ELK stack elasticsearch FIPS Keytool Certificates

I am setting up an ELK stack version 7.17.12. We have a separate instance for Elasticsearch, Kibana, and Logstash - but only one instance for each. We are using it with a Wazuh Manager instance as well with a Logstash and Wazuh integration. I am testing out making as much of it FIPS compliant as possible starting with Elasticsearch.

Right now we are using the certutil ca command from the Wazuh Distributed guides (single node clusters only). Then copying the secure communication certs to the Kibana and Logstash instance. Command to generate example:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip

I know for FIPS we need to use the keytool with password, Bouncy Castle, etc. I have seen this post for example: ElasticSearch FIPS (BouncyCastle).

I just am not sure how to set up the certificates for secure communication in FIPS mode and add them to the Keystore in the BCFKS format (assuming they do in fact go in the keystore - it's very unclear what's supposed to even be in there) so it all works together. I am coming up pretty empty except for the post above.

Then if I am using the Keystore for the certificates on Elasticsearch - do I need to set up the keystore on Kibana and Logstash too? How would that setup and import be achieved?

Another question is are there any issues with the setup-passwords tool for the default accounts and FIPS? Or would I need to change them after creation if I am using pbkdf2_stretch in the elasticsearch yaml?

Elasticsearch FIPS 140-2

Why do you believe this to be true?

If you use the BC FIPS security provider then you need to convert the system Keystore/truststore to BCFKS because PKCS#12 is not FIPS compatible, so the BC FIPS provider is not able to read the truststore that ships with the JDK.
However, I am not aware of any reason why you cannot use PEM certificates and keys on a FIPS mode JVM.

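The reply above makes one concrete point: with the BC FIPS provider loaded, the JDK's PKCS#12/JKS truststore is unreadable, so it has to be converted to BCFKS, while the PEM certificates and keys themselves can stay as they are. The script below is an added example for this thread, not code from Elastic, Wazuh or the poster. It assumes the Elasticsearch bundled JDK under /usr/share/elasticsearch/jdk, a bc-fips jar at a placeholder path in BC_FIPS_JAR, placeholder store passwords, and the Java 11 provider ordering as an assumption. It wraps the keytool conversion, emits the java.security lines that select BCFIPS and BCFKS, and includes a check that reports when a java.security file still carries the stock (non-FIPS) defaults.

```shell
#!/bin/sh
# Added example (not from the thread or from Elastic). Assumptions: bundled JDK path,
# BC_FIPS_JAR placeholder, placeholder passwords, Java 11 provider ordering.
set -u

: "${JAVA_HOME:=/usr/share/elasticsearch/jdk}"
: "${BC_FIPS_JAR:=/opt/bc-fips/bc-fips.jar}"   # placeholder: point this at your bc-fips jar
BC_PROVIDER=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

# Convert any keytool-readable store (the JDK cacerts, or a PKCS#12 built from
# certutil's PEM output) into a BCFKS store through the BC FIPS provider.
# Usage: convert_to_bcfks SRC SRCTYPE SRCPASS DEST DESTPASS
convert_to_bcfks() {
  "$JAVA_HOME/bin/keytool" -importkeystore \
    -srckeystore "$1" -srcstoretype "$2" -srcstorepass "$3" \
    -destkeystore "$4" -deststoretype BCFKS -deststorepass "$5" \
    -providerclass "$BC_PROVIDER" -providerpath "$BC_FIPS_JAR" -providername BCFIPS
}

# java.security lines that put BCFIPS first and make BCFKS the default store type.
# The provider ordering is an assumption for Java 11; check it against the docs for your JDK.
fips_java_security_fragment() {
  cat <<EOF
security.provider.1=$BC_PROVIDER
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=sun.security.provider.Sun
keystore.type=BCFKS
EOF
}

# Check a java.security file. Returns 0 when BCFIPS is security.provider.1 and the
# default keystore type is BCFKS; otherwise prints what is missing and returns 1.
check_java_security() {
  f=$1; ok=0
  grep -qE "^security\.provider\.1=$BC_PROVIDER" "$f" \
    || { echo "$f: BCFIPS is not security.provider.1"; ok=1; }
  grep -qiE '^keystore\.type=bcfks$' "$f" \
    || { echo "$f: keystore.type is not BCFKS (stock pkcs12 default is unreadable under BC FIPS)"; ok=1; }
  return $ok
}

# Constructed demo: the stock non-FIPS defaults beside the FIPS fragment.
demo() {
  d=$(mktemp -d)
  printf 'security.provider.1=SUN\nkeystore.type=pkcs12\n' > "$d/stock.java.security"
  fips_java_security_fragment > "$d/fips.java.security"
  check_java_security "$d/stock.java.security" || echo "stock java.security: needs the FIPS settings"
  check_java_security "$d/fips.java.security" && echo "fips java.security: OK"
  rm -rf "$d"
}
demo

# Real conversion of the bundled truststore; only runs when keytool and the jar are present.
# "changeit" is the well-known default cacerts password; use your own for the destination.
if [ -x "$JAVA_HOME/bin/keytool" ] && [ -f "$BC_FIPS_JAR" ]; then
  convert_to_bcfks "$JAVA_HOME/lib/security/cacerts" JKS changeit cacerts.bcfks changeit
fi
```

After conversion, the JVM still has to be told to use the new store (for example via javax.net.ssl.trustStore, javax.net.ssl.trustStoreType=BCFKS and the matching password in the JVM options), and the java.security file has to contain the lines the fragment prints; the check function is there so you can confirm that before restarting the node.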

Interesting - I will research PEM certificates and FIPS mode. Thanks!

Also where do I put the Bouncy Castle .jar file? There is no ext directory in /usr/share/elasticsearch/jdk/lib. Am I missing something here?

Yeah, it looks like there's not really a way to generate FIPS pem certificates in Ubuntu 20.04 because they aren't on OpenSSL version 3 yet and the module has only been validated for Ubuntu 22.04 anyway.

Elasticsearch FIPS 140-2 specifies that the certutil isn't FIPS compliant either.

If anyone has any steps for setting up the truststore to be FIPS compliant and work with my configuration it would be much appreciated.

Do you need to generate certificates using a FIPS enabled tool chain?
You can generate the certs somewhere else and copy them over.

Actually - I may be wrong about OpenSSL on Ubuntu 20.04 - apparently if it's in FIPS mode it may be validated.

Also the elasticsearch-certutil uses Bouncy Castle OpenSSL - I saw it in the code. However the cryptographic modules that have been verified for Bouncy Castle ran on a VMware OS - not Ubuntu. But then if that matters - how can Bouncy Castle be used on the JVM for FIPS on an Ubuntu operating system? And why can't we use elasticsearch-certutil in Elasticsearch FIPS mode? Because everything I can find says it should be validated if Bouncy Castle modules are validated.
