Bug 1850895

Summary: [Doc RFE] Document FIPS support in OCS 4.5
Product: [Red Hat Storage] Red Hat OpenShift Container Storage
Reporter: Anjana Suparna Sriram <asriram>
Component: documentation
Assignee: Olive Lakra <olakra>
Status: CLOSED CURRENTRELEASE
QA Contact: Filip Balák <fbalak>
Severity: high
Priority: high
Version: 4.5
CC: bkunal, ebenahar, edonnell, etamir, lmauda, ocs-bugs, olakra, ssorce
Target Milestone: ---
Keywords: FutureFeature
Target Release: OCS 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
.FIPS-140-2
Red Hat OpenShift Container Storage is now using FIPS validated cryptographic modules as delivered by Red Hat Enterprise Linux OS/CoreOS. OpenShift Container Storage is aligned with OpenShift Container Platform as described in its documentation, link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html-single/installing/index#installing-fips[support for FIPS cryptography].

The cryptography modules are currently being processed by Cryptographic Module Validation Program (CMVP) and their state can be seen at link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Modules-In-Process/Modules-In-Process-List[Modules in Process List]. For more up-to-date information, see this link:https://access.redhat.com/solutions/307523[knowledge base article].

NOTE: OpenShift Container Platform cluster must use Red Hat Enterprise Linux CoreOS (RHCOS). OpenShift Container Platform deployment on RHEL 7 is not supported for this feature. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html-single/installing/index#installing-fips-mode_installing-fips[installing a cluster in FIPS mode].
Story Points: ---
Last Closed: 2020-09-20 15:25:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1826399, 1859307

Comment 9 Simo Sorce 2020-06-28 21:46:39 UTC
Sorry, but that language is unacceptable.

The only software that gets validated by NIST are crypto modules.

Please change the phrasing to "uses FIPS validated crypto modules" and probably you want to specify something about the environment "when running on RHEL such and such" ...

Comment 22 Eran Tamir 2020-07-07 16:37:42 UTC
Looks good to me. Thank you Olive, Simo and Bipin.

Comment 23 Filip Balák 2020-07-30 15:04:15 UTC
Thanks to the joint effort of Bipin, Eran, Olive and Simo, the documentation looks good. I have just one concern:

@Olive, @Simo
In the sentence `The cryptography modules used are currently in "Modules Under Test" state in the certification process.` there is a link from `certification process` to the page https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Modules-In-Process/Modules-In-Process-List.
On the page there is no column "Modules Under Test", but most of the Red Hat modules are in the column "Review Pending". Only the Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module is in the state "In Review". Shouldn't the sentence be edited accordingly?

Comment 24 Simo Sorce 2020-07-30 16:17:05 UTC
The status of the modules will change over time and they will eventually disappear from that list entirely as we attain certifications. We should probably avoid mentioning a specific state I guess, and just say something like "the modules are currently being processed by CMVP and their state can be seen at this page <link>".

Comment 26 Filip Balák 2020-08-03 13:19:27 UTC
The documentation looks good to me. Based on the above discussion, I am moving this BZ to VERIFIED.