Issues trying to enable FIPS 140-2 on Centos 8

ryann · March 23, 2022, 9:31pm

Trying to enable FIPS mode in Elasticsearch and running into issues. When using default bundled JVM with FIPS mode enabled configuration passes bootstrap checks. Enabled fips globally in Centos and pointed systemd file to use system java install instead. When trying to start the service back up running into error.

java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA512 SecretKeyFactory not available

Here is my elasticsearch.yml contents:

# ---------------------------------- Security ----------------------------------
#
#                                 *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt

xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch

After turning FIPS mode on also reset all passwords for users.

TimV · March 24, 2022, 2:57am

What exactly do you mean by this?
If you simply set xpack.security.fips_mode.enabled: true in elasticsearch.yml then it is unsurprising that it worked - all that setting does is configure Elasticsearch to avoid non-FIPS approved algorithms. It does not configure the underlying JVM to run in FIPS mode.

I'm not an expert of what Centos does to set java into FIPS mode.
Do you know what underlying crypto provider it uses for that?
I think it uses the Sun PKCS#11 provider with the Operating System's NSS setup acting as a PKCS#11 token.
In theory that might work, but it's not a config we test or support.

Per our support matrix the only supported configuration is the Oracle JVM with the BouncyCastle FIPS provider.

ryann · March 24, 2022, 1:16pm

Correct, I didn't configure the bundled JVM at all just set xpack.security.fips_mode.enabled: true just to confirm I was clearing all the elasticsearch bootstrap checks before configuring the JVM.

You are correct Centos is using Sun PKCS#11 when fips mode is enabled globally. I will try adding the BouncyCastle provider and see if that works.

Thank you!

system · April 21, 2022, 1:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exception while enabling fips in es7.17 Elasticsearch	8	170	April 18, 2024
ElasticSearch FIPS (BouncyCastle) Elasticsearch elastic-stack-security	12	2853	June 2, 2022
Elasticsearch wont start with FIPS Mode Enabled Elasticsearch elastic-stack-security	3	1337	September 6, 2021
FIPS 140-2 Config, On-Prem Elasticsearch elastic-stack-security	2	365	May 8, 2023
Elasticsearch 8.15.1 in FIPS mode Elasticsearch elastic-stack-security , runtime-fields	12	137	October 11, 2024

Issues trying to enable FIPS 140-2 on Centos 8

Related topics