On Tue, 20 Apr 2021, Ian Willis via FreeIPA-users wrote:
Hi Simo,
Thanks for the clear response.
This is more in keeping with my understanding of the assurance
process.
In short
* FIPS evaluation only applies to the algorithms in scope. Generally
something like Suite B
* FIPS is only applicable to a particular instance ie binary or set of
binaries.
That being said, in some environments you only need to demonstrate the
use of specific cryptographic operations which may be embodied by FIPS
evaluation, in which case it's a reasonable shortcut.
So rather than shooting yourself in the foot it can make your life
significantly simpler. Also most auditors don't really understand the
more esoteric aspects of these processes and concentrate on things that
they can understand.
However that lack of understanding is also a two-edged sword. ;-)
It is even more complex. We only started[1] to support RHEL IdM in FIPS
mode for real with RHEL 8.3 and for trust to Active Directory in
upcoming RHEL 8.4[2]. The RHEL 7 version of FreeIPA can be made to run in FIPS
mode, but it was not validated for that purpose.
As others said, running in FIPS mode is always a reduction of
functionality. In the case of trust to Active Directory that, for example,
means a lot of operations are not accessible anymore (see [2] above,
scroll down to the 'samba rebased to 4.13.2' subsection).
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8-...
-----Original Message-----
From: Simo Sorce via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org>
Reply-To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Steve Reed <scottmreed(a)hotmail.com>, Simo Sorce <simo(a)redhat.com>
Subject: [Freeipa-users] Re: FreeIPA and FIPS
Date: Mon, 19 Apr 2021 17:08:04 -0400
Hi Steve,
On Mon, 2021-04-19 at 19:08 +0000, Steve Reed via FreeIPA-users wrote:
> Hi Stephen,
> True. I understand that, but I think we are getting off track to
> my original question. Can you run a FIPS FreeIPA server and still
> have the clients work with it? It's not necessarily required to have
> the clients FIPS compliant, but the server must since it has to do
> the encryption for data that it stores.
Yes you can run a server in FIPS mode, and clients will generally
talk to it just fine. FIPS mode in RHEL simply reduces the set of
available algorithms, so clients have less to choose from but will work
just fine.
The caveat is if you have non-RHEL clients that are either very old,
or somewhat "special", and support only a subset of
(old/different) algorithms that are not supported by the server in FIPS
mode.
So the answer is generally "yes with some caveats".
Note that these caveats are also valid in general for running on
RHEL where we apply somewhat stringent crypto policies to avoid old and
weak protocols by default.
> And I appreciate that everyone is trying to save me some time, but
> it has been decided that we will use FIPS unless it proves
> not beneficial.
Just a note for everyone looking at this thread. FIPS mode can be used
at any time without restriction, so you are welcome to use it. Many
choose to use FIPS mode to make sure only tested and approved algorithms
are used.
However, FIPS compliance is technically possible only with
certified modules. And Red Hat certifies exclusively RHEL binary builds
(I know because I do that). You can check the certificates on the CMVP
website and the related Security Policy documents for more details.
CentOS (or any other rebuild) builds are not covered by Red
Hat certificates and I am not aware of anyone else certifying
CentOS binaries either.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland