enabled on your system (release 19.3.x) *prior* to the upgrade, note the following:


* Obtain and run ``EKB-11024-19.3.4_patch.script``. 

  1. On the Customer Portal, go to **Downloads > VOSS Automate > 19.3.4 > Patches > EKB-11024-19.3.4_patch**.
  2. Download ``EKB-11024-19.3.4_patch.script`` and follow installation instructions in ``MOP-EKB-11024-19.3.4_patch.pdf``.
* After the system upgrade, any existing FIPS setup is removed and FIPS must be re-enabled.
  The **system fips** commands are no longer available; they are replaced by the **system ua** commands.
  
* After system upgrade and before re-enabling FIPS, the **voss upgrade_db** command cannot be used.
  A message shows:

  ::

    This system was FIPS enabled previously. To proceed, please enable the Ubuntu Pro 
    program first before proceeding with the rest of the upgrade
    To do this, run 'system ua attach' and 'system ua enable <fips|fips-upgrade>'

* Prior to FIPS re-enablement on an upgraded system, obtain the ``UA account key`` values for the nodes.
  These will be used when running **system ua attach**. 
  
  System logs do not show entered key values - these are displayed as ``XXXXXXX``.
* During upgrade from release 19.3.x, after the **cluster upgrade**
  and **cluster check** steps,
  run the :ref:`fips-enablement-steps`.
  Also refer to the Upgrade Guide for general upgrade steps. 
