Bug 1464261 - Government site requiring RHV be FIPS compliant/compatible.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: rhev-hypervisor
Version: 4.1.2
Priority: unspecified
Severity: high
Assigned To: Douglas Schilling Landgraf
QA Contact: Virtualization Bugs
Keywords: FutureFeature
Reported: 2017-06-22 16:05 EDT by Jason
Modified: 2017-06-28 10:56 EDT
Doc Type: Enhancement
Last Closed: 2017-06-26 06:50:12 EDT
Type: Bug
oVirt Team: Infra

Description Jason 2017-06-22 16:05:46 EDT
1. Proposed title of this feature request

FIPS compliance/compatibility with RHEV

2. Who is the customer behind the request?

Government site.

TAM customer: no


SRM customer: no


Strategic: no

Standard RHV but has other Premium Entitlements


3. What is the nature and description of the request?

Site is required to be FIPS compliant with all RHEL STIG systems including those used in RHV. 

4. How would the customer like to achieve this? (List the functional requirements here)

There is presently no known documentation specific to RHV on whether it is or is not presently supported as a function. RHEL has KCS 176633, which indicates RHEL is, provided some changes are made within OpenSSL.

5. Is there already an existing RFE upstream or in Red Hat Bugzilla?

None found

6. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

Yes, this is needed ASAP as they are presently out of compliance. This will impact all Government agencies using RHV with RHEL STIG systems.

7. List any affected packages or components.

RHV-M/RHV-H/RHEL-H and possible interaction with RHEL STIG guests.

8. Would the customer be able to assist in testing this functionality if implemented?

Most likely.

Comment 2 Ryan Barry 2017-06-26 06:50:12 EDT
Hey Jason -

RHV-H has supported FIPS since 2013. Full STIG compliance is a process, but booting in FIPS mode is supported.

Comment 4 Ryan Barry 2017-06-28 10:56:05 EDT
The process here is basically the same as RHEL.

Boot with "fips=1" (dracut-fips is already included). If done as part of the initial install, Anaconda will keep this karg.

OpenSSH/OpenSSL are outside of the scope of this, but are basically the same as RHEL. Any certificates/keys generated with a non-FIPS-compliant cipher/strength will need to be regenerated.
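
As an added illustration of the boot step in Comment 4 (not part of the original bug thread and not Red Hat tooling), these shell functions compare the `fips=` kernel argument with the kernel's runtime flag in `/proc/sys/crypto/fips_enabled`. The function names and the three status words are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm a host really booted in FIPS mode.
# Function names and status words are this example's own (hypothetical).

# Print the value of the last fips= argument on the kernel command line,
# or "unset" if there is none. Runs in a subshell so "set -f" stays local.
fips_karg() (
    set -f                                   # no globbing while word-splitting
    value=unset
    for arg in $(cat "${1:-/proc/cmdline}"); do
        case $arg in
            fips=*) value=${arg#fips=} ;;
        esac
    done
    printf '%s\n' "$value"
)

# Compare the boot argument with the kernel's runtime flag.
# Prints enabled, mismatch or disabled; exit status is 0 only for enabled.
fips_status() {
    karg=$(fips_karg "${1:-/proc/cmdline}")
    flag_file=${2:-/proc/sys/crypto/fips_enabled}
    flag=0
    if [ -r "$flag_file" ]; then flag=$(cat "$flag_file"); fi
    if [ "$karg" = 1 ] && [ "$flag" = 1 ]; then
        echo enabled
        return 0
    elif [ "$karg" = 1 ] || [ "$flag" = 1 ]; then
        echo mismatch      # karg and kernel state disagree: investigate
        return 1
    fi
    echo disabled
    return 1
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then
    fips_status
fi
```

Both functions take optional file paths, so the same check can be run against a saved copy of a host's command line during an audit.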
