Red Hat Bugzilla – Bug 962247
OpenShift Enterprise is not FIPS 140-2 Compliant
Last modified: 2016-05-25 07:45:27 EDT
Description of problem:
U.S. Government deployments require FIPS 140-2 compliance; however, OpenShift Enterprise is not FIPS 140-2 compliant. This will prohibit deployments on US Government networks across State, Local, Federal, Military, and Intelligence markets.
NIST 800-53 SA-4: Prohibits the U.S. Government from procuring solutions which are not FIPS 140-2 certified.
NIST 800-53 IA-7: Access control must be performed over FIPS 140-2 (e.g., FIPS-enabled SSH connections).
NIST 800-54 MA-4(6): FIPS mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
The list is extensive. A copy of the NIST regulations can be found at:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure Base RHEL6 in FIPS mode
2. Watch things break
Expected results:
OpenShift Enterprise remains functional when FIPS 140-2 is enabled in the BaseOS.
Additionally, need checks to ensure that OpenShift components (such as web server) are using FIPS 140-2 crypto libraries.
The impact of OpenShift not having FIPS 140-2 cryptography is quite severe. U.S. government procurement regulations prevent acquisition of non-FIPS certified software. As it currently stands, the U.S. government and associated system integrator community are not allowed to purchase the RH OpenShift product.
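As an added example that is not part of the bug report: a small POSIX shell check a deployer can run on a RHEL6-style host to confirm the kernel is actually in FIPS mode and that a service process (such as the web server) has mapped the system libcrypto rather than some bundled copy. The /proc paths are the RHEL6 defaults and are assumptions; each function takes the file it inspects as an argument so it can also be run against captured /proc copies offline.

```shell
#!/bin/sh
# Added example: defender-side FIPS posture check for a RHEL6-style host.
# Each function takes the file to inspect as $1 (defaults point at the live host).

# Kernel FIPS flag: /proc/sys/crypto/fips_enabled must read exactly "1".
fips_sysctl_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Boot parameter: fips=1 must be on the kernel command line for the flag to persist.
cmdline_has_fips() {
    f="${1:-/proc/cmdline}"
    [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx 'fips=1'
}

# Library check, $1 = path to a /proc/PID/maps file.
# Prints every distinct libcrypto path the process has mapped (may print nothing).
process_libcrypto_paths() {
    awk '/libcrypto\.so/ { print $NF }' "$1" | sort -u
}

# Returns 0 only if the process maps libcrypto AND every copy lives under a
# system library directory; a copy under /opt or a vendor prefix is suspect,
# since it is not the FIPS-validated system OpenSSL.
process_uses_system_libcrypto() {
    paths=$(process_libcrypto_paths "$1")
    [ -n "$paths" ] || return 1
    for p in $paths; do
        case "$p" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Runtime OpenSSL check: in FIPS mode the openssl CLI refuses non-approved
# digests such as MD5, so a *successful* md5 means the library is not in FIPS mode.
openssl_rejects_md5() {
    command -v openssl >/dev/null 2>&1 || return 2
    ! printf 'x' | openssl md5 >/dev/null 2>&1
}

# Summary against the live host; run as root, then check each service's maps file.
fips_host_report() {
    fips_sysctl_enabled && echo "kernel fips flag: on" || echo "kernel fips flag: OFF"
    cmdline_has_fips && echo "kernel cmdline fips=1: present" || echo "kernel cmdline fips=1: MISSING"
    openssl_rejects_md5 && echo "openssl: FIPS mode (MD5 rejected)" || echo "openssl: not in FIPS mode, or absent"
}
```

Typical use on the host: `fips_host_report`, then `process_uses_system_libcrypto /proc/$(pidof httpd | cut -d' ' -f1)/maps` for each OpenShift service.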
*** This bug has been marked as a duplicate of bug 923119 ***