Enabling Federal Information Processing Standards (FIPS)

Find out how to set up Event Endpoint Management to be FIPS-compliant by using a boundary approach that is enabled by the “FIPS Wall”.

Requirements

To run a FIPS-compliant Event Endpoint Management deployment, you need a FIPS-enabled OpenShift Container Platform cluster available with the Event Endpoint Management operator that is installed with a version of 11.1.0 or later.

Ensure that both the Event Manager and the Event Gateway run with the default TLS version, 1.3, and that all clients have the following cipher suites available:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384

Installation instructions

Both the Event Manager and the Event Gateway applications pick up the FIPS_MODE environment variable and set FIPS-compliant ciphers on secure endpoints if the value of this environment variable is wall. The Event Endpoint Management operator allows you to handle the installation entirely in the corresponding custom resource.

To enable the FIPS wall, complete the following steps.

  1. In the EventEndpointManagement custom resource for the Event Manager instance, set the value of spec.manager.fips.mode to wall. The operator sets the corresponding environment variable in the manager pod.

  2. For the Event Gateway, complete one of the following steps appropriate for your installation.

    a. If the Event Gateway is running on a Kubernetes cluster managed by the Event Endpoint Management operator, in the Event Gateway custom resource, set the value of spec.fips.mode to wall.

    b. If the Event Gateway is running as a container in a stand-alone docker engine (as opposed to being managed by the operator on OpenShift Container Platform or Kubernetes), start the container with the FIPS_MODE environment variable set to wall in the docker run command. For example:

docker run -e backendURL="<EEM_BACKEND_URL>" -e swid="EA/CP4I" [-e ubp=true] -e FIPS_MODE="wall" \
    -e KAFKA_ADVERTISED_LISTENER="<KAFKA_ADVERTISED_LISTENER>" -e GATEWAY_PORT="<GATEWAY_PORT>" \
    -e certPaths="/certs/eem/client.pem,/certs/eem/client.key,/certs/eem/ca.pem,/certs/eem/egwclient.pem,/certs/eem/egwclient-key.pem" \
    -v <PATH_TO_CERTIFICATES>:/certs/eem \
    -e LICENSE_ID="<LICENSE_ID>" -e ACCEPT_LICENSE="<ACCEPT_LICENSE>" \
    -d -p <GATEWAY_PORT>:8080 <IMAGE_NAME_FROM_CONTAINER_REGISTRY>
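After enabling the wall, confirm that a deployed gateway endpoint really negotiates TLS 1.3 with one of the two suites listed under Requirements. The following check script is an added example, not part of this page or of the product: it parses the handshake summary line printed by openssl s_client (OpenSSL 1.1.1 or later is assumed) and fails on any downgrade to TLS 1.2 or on a non-FIPS suite. The hostname and port passed to probe_gateway are placeholders.

```shell
# Suites accepted by the FIPS wall (the two listed under Requirements).
FIPS_WALL_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"

# Reads `openssl s_client` output on stdin and returns 0 only when the
# handshake line reports TLSv1.3 with one of the allowed suites.
check_negotiated() {
    # openssl prints e.g. "New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384";
    # on a failed handshake it prints "New, (NONE), Cipher is (NONE)".
    line=$(sed -n '/^New, /{p;q;}')
    [ -n "$line" ] || { echo "FAIL: no handshake line found" >&2; return 1; }
    proto=$(printf '%s\n' "$line" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p')
    cipher=$(printf '%s\n' "$line" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p')
    if [ "$proto" != "TLSv1.3" ]; then
        echo "FAIL: negotiated $proto ($cipher), expected TLSv1.3" >&2
        return 1
    fi
    for suite in $FIPS_WALL_SUITES; do
        [ "$cipher" = "$suite" ] && { echo "OK: TLSv1.3 $cipher"; return 0; }
    done
    echo "FAIL: $cipher is not a FIPS wall suite" >&2
    return 1
}

# Live probe of a gateway endpoint (host and port are assumed placeholders),
# e.g.: probe_gateway eem-gateway.example.com 443
probe_gateway() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | check_negotiated
}
```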