Bug 962247 - OpenShift Enterprise is not FIPS 140-2 Compliant
OpenShift Enterprise is not FIPS 140-2 Compliant
Status: CLOSED DUPLICATE of bug 923119
Product: OpenShift Container Platform
Classification: Red Hat
Component: Security (Show other bugs)
2.2.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Brenton Leanhardt
Xiaoli Tian
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-12 19:48 EDT by Shawn Wells
Modified: 2016-05-25 07:45 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-05-14 08:47:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Shawn Wells 2013-05-12 19:48:21 EDT
Description of problem:

U.S. Government deployments require FIPS 140-2 compliance, however OpenShift Enterprise is not FIPS 140-2 compliant. This will prohibit deployments on US Government networks across State, Local, Federal, Military, and Intelligence markets.

NIST 800-53 SA-4: Prohibits the U.S. Government from procuring solutions which are not FIPS 140-2 certified.

NIST 800-53 IA-7: Access control must be performed over FIPS 140-2 (e.g., FIPS enable SSH connections)

NIST 800-54 MA-4(6): FIPS mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
.....

The list is extensive. A copy of the NIST regulations can be found at:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf


Version-Release number of selected component (if applicable):
All

How reproducible:
100%

Steps to Reproduce:
1. Configure Base RHEL6 in FIPS mode
2. Watch things break
3.
  
Actual results:


Expected results:
OpenShift Enterprise remains functional when FIPS 140-2 enabled in BaseOS.
Additionally, need checks to ensure that OpenShift components (such as web server) are using FIPS 140-2 crypto libraries.

Additional info:

The impact of OpenShift not having FIPS 140-2 cryptography is quiet severe. U.S. government procurement regulations prevent acquisition of non-FIPS certified software. As currently stands, the U.S. government and associated system integrator community is not allowed to purchase the RH OpenShift product.
Comment 2 Brenton Leanhardt 2013-05-14 08:47:42 EDT

*** This bug has been marked as a duplicate of bug 923119 ***

Note You need to log in before you can comment on or make changes to this bug.