FIPS Mode

From OSNEXUS Online Documentation Site

QuantaStor FIPS 140-2 Module

QuantaStor supports the NIST FIPS 140-2 cryptographic standard through the 'OSNEXUS Crypto Library', a validated cryptographic module. More information on the module is available on the NIST web site here. The OSNEXUS Crypto Library FIPS 140-2 Non-proprietary Security Policy can be found here, and the official certificate here. The sections below describe how to configure a QuantaStor system to run in FIPS mode and how to verify that the mode is active.

Enabling FIPS Mode

To run QuantaStor in FIPS mode, all of the nodes in your storage grid must be running qstor-service version "6.0.11" (a FIPS 140-3 certificate is pending for 6.1 and beyond). If any node does not meet this requirement, every storage system in the grid is automatically set to FIPS Non-Approved mode, so check the version on each node before enabling FIPS. FIPS mode is enabled or disabled with the 'qs-util' CLI tool. Run the following commands as the 'root' user on the QuantaStor system to be put into FIPS mode.

## enables FIPS mode and restarts the quantastor service
# sudo qs-util enablefips
## disables FIPS mode and restarts the quantastor service
# sudo qs-util disablefips

REBOOT: After enabling the FIPS mode, reboot the system as there are various checks that need to be done at system startup.

After the reboot, verify that FIPS mode has been validated: the status is shown in the web UI under the storage system properties, and the service log (below) records the result of the startup checks. You can also run the following command to check FIPS mode status from the CLI:

# qs sys-get | grep -i FIPS

Check the QuantaStor alerts to see recent changes to FIPS mode status:
[Image: QuantaStor alert list showing FIPS mode status update alerts]

Additional logging for the OSNEXUS Crypto Library Module can be followed using the following command:

# tail -f /var/log/qs/qs_crypto.log

Manual Verification and Validation of FIPS Mode

You can verify and validate the activation of FIPS mode with the osn_fipscheck CLI tool from the command line of your QuantaStor system, which you can access via ssh as the user 'qadmin'. Once logged in as 'qadmin', elevate your permissions to 'root' before running the following checks.

Validate osncryptolib configuration is FIPS Mode compliant

This command verifies that FIPS mode is enabled on the system and that the FIPS module has passed its self tests. If the FIPS module fails to validate, the quantastor service will not start when it is designated to run in FIPS mode. A successful check returns 0; any failure returns a value >= 1. See 'qs_crypto.log' for more information on FIPS mode errors.

# sudo /opt/osnexus/quantastor/bin/osn_fipscheck validate-fips
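The steps above can be chained into a single post-reboot check. The script below is an added example, not OSNEXUS code or part of QuantaStor: it wraps the documented osn_fipscheck exit-code contract (0 = validated, >= 1 = failure), filters the FIPS-related line from `qs sys-get` output, and applies the grid-wide version requirement from the "Enabling FIPS Mode" section. Two things are assumptions rather than documented facts: the exact field name that `qs sys-get` prints for FIPS status (only that the line contains "FIPS" is known from this page), and the "node version" line format fed to the grid check, since this page does not give the command that lists node versions.

```shell
#!/bin/sh
# Added example, not OSNEXUS code. Post-reboot FIPS mode verification built
# from the commands documented on this page.

FIPSCHECK=/opt/osnexus/quantastor/bin/osn_fipscheck   # documented path
CRYPTO_LOG=/var/log/qs/qs_crypto.log                 # documented log
REQUIRED_VER=6.0.11                                  # required qstor-service version

# Map the documented osn_fipscheck exit status to a verdict:
# 0 means the module validated; anything >= 1 is a failure.
fips_verdict() {
  case "$1" in
    0) echo "validated" ;;
    *) echo "failed" ;;
  esac
}

# Keep only FIPS-related lines from `qs sys-get` output read on stdin.
# Assumption: the field name is unknown here, so we match on "FIPS" only,
# exactly as the page's `qs sys-get | grep -i FIPS` does.
fips_lines() {
  grep -i 'fips' || true
}

# Return 0 when every node runs REQUIRED_VER, 1 otherwise.
# Input on stdin: one "node version" pair per line (assumed/constructed format;
# the real node inventory command is not given on this page).
grid_fips_eligible() {
  bad=0
  while read -r node ver; do
    [ -z "$node" ] && continue
    if [ "$ver" != "$REQUIRED_VER" ]; then
      echo "node $node runs qstor-service $ver, needs $REQUIRED_VER" >&2
      bad=1
    fi
  done
  return $bad
}

# Orchestrate the real checks on a QuantaStor system (needs root/sudo).
run_checks() {
  sudo "$FIPSCHECK" validate-fips
  rc=$?
  verdict=$(fips_verdict "$rc")
  echo "osn_fipscheck validate-fips: exit $rc ($verdict)"
  if [ "$verdict" != "validated" ]; then
    # On failure the page points at qs_crypto.log for the reason.
    echo "--- last lines of $CRYPTO_LOG ---"
    sudo tail -n 20 "$CRYPTO_LOG"
    return 1
  fi
  echo "--- FIPS status from qs sys-get ---"
  qs sys-get | fips_lines
}

# Only run against the live system when invoked as: sh fipscheck.sh --run
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it as root after the post-enable reboot; a non-zero exit means the module did not validate and the tail of qs_crypto.log printed above it is the place to start.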