[DOCS] Add FIPS 140-2 documentation #32928
Pinging @elastic/es-security
Opening this to get some feedback on where it could be placed. I don't see it being really connected with any existing documentation and as such I was thinking to just add it in the table of contents as a standalone item. @lcawl any thoughts? Where could it go?
cc @joshbressers if he wants to take a look
SAML Realm cannot handle encrypted SAML messages as the algorithms used for key transport are not FIPS 140-2 compliant.
@@ -46,6 +46,9 @@ settings for the ad1 realm: `xpack.security.authc.realms.ad1.*`. The API already | |||
omits all `ssl` settings, `bind_dn`, and `bind_password` due to the | |||
sensitive nature of the information. | |||
|
|||
`xpack.security.fips_mode.enabled`:: | |||
Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS-140 enabled JVM. For more | |||
information, see {xpack-ref}/fips-140-compliance.html[FIPS-140 compliance]. Defaults to `false`. |
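Review bot: The `xpack.security.fips_mode.enabled` entry tells the reader when to set the value to `true` but not what the setting changes once it is enabled; a sentence on its effect would let an operator judge the impact before turning it on. The entry also writes "fips mode" and "FIPS-140" where other parts of this PR use "FIPS 140-2"; pick one form, for example "Enables FIPS mode of operation".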
just a nit: add a new line after for readability of the asciidoc
|
||
The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB | ||
140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. | ||
government computer security standard used to approve cryptographic modules. |
nit: two spaces between computer and security
The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB | ||
140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. | ||
government computer security standard used to approve cryptographic modules. | ||
{es} is FIPS-140 compliant and as such can run in a FIPS-140 enabled JVM. In |
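Review bot: "{es} is FIPS-140 compliant" on the last line conflicts with the paragraph just above it, which defines the standard as one "used to approve cryptographic modules"; {es} is not itself a cryptographic module, so the sentence should state what is actually being claimed (that {es} can run in a FIPS-140 enabled JVM) rather than assert compliance of the product. The comma before "(FIPS PUB 140-2)" in the first sentence can also go.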
maybe instead of `is FIPS-140 compliant` we can say `offers a FIPS 140-2 compliant mode`
- Allowing the configuration of {es} in a FIPS 140-2 compliant manner, as | ||
documented below. | ||
|
||
IMPORTANT: Only {es} 6.4.0 and later can be run in a FIPS 140-2 enabled JVM |
I'm not sure we need this type of statement. @lcawl what is your take?
I think this support statement is redundant, since this page will exist only in 6.4 and later documentation.
|
||
NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module | ||
(the FIPS Approved Security Provider that your JVM uses). All the ciphers that | ||
are configured by default in {es} are FIPS-140 compliant and as such can be |
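Review bot: "mainly governed" in the first sentence of the NOTE leaves open what else decides which TLS ciphers are usable; either name it or drop "mainly". The visible lines speak only of the ciphers "configured by default", so it would help to add what a user who overrides the cipher list has to verify against the security provider.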
I wonder if we should s/FIPS-140/FIPS 140-2/g to be consistent
Keystores can be used in a number of <<ssl-tls-settings>> in order to | ||
conveniently store key and trust material. Neither `JKS`, nor `PKCS#12` keystores | ||
can be used in a FIPS 140-2 enabled JVM however, so you must refrain from using | ||
keystores in your configuration, and use `PEM` encoded files instead. For key |
Maybe we should say `using these keystores in your configuration. Your FIPS 140-2 provider may provide a compliant keystore that can be used or you can use PEM encoded files. To use PEM encoded key material, you can use the relevant ...`. Then we can remove the note below
=== Limitations | ||
|
||
Due to the limitations that FIPS 140-2 compliance enforces, a small number of | ||
features is not available while running in fips mode. The list is as follows: |
s/is not/are not
I always get this wrong :/
looks like it wasn't addressed in your last commit?
Missed it somehow, thanks.
available. | ||
* The SQL CLI client cannot run in a FIPS 140-2 enabled JVM while using | ||
TLS for transport security or PKI for client authentication. | ||
* SAML Realm cannot decrypt and consume encrypted Assertions or encrypted |
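Review bot: The SQL CLI bullet says the client "cannot run" with TLS or PKI but gives no indication of what the user will see on an attempt or what to use instead; one clause on the expected failure or the supported alternative would make the limitation actionable. The same applies to the SAML bullet, which states the restriction without the reason for it.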
s/SAML/The SAML
LGTM
NOTE: This PR contains a link to content that will exist only after #32849 is merged. I've commented out that link for now.
I've added this FIPS page to the "Configuring security" section of the Elasticsearch Reference, since all the setup steps seemed to be related to Elasticsearch: If you prefer a different location, please let me know! I also added a link to this page from the overall "Configuring security in Elasticsearch" page and added some of the setting limitations to the Security settings page too.
I've made some changes and now it LGTM
I merged and backported #32849 so I will uncomment the link referred to in #32928 (comment) before merging this
elasticsearch-ci/packaging-sample check (https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+pull-request+packaging-tests-sample/6847/) has completed successfully but the check result hasn't been updated in the issue for some reason
* Add relevant documentation for FIPS 140-2 compliance.
* Introduce `fips_mode` setting.
* Discuss necessary configuration for FIPS 140-2
* Discuss introduced limitations by FIPS 140-2
This commit adds documentation regarding FIPS 140-2 compliance
and necessary Elasticsearch configuration.