Bug 1170174 - [RFE] Satellite 6 product FIPS mode Compliance
Summary: [RFE] Satellite 6 product FIPS mode Compliance
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Version: 6.3.2
Hardware: All
OS: Linux
high with 9 votes vote
Target Milestone: Released
Assignee: satellite6-bugs
QA Contact: Peter Ondrejka
Depends On: 1552159 1678322
TreeView+ depends on / blocked
Reported: 2014-12-03 13:08 UTC by Jim Lyle
Modified: 2019-10-07 17:17 UTC (History)
65 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
The puppet version we are supplying does include its own openssl library, so it is possible tha MD5 is used in the puppet agent. Second Note: To provision a FIPS machine, the user will need to follow these steps: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/provisioning_guide/provision_fips_hosts
Clone Of: 843620
Last Closed: 2019-05-14 12:36:15 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1222 None None None 2019-05-14 12:36:34 UTC
Foreman Issue Tracker 3511 None None None 2017-08-15 17:32:23 UTC
Pulp Redmine 3637 Normal CLOSED - CURRENTRELEASE As a user, I can run pulp in a FIPS-enabled environment 2018-10-09 17:02:08 UTC
Red Hat Knowledge Base (Solution) 2799971 None None None 2016-12-09 06:24:24 UTC

Internal Links: 1671445

Comment 9 Shawn Wells 2017-01-27 22:55:43 UTC
Is there a reason this bug is marked private? I would like to make public - a few customers would like to track this issue.

Comment 15 Rich Jerrido 2017-07-25 20:42:39 UTC
    This comment serves as a sanitized version of Comment #0 (so that the BZ can be made public)

    - Proposed title of this feature request
    Satellite Product FIPS mode Compliance 

    - What is the nature and description of the request?
    Satellite product is not FIPS compliant, customers utilising FIPS environment cannot install and run satellite without disabling FIPS mode.

    -  Why does the customer need this? (List the business requirements here)
    Customer maintains FIPS compliance in their environment.

    -  How would the customer like to achieve this? (List the functional
    requirements here)
    Install Satellite Product with FIPS mode enabled.
    Operate Satellite Product with FIPS mode enabled

    -  For each functional requirement listed in question 5, specify how Red Hat
    and the customer can test to confirm the requirement is successfully
    Satellite Installs properly in FIPS mode
    Satellite operates properly in FIPS mode

    - Is there already an existing RFE upstream or in Red Hat bugzilla?

    - Does the customer have any specific timeline dependencies?

    - List any affected packages or components.
    RH Satellite

    - Would the customer be able to assist in testing this functionality if

Comment 24 Dmitri Dolguikh 2017-11-16 18:42:10 UTC
Please see https://groups.google.com/forum/#!topic/foreman-dev/CZFAY5FQl80 for the discussion of potential approaches.

Comment 26 pulp-infra@redhat.com 2018-06-28 22:03:48 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 27 pulp-infra@redhat.com 2018-06-28 22:04:03 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 28 pulp-infra@redhat.com 2018-10-09 17:02:09 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 38 Peter Ondrejka 2019-04-18 12:30:12 UTC
Verified on Satellite 6.5 snap 24. Satellite and Capsule are successfully installed on FIPS-enabled machines, and operate as expected (as per automation)

Comment 40 errata-xmlrpc 2019-05-14 12:36:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 41 Shawn Wells 2019-05-14 15:23:54 UTC
I don't believe this bug should be closed yet.

While Satellite can no operate on a FIPS-enabled RHEL host, has all usage of cryptography been evaluated? Does Satellite only use FIPS-validated crypto libraries, ideally those provided by RHEL (e.g. OpenSSL, or python-cryptography)?

If so, would the Satellite product management team be willing to attest this on formal Red Hat letterhead? This would allow field teams to provide customers with a FIPS attestation letter -- essentially stating that Red Hat Satellite uses FIPS crypto, inherited through other libraries provided by RHEL, and does not need FIPS validation itself.

Note You need to log in before you can comment on or make changes to this bug.