Find out how to set up Event Endpoint Management to be FIPS-compliant by using a boundary approach that is enabled by the “FIPS Wall”.
Requirements
To run a FIPS-compliant Event Endpoint Management deployment, you need a FIPS-enabled OpenShift Container Platform cluster with the Event Endpoint Management operator version 11.1.0 or later installed.
Ensure that you run both the Event Manager and the Event Gateway with the default TLS version of 1.3 and ensure that all clients have the following cipher suites available:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
Installation instructions
Both the Event Manager and the Event Gateway applications read the FIPS_MODE environment variable and set FIPS-compliant ciphers on their secure endpoints when its value is wall. The Event Endpoint Management operator lets you handle the installation entirely in the corresponding custom resource.
To enable the FIPS wall, complete the following steps.
- In the EventEndpointManagement custom resource for the Event Manager instance, set the value of spec.manager.fips.mode to wall. The operator sets the corresponding environment variable in the manager pod.
- For the Event Gateway, complete one of the following steps appropriate for your installation.
  a. If the Event Gateway is running on a Kubernetes cluster managed by the Event Endpoint Management operator, set the value of spec.fips.mode to wall in the Event Gateway custom resource.
  b. If the Event Gateway is running as a container in a stand-alone Docker engine (as opposed to being managed by the operator in OpenShift Container Platform or Kubernetes), start the container with the FIPS_MODE environment variable set to wall in the docker run command. For example:
docker run -e backendURL="<EEM_BACKEND_URL>" -e swid="EA/CP4I" [-e ubp=true] -e FIPS_MODE="wall" \
  -e KAFKA_ADVERTISED_LISTENER="<KAFKA_ADVERTISED_LISTENER>" -e GATEWAY_PORT="<GATEWAY_PORT>" \
  -e certPaths="/certs/eem/client.pem,/certs/eem/client.key,/certs/eem/ca.pem,/certs/eem/egwclient.pem,/certs/eem/egwclient-key.pem" \
  -v <PATH_TO_CERTIFICATES>:/certs/eem -d -p <GATEWAY_PORT>:8080 <IMAGE_NAME_FROM_CONTAINER_REGISTRY>
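The following script is an added verification check, not part of IBM's documentation or product: it confirms from a client that an endpoint behind the FIPS wall negotiates TLS 1.3 only with the two cipher suites listed in the requirements and refuses a non-FIPS suite. It assumes OpenSSL 1.1.1 or later on the client, that those two suites are the complete allowlist, and the hypothetical EEM_HOST and EEM_PORT variables for the target.

```shell
#!/bin/sh
# Added verification helper, not part of the IBM documentation or product.
# Assumes openssl 1.1.1 or later on the client and that the two suites listed
# in the requirements are the complete TLS 1.3 allowlist behind the FIPS wall.
ALLOWED_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"

# Returns 0 when the suite name is on the allowlist, 1 otherwise.
suite_allowed() {
  for s in $ALLOWED_SUITES; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# Extracts the negotiated cipher from `openssl s_client` output ("Cipher is X").
# Prints the suite name, or NONE when the handshake did not complete.
negotiated_cipher() {
  c=$(printf '%s\n' "$1" | sed -n 's/.*Cipher is \([A-Z0-9_]*\).*/\1/p' | head -n 1)
  if [ -n "$c" ]; then printf '%s' "$c"; else printf 'NONE'; fi
}

# Probes host:port offering exactly one TLS 1.3 suite and prints the result.
probe() {
  out=$(openssl s_client -connect "$1:$2" -tls1_3 -ciphersuites "$3" </dev/null 2>&1 || true)
  negotiated_cipher "$out"
}

# Returns 0 when every allowed suite is negotiated and a non-FIPS TLS 1.3 suite
# (ChaCha20-Poly1305) is refused; prints a FAIL line for each deviation.
check_fips_wall() {
  rc=0
  for s in $ALLOWED_SUITES; do
    got=$(probe "$1" "$2" "$s")
    [ "$got" = "$s" ] || { echo "FAIL: $s not negotiated (got $got)"; rc=1; }
  done
  got=$(probe "$1" "$2" TLS_CHACHA20_POLY1305_SHA256)
  [ "$got" = "NONE" ] || { echo "FAIL: non-FIPS suite accepted: $got"; rc=1; }
  return $rc
}

# Constructed sample output (not captured from a real gateway) for offline checks.
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# The live check runs only when EEM_HOST is set, e.g. EEM_HOST=<gateway-host> EEM_PORT=443
if [ -n "${EEM_HOST:-}" ]; then check_fips_wall "$EEM_HOST" "${EEM_PORT:-443}"; fi
```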