Bug 1170174

Summary: [RFE] Satellite 6 product FIPS mode Compliance
Product: Red Hat Satellite
Reporter: Jim Lyle <jlyle>
Component: Security
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Peter Ondrejka <pondrejk>
Severity: high
Docs Contact:
Priority: urgent
Version: 6.3.2
CC: afarley, agilmore, ajambhul, akaiser, apraythe, asanders, bchampion, bhoefer, bkearney, bmbouter, bmidwood, brcoca, brian.vianzon, casmith, cdonnell, chenders, creynold, daviddavis, degts, dkliban, dmitri, dojones, dsinglet, dsirrine, dsynk, ehelms, ggainey, gpayelka, ipanova, janarula, jbhatia, jduncan, jforeman, jlyle, kdixon, ktordeur, kupadhya, mellisa.brown.ctr, mfw113, mihood, mkalyat, mmccune, msuzadai, mvanderw, mverma, mzazrivec, nshaik, omoris, patalber, pmutha, ptrivedi, rajgupta, rbertolj, rchan, rjerrido, rnelson, sadas, satellite6-bugs, satqe-list, smercurio, sullivan.scott.ctr, swells, tbrisker, tbrunell, ttereshc, unwosu, vgunasek, wnix
Target Milestone: 6.5.0
Keywords: FutureFeature, Security
Target Release: Unused
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Release Note
Doc Text:
The puppet version we are supplying does include its own openssl library, so it is possible that MD5 is used in the puppet agent. Second Note: To provision a FIPS machine, the user will need to follow these steps: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/provisioning_guide/provision_fips_hosts
Story Points: ---
Clone Of: 843620
Environment:
Last Closed: 2019-05-14 12:36:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1552159, 1678322
Bug Blocks:

Comment 9 Shawn Wells 2017-01-27 22:55:43 UTC
Is there a reason this bug is marked private? I would like to make public - a few customers would like to track this issue.

Comment 15 Rich Jerrido 2017-07-25 20:42:39 UTC
    This comment serves as a sanitized version of Comment #0 (so that the BZ can be made public)


    - Proposed title of this feature request
    Satellite Product FIPS mode Compliance 

    - What is the nature and description of the request?
    Satellite product is not FIPS compliant, customers utilising FIPS environment cannot install and run satellite without disabling FIPS mode.

    -  Why does the customer need this? (List the business requirements here)
    Customer maintains FIPS compliance in their environment.

    -  How would the customer like to achieve this? (List the functional
    requirements here)
    Install Satellite Product with FIPS mode enabled.
    Operate Satellite Product with FIPS mode enabled

    -  For each functional requirement listed in question 5, specify how Red Hat
    and the customer can test to confirm the requirement is successfully
    implemented.
    Satellite Installs properly in FIPS mode
    Satellite operates properly in FIPS mode


    - Is there already an existing RFE upstream or in Red Hat bugzilla?
    No

    - Does the customer have any specific timeline dependencies?
    ASAP

    - List any affected packages or components.
    RH Satellite

    - Would the customer be able to assist in testing this functionality if
    implemented?
    Yes

Comment 24 Dmitri Dolguikh 2017-11-16 18:42:10 UTC
Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.

Comment 26 pulp-infra@redhat.com 2018-06-28 22:03:48 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 27 pulp-infra@redhat.com 2018-06-28 22:04:03 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 28 pulp-infra@redhat.com 2018-10-09 17:02:09 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 38 Peter Ondrejka 2019-04-18 12:30:12 UTC
Verified on Satellite 6.5 snap 24. Satellite and Capsule are successfully installed on FIPS-enabled machines, and operate as expected (as per automation)

Comment 40 errata-xmlrpc 2019-05-14 12:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

Comment 41 Shawn Wells 2019-05-14 15:23:54 UTC
I don't believe this bug should be closed yet.

While Satellite can now operate on a FIPS-enabled RHEL host, has all usage of cryptography been evaluated? Does Satellite only use FIPS-validated crypto libraries, ideally those provided by RHEL (e.g. OpenSSL, or python-cryptography)?

If so, would the Satellite product management team be willing to attest this on formal Red Hat letterhead? This would allow field teams to provide customers with a FIPS attestation letter -- essentially stating that Red Hat Satellite uses FIPS crypto, inherited through other libraries provided by RHEL, and does not need FIPS validation itself.