I am setting up an ELK stack version 7.17.12. We have a separate instance for Elasticsearch, Kibana, and Logstash - but only one instance for each. We are using it with a Wazuh Manager instance as well with a Logstash and Wazuh integration. I am testing out making as much of it FIPS compliant as possible starting with Elasticsearch.
Right now we are using the certutil ca command from the Wazuh Distributed guides (single node clusters only), then copying the secure communication certs to the Kibana and Logstash instances. Example of the command used to generate them:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
I know for FIPS we need to use the keytool with password, Bouncy Castle, etc. I have seen this post for example: ElasticSearch FIPS (BouncyCastle).
I'm just not sure how to set up the certificates for secure communication in FIPS mode and add them to the keystore in the BCFKS format (assuming they do in fact go in the keystore; it's very unclear what's supposed to even be in there) so it all works together. I am coming up pretty empty except for the post above.
Then, if I am using the keystore for the certificates on Elasticsearch, do I need to set up the keystore on Kibana and Logstash too? How would that setup and import be achieved?
Another question: are there any issues with the setup-passwords tool for the default accounts and FIPS? Or would I need to change them after creation if I am using pbkdf2_stretch in the elasticsearch yaml?
If you use the BC FIPS security provider then you need to convert the system Keystore/truststore to BCFKS because PKCS#12 is not FIPS compatible, so the BC FIPS provider is not able to read the truststore that ships with the JDK.
However, I am not aware of any reason why you cannot use PEM certificates and keys on a FIPS mode JVM.
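As an added worked example (not code from the reply above, from Elasticsearch, or from Bouncy Castle), this is the conversion the reply describes done through the JDK KeyStore API rather than keytool: every trusted certificate in the JDK's shipped cacerts is copied into a BCFKS store opened explicitly through the BC FIPS provider, then reloaded to confirm the FIPS provider can read the result. It assumes the bc-fips jar is on the classpath, that cacerts still uses the JDK's default password changeit, and that the output path comes from the command line and the new store's password from a BCFKS_PASSWORD environment variable; the class name and those conventions are mine.

```java
// Added example, not code from the thread or from Elasticsearch.
// Copies every trusted certificate in the JDK's shipped truststore into a
// BCFKS keystore that the BC FIPS provider can open. Assumes the bc-fips
// jar is on the classpath; output path and password handling are illustrative.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class ConvertTruststoreToBcfks {

    public static void main(String[] args) throws Exception {
        // Make the FIPS provider available (and preferred) for the "BCFKS" type.
        if (Security.getProvider("BCFIPS") == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }

        // Source: the truststore that ships with the JDK; "changeit" is its default password.
        Path src = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] srcPass = "changeit".toCharArray();

        // Destination: illustrative default path. The password is taken from the
        // environment so it does not end up in shell history or a checked-in script.
        Path dst = Paths.get(args.length > 0 ? args[0] : "cacerts.bcfks");
        String envPass = System.getenv("BCFKS_PASSWORD");
        if (envPass == null || envPass.isEmpty()) {
            throw new IllegalStateException("set BCFKS_PASSWORD for the new BCFKS truststore");
        }
        char[] dstPass = envPass.toCharArray();

        // KeyStore.getInstance(File, char[]) (Java 9+) probes the installed providers for
        // a type that can read the file, so this works whether cacerts is JKS or PKCS#12.
        KeyStore source = KeyStore.getInstance(src.toFile(), srcPass);

        // Ask the BCFIPS provider for a BCFKS store by name, so nothing silently
        // falls back to a non-FIPS keystore format.
        KeyStore target = KeyStore.getInstance("BCFKS", "BCFIPS");
        target.load(null, null);

        int copied = 0;
        for (Enumeration<String> aliases = source.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            // cacerts holds only trusted-certificate entries; skip anything else defensively.
            if (source.isCertificateEntry(alias)) {
                target.setCertificateEntry(alias, source.getCertificate(alias));
                copied++;
            }
        }

        try (OutputStream out = new FileOutputStream(dst.toFile())) {
            target.store(out, dstPass);
        }

        // Verify: reload through the FIPS provider and compare entry counts.
        KeyStore check = KeyStore.getInstance("BCFKS", "BCFIPS");
        try (InputStream in = new FileInputStream(dst.toFile())) {
            check.load(in, dstPass);
        }
        if (check.size() != copied) {
            throw new IllegalStateException("BCFKS store has " + check.size()
                    + " entries, expected " + copied);
        }
        System.out.printf("Wrote %d trusted certificates to %s (type=%s, provider=%s)%n",
                copied, dst, check.getType(), check.getProvider().getName());
    }
}
```

Compile and run with the bc-fips jar on the classpath (the jar file name is a placeholder for whatever version you install), for example `javac -cp bc-fips.jar ConvertTruststoreToBcfks.java` and then `BCFKS_PASSWORD=... java -cp .:bc-fips.jar ConvertTruststoreToBcfks /etc/elasticsearch/cacerts.bcfks`. The JVM is then pointed at the new file with the standard JSSE system properties `-Djavax.net.ssl.trustStore`, `-Djavax.net.ssl.trustStoreType=BCFKS` and `-Djavax.net.ssl.trustStorePassword`. This only replaces the JDK's system truststore; the node's own key, certificate and CA chain can stay as PEM files referenced from the `xpack.security.*.ssl.key`, `.certificate` and `.certificate_authorities` settings, which is consistent with the reply above that PEM material is usable on a FIPS-mode JVM.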
Yeah, it looks like there's not really a way to generate FIPS PEM certificates in Ubuntu 20.04, because they aren't on OpenSSL version 3 yet and the module has only been validated for Ubuntu 22.04 anyway.
Actually, I may be wrong about OpenSSL on Ubuntu 20.04; apparently if it's in FIPS mode it may be validated.
Also, elasticsearch-certutil uses Bouncy Castle OpenSSL; I saw it in the code. However, the cryptographic modules that have been verified for Bouncy Castle ran on a VMware OS, not Ubuntu. But then, if that matters, how can Bouncy Castle be used on the JVM for FIPS on an Ubuntu operating system? And why can't we use elasticsearch-certutil in Elasticsearch FIPS mode? Everything I can find says it should be validated if the Bouncy Castle modules are validated.