Red Hat Bugzilla – Bug 1464261
Government site requiring RHV be FIPS compliant/compatible.
Last modified: 2017-06-28 10:56:05 EDT
1. Proposed title of this feature request
FIPS compliance/compatibility with RHEV
2. Who is the customer behind the request?
TAM customer: no
SRM customer: no
Standard RHV but has other Premium Entitlements
3. What is the nature and description of the request?
Site is required to be FIPS compliant with all RHEL STIG systems including those used in RHV.
4. How would the customer like to achieve this? (List the functional requirements here)
There is presently no known documentation specific to RHV if it is or is not presently supported as a function. RHEL has a KCS 176633 which indicates RHEL is provided some changes are made within openssl.
5. Is there already an existing RFE upstream or in Red Hat Bugzilla?
6. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
Yes, this is needed ASAP as they are presently out of compliance. This will impact all Government agencies using RHV with RHEL STIG systems.
7. List any affected packages or components.
RHV-M/RHV-H/RHEL-H and possible interaction with RHEL STIG guests.
8. Would the customer be able to assist in testing this functionality if implemented?
Hey Jason -
RHV-H has supported FIPS since 2013. Full STIG compliance is a process, but booting in FIPS mode is supported.
The process here is basically the same as RHEL.
Boot with "fips=1". (dracut-fips is already included). If done as part of the initial install, Anaconda will keep this karg.
OpenSSH/OpenSSL are outside of the scope of this, but are basically the same as RHEL. Any certificates/keys generated with a non-FIPS-compliant cipher/strength will need to be regenerated.
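A way to verify the steps in the comment above on a host, as an added example that is not part of the original bug or Red Hat's own tooling: it checks that `fips=1` is on the kernel command line, that the kernel reports FIPS mode active, and which SSH host keys are candidates for regeneration. The function names are hypothetical, and treating DSA keys and RSA keys under 2048 bits as non-compliant is an assumption of this example.

```shell
#!/bin/sh
# Added example: confirm a host really booted in FIPS mode and flag SSH host
# keys that likely need regenerating. File paths are parameters so the checks
# also work on saved copies (sosreport, test fixtures) as well as a live host.

# Succeeds if the kernel command line contains the exact argument fips=1.
cmdline_has_fips() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'fips=1'
}

# Succeeds if the kernel reports FIPS mode as active (file contains 1).
kernel_fips_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Combined status: 0 = booted in FIPS mode,
#                  1 = fips=1 present but kernel not in FIPS mode,
#                  2 = fips=1 missing from the command line (karg was lost).
fips_boot_status() {
    cmdline_has_fips "$1" || return 2
    kernel_fips_enabled "$2" || return 1
    return 0
}

# Reads `ssh-keygen -l` output lines on stdin, in the form
#   <bits> <fingerprint> <comment> (<TYPE>)
# and prints "<TYPE> <bits> <fingerprint>" for keys to regenerate.
# Assumption of this example: DSA keys and RSA keys below 2048 bits are
# treated as non-compliant; adjust to the policy that applies to the site.
weak_host_keys() {
    awk '{
        bits = $1 + 0
        type = $NF
        gsub(/[()]/, "", type)
        if (type == "DSA" || (type == "RSA" && bits < 2048))
            print type, bits, $2
    }'
}
```

On a host, source the file and run `fips_boot_status; echo $?`, then pipe the output of `ssh-keygen -l -f` for each `/etc/ssh/ssh_host_*_key.pub` file into `weak_host_keys`.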