We have a requirement to run ES in FIPS mode. I understand that xpack.security.fips_mode.enabled is what allows ES to run in a JVM that is configured for FIPS. I also understand that it requires a Platinum license. A couple things I don't understand:
Isn't Platinum licensing only for the cloud offering? We are running it on our own VMs for compliance reasons (FedRAMP High). Is there any licensing appropriate for this when running on prem?
Can the FIPS approved mode run when ES is running as a service on a Windows box?
No, you can have a license to run on-premises as well, If I'm not wrong it has a minimum of 5 nodes, but you need to contact the Elastic sales team about this information.
I think there is no issue as Elasticsearch runs on a JVM, but you need to carefully read this part of the documentation.
The bundled JVM is not configured for FIPS 140-2, you will need to configure an external JDK and use this JVM to run Elasticsearch.
Also, you will probably need to run 7.17.
Elasticsearch 8.7.0 requires Java 17 or later. There is not yet a FIPS-certified security module for Java 17 that you can use when running Elasticsearch 8.7.0 in FIPS 140-2 mode. If you run in FIPS 140-2 mode, you will either need to request an exception from your security organization to upgrade to Elasticsearch 8.7.0, or remain on Elasticsearch 7.x until Java 17 is certified.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.