Difference between revisions of "FIPS Mode"

From OSNEXUS Online Documentation Site

Revision as of 15:20, 5 April 2023

QuantaStor FIPS 140-2 Module

QuantaStor supports FIPS cryptographic standards for NIST standard FIPS 140-2. More information on the 'OSNEXUS Crypto Library' is available at the NIST web site here. The OSNEXUS Crypto Library FIPS 140-2 Non-proprietary Security Policy can be found here, and the official certificate here. This page will be updated with instructions to configure your QuantaStor system to enable FIPS mode.

Enabling FIPS Mode

To run QuantaStor in FIPS mode, every node in the storage grid must run a service version of at least '5.9' and at most '6.0' (the FIPS 140-3 certificate for 6.1 and later is pending). If any node does not meet this requirement, the storage systems in the grid are automatically set to FIPS Non-Approved mode. To enable FIPS mode, create the 'tf_fips.enable' touchfile in the touchfile directory. Run the following command as the 'root' user (or via sudo) on each QuantaStor system that is to be put into FIPS mode.

# sudo touch /var/opt/osnexus/quantastor/touchfiles/tf_fips.enable

REBOOT: After enabling FIPS mode, reboot the system, because several checks must run at system startup.

Once the service is running, check the logs to confirm that FIPS mode has been verified, using the following command:

# qs-showlog -a | grep FIPS

You should see a WARNLOC alert that looks something like this:

{Wed Jun 17 12:12:02 2020, WARN, e7c79740:alert_manager:543} alert raised / title: 'FIPS Mode Verified', filter: , desc: 'FIPS mode is now verified and active on system 'fips-node5', reboot required upon first activation.', SNMP OID suffix: '182'

If this is the first time FIPS mode has been activated on this system, run the 'reboot' command and wait for the service to start up again. Crypto module logs are written to '/var/log/qs/qs_crypto.log'.

Manual Verification and Validation of FIPS Mode

You can verify and validate the activation of FIPS mode using the osn_fipscheck CLI tool from the command line of your QuantaStor system, which you can reach via ssh as the 'qadmin' user. Once logged in as 'qadmin', elevate your privileges to 'root' before running the following checks.

Verify FIPS Mode is Enabled

This verifies that the FIPS enablement touchfile noted above is in place on the system.

# sudo /opt/osnexus/quantastor/bin/osn_fipscheck validate-fips
# echo $?
0

An exit status of 0 means the check succeeded; an exit status of 1 or greater means it failed.

Validate osncryptolib configuration is FIPS Mode compliant

The output of this command reports whether FIPS mode is enabled and whether the FIPS module has passed its self-tests. If the FIPS module fails to validate, the quantastor service will not start on a system that has been designated to run in FIPS mode.

# sudo /opt/osnexus/quantastor/bin/osn_fipscheck validate
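The following script ties the steps above together as a single audit: it checks for the enable touchfile, looks for the 'FIPS Mode Verified' alert in the log output, and reports the exit status of both osn_fipscheck subcommands. This is an added example, not OSNEXUS code. The file and tool paths are the ones given on this page; the function names are assumptions, and the log text embedded in the script is a constructed sample modelled on the alert shown above so that the parsing can be tried on a host without QuantaStor installed.

```shell
#!/bin/sh
# Added example (not OSNEXUS code). Paths are the ones documented on this page;
# function names are assumptions and SAMPLE_LOG is constructed sample data.
TOUCHFILE=/var/opt/osnexus/quantastor/touchfiles/tf_fips.enable
FIPSCHECK=/opt/osnexus/quantastor/bin/osn_fipscheck

# Constructed sample of 'qs-showlog -a | grep FIPS' output, modelled on the alert above.
SAMPLE_LOG="{Wed Jun 17 12:12:02 2020, WARN, e7c79740:alert_manager:543} alert raised / title: 'FIPS Mode Verified', filter: , desc: 'FIPS mode is now verified and active on system 'fips-node5', reboot required upon first activation.', SNMP OID suffix: '182'
{Wed Jun 17 12:12:05 2020, INFO, e7c79740:alert_manager:543} unrelated line mentioning FIPS for the grep filter"

# fips_touchfile_present [PATH]: 0 if the enable touchfile exists (the enabling step above).
fips_touchfile_present() {
    [ -f "${1:-$TOUCHFILE}" ]
}

# fips_alert_verified: read log lines on stdin; 0 if a 'FIPS Mode Verified' alert was raised.
fips_alert_verified() {
    grep -q "title: 'FIPS Mode Verified'"
}

# fips_verified_node: read log lines on stdin; print the node name quoted in the alert.
fips_verified_node() {
    sed -n "s/.*verified and active on system '\([^']*\)'.*/\1/p" | head -n 1
}

# fips_rc_to_status RC: map an osn_fipscheck exit status to a word (0 = ok, >= 1 = fail).
fips_rc_to_status() {
    if [ "$1" -eq 0 ]; then echo ok; else echo fail; fi
}

# fips_run_check SUBCOMMAND: run osn_fipscheck (validate-fips or validate) if installed.
# On a host without QuantaStor it reports 'absent' instead of a status word.
fips_run_check() {
    if [ -x "$FIPSCHECK" ]; then
        sudo "$FIPSCHECK" "$1" >/dev/null 2>&1
        fips_rc_to_status $?
    else
        echo absent
    fi
}

# fips_audit: run every check; log text comes from qs-showlog when available,
# otherwise from SAMPLE_LOG. Returns 0 only if no available check failed.
fips_audit() {
    if command -v qs-showlog >/dev/null 2>&1; then
        log=$(qs-showlog -a | grep FIPS)
    else
        log=$SAMPLE_LOG
    fi
    ok=0
    if fips_touchfile_present; then
        echo "touchfile: present"
    else
        echo "touchfile: missing ($TOUCHFILE)"; ok=1
    fi
    if printf '%s\n' "$log" | fips_alert_verified; then
        echo "alert: FIPS Mode Verified on $(printf '%s\n' "$log" | fips_verified_node)"
    else
        echo "alert: 'FIPS Mode Verified' not found in log"; ok=1
    fi
    for sub in validate-fips validate; do
        st=$(fips_run_check "$sub")
        echo "osn_fipscheck $sub: $st"
        if [ "$st" = fail ]; then ok=1; fi
    done
    return $ok
}

fips_audit || echo "FIPS audit: FAILED (see lines above)"
```

On a QuantaStor node run the script as root (or a user permitted to sudo); a first-time activation still needs the reboot described above before the alert appears, so a missing alert directly after creating the touchfile is expected rather than a fault.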