Is there a reason this bug is marked private? I would like to make it public - a few customers would like to track this issue.
This comment serves as a sanitized version of Comment #0 (so that the BZ can be made public)
- Proposed title of this feature request
Satellite Product FIPS mode Compliance
- What is the nature and description of the request?
Satellite product is not FIPS compliant; customers utilising a FIPS environment cannot install and run Satellite without disabling FIPS mode.
- Why does the customer need this? (List the business requirements here)
Customer maintains FIPS compliance in their environment.
- How would the customer like to achieve this? (List the functional
Install Satellite Product with FIPS mode enabled.
Operate Satellite Product with FIPS mode enabled.
- For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully
Satellite Installs properly in FIPS mode
Satellite operates properly in FIPS mode
- Is there already an existing RFE upstream or in Red Hat bugzilla?
- Does the customer have any specific timeline dependencies?
- List any affected packages or components.
- Would the customer be able to assist in testing this functionality if
Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Verified on Satellite 6.5 snap 24. Satellite and Capsule are successfully installed on FIPS-enabled machines, and operate as expected (as per automation).
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
I don't believe this bug should be closed yet.
While Satellite can now operate on a FIPS-enabled RHEL host, has all usage of cryptography been evaluated? Does Satellite only use FIPS-validated crypto libraries, ideally those provided by RHEL (e.g. OpenSSL, or python-cryptography)?
If so, would the Satellite product management team be willing to attest this on formal Red Hat letterhead? This would allow field teams to provide customers with a FIPS attestation letter -- essentially stating that Red Hat Satellite uses FIPS crypto, inherited through other libraries provided by RHEL, and does not need FIPS validation itself.