Difference between revisions of "FIPS Mode"

From OSNEXUS Online Documentation Site

Revision as of 14:37, 5 April 2023

QuantaStor FIPS 140-2 Module

QuantaStor supports the NIST FIPS 140-2 cryptographic standard. More information on the 'OSNEXUS Crypto Library' is available at the NIST web site here. The OSNEXUS Crypto Library FIPS 140-2 Non-proprietary Security Policy can be found here, and the official certificate here. This page will be updated with instructions to configure your QuantaStor system to enable FIPS mode.

Enabling FIPS Mode

To run QuantaStor in FIPS mode, it is required that all of the nodes in your storage grid are running service version '5.9' at minimum and 6.0 at maximum. If any of your nodes do not meet this requirement, then the storage systems on your grid will be automatically set into FIPS Non-Approved mode. To enable FIPS mode, you will need to add the 'tf_fips.enable' touchfile to the expected directory. Run the following command on a QuantaStor box:

touch /var/opt/osnexus/quantastor/touchfiles/tf_fips.enable

You can restart the service and watch the log to confirm that FIPS mode has been verified, using the following command:

service quantastor restart; qs-showlog -f

You should see a WARNLOC alert that looks something like this:

{Wed Jun 17 12:12:02 2020, WARN, e7c79740:alert_manager:543} alert raised / title: 'FIPS Mode Verified', filter: , desc: 'FIPS mode is now verified and active on system 'fips-node5', reboot required upon first activation.', SNMP OID suffix: '182'

If this is the first time FIPS mode has been activated on this box, you will need to run the 'reboot' command and wait for the service to start up again.
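As an added example (not part of the OSNEXUS documentation), the following POSIX shell script checks the two conditions the procedure above depends on: that the tf_fips.enable touchfile is present, and that the 'FIPS Mode Verified' alert appears in a saved copy of the qs-showlog output, distinguishing the first-activation case that still needs a reboot. The function names and the TOUCHFILE_DIR variable are assumptions, and the log lines it scans are constructed from the format shown above, not captured from a real system.

```shell
#!/bin/sh
# Added example: verify the FIPS touchfile and the 'FIPS Mode Verified' alert.
# TOUCHFILE_DIR is an assumption; it defaults to the path used on this page.
TOUCHFILE_DIR="${TOUCHFILE_DIR:-/var/opt/osnexus/quantastor/touchfiles}"

# Returns 0 when tf_fips.enable exists in $1 (defaults to TOUCHFILE_DIR).
fips_touchfile_present() {
    [ -f "${1:-$TOUCHFILE_DIR}/tf_fips.enable" ]
}

# Scans a saved log ($1, e.g. from: qs-showlog -f > /tmp/qs.log) for the
# WARN alert shown above. Prints one word; returns 0 if the alert is present:
#   verified-reboot  alert found and it asks for a reboot (first activation)
#   verified         alert found, no reboot note
#   not-verified     no 'FIPS Mode Verified' alert in the log (returns 1)
fips_log_status() {
    last=$(grep -F "title: 'FIPS Mode Verified'" "$1" | tail -n 1)
    if [ -z "$last" ]; then
        echo "not-verified"
        return 1
    fi
    case "$last" in
        *"reboot required"*) echo "verified-reboot" ;;
        *)                   echo "verified" ;;
    esac
    return 0
}

# Writes a constructed two-line excerpt to $1 in the qs-showlog format shown
# on this page (sample data, not output from a real QuantaStor system).
write_sample_log() {
    cat > "$1" <<'EOF'
{Wed Jun 17 12:12:01 2020, INFO, e7c79740:alert_manager:540} alert manager started
{Wed Jun 17 12:12:02 2020, WARN, e7c79740:alert_manager:543} alert raised / title: 'FIPS Mode Verified', filter: , desc: 'FIPS mode is now verified and active on system 'fips-node5', reboot required upon first activation.', SNMP OID suffix: '182'
EOF
}

# Stand-alone demo against a temporary directory and the sample log.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/qs.log"
if fips_touchfile_present "$demo_dir"; then
    echo "touchfile: present"
else
    echo "touchfile: missing (run: touch $TOUCHFILE_DIR/tf_fips.enable)"
fi
echo "log: $(fips_log_status "$demo_dir/qs.log")"   # prints: log: verified-reboot
rm -rf "$demo_dir"
```

To use it on a real box, set TOUCHFILE_DIR if your install differs and save the qs-showlog output to a file before passing it to fips_log_status.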

Verify/Validate FIPS Mode

You can verify and validate the activation of FIPS mode using the osn_fipscheck CLI tool. From the root quantastor directory you can run the following commands:

./build/bin/osn_fipscheck verify   #Verifies existence of FIPS touchfile in QuantaStor.
./build/bin/osn_fipscheck validate #Validates FIPS mode and link to crypto-libraries.

Or from a QuantaStor box:

/opt/osnexus/quantastor/bin/osn_fipscheck verify   #Verifies existence of FIPS touchfile in QuantaStor.
/opt/osnexus/quantastor/bin/osn_fipscheck validate #Validates FIPS mode and link to crypto-libraries.