Bug 1850895 - [Doc RFE] Document FIPS support in OCS 4.5
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat Storage
Component: documentation
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: OCS 4.5.0
Assignee: Olive Lakra
QA Contact: Filip Balák
URL:
Whiteboard:
Depends On:
Blocks: 1826399 1859307
Reported: 2020-06-25 06:21 UTC by Anjana Suparna Sriram
Modified: 2020-09-20 15:25 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.FIPS-140-2
Red Hat OpenShift Container Storage is now using FIPS validated cryptographic modules as delivered by Red Hat Enterprise Linux OS/CoreOS. OpenShift Container Storage is aligned with OpenShift Container Platform as described in its documentation, link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html-single/installing/index#installing-fips[support for FIPS cryptography]. The cryptography modules are currently being processed by Cryptographic Module Validation Program (CMVP) and their state can be seen at link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Modules-In-Process/Modules-In-Process-List[Modules in Process List]. For more up-to-date information, see this link:https://access.redhat.com/solutions/307523[knowledge base article].

NOTE: OpenShift Container Platform cluster must use Red Hat Enterprise Linux CoreOS (RHCOS). OpenShift Container Platform deployment on RHEL 7 is not supported for this feature. For more information, see link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html-single/installing/index#installing-fips-mode_installing-fips[installing a cluster in FIPS mode].
Clone Of:
Environment:
Last Closed: 2020-09-20 15:25:11 UTC
Embargoed:



Comment 9 Simo Sorce 2020-06-28 21:46:39 UTC
Sorry,
but that language is unacceptable.

The only software that gets validated by NIST are crypto modules.

Please change the phrasing to "uses FIPS validated crypto modules" and probably you want to specify something about the environment "when running on RHEL such and such" ...

Comment 22 Eran Tamir 2020-07-07 16:37:42 UTC
Looks good to me. Thank you Olive, Simo and Bipin.

Comment 23 Filip Balák 2020-07-30 15:04:15 UTC
Thanks to the joint effort of Bipin, Eran, Olive and Simo, the documentation looks good. I have just one concern:

@Olive, @Simo
In the sentence `The cryptography modules used are currently in "Modules Under Test" state in the certification process.` there is a link from `certification process` to the page https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Modules-In-Process/Modules-In-Process-List.
There is no column "Modules Under Test" on the page, but most of the Red Hat modules are in the column "Review Pending". Only the Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module is in the state "In Review". Shouldn't the sentence be edited accordingly?

Comment 24 Simo Sorce 2020-07-30 16:17:05 UTC
The status of the modules will change over time and they will eventually disappear from that list entirely as we attain certifications. We should probably avoid mentioning a specific state I guess, and just say something like "the modules are currently being processed by CMVP and their state can be seen at this page <link>".

Comment 26 Filip Balák 2020-08-03 13:19:27 UTC
The documentation looks good to me. Based on the above discussion, I am moving this BZ to VERIFIED.

