Issues trying to enable FIPS 140-2 on Centos 8

Trying to enable FIPS mode in Elasticsearch and running into issues. When using the default bundled JVM with FIPS mode enabled, the configuration passes the bootstrap checks. I enabled FIPS globally in CentOS and pointed the systemd file to use the system Java install instead. When trying to start the service back up, I run into this error:

java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA512 SecretKeyFactory not available

Here is my elasticsearch.yml contents:

# ---------------------------------- Security ----------------------------------
#
#                                 *** WARNING ***
#
# Elasticsearch security features are not enabled by default.
# These features are free, but require configuration changes to enable them.
# This means that users don’t have to provide credentials and can get full access
# to the cluster. Network connections are also not encrypted.
#
# To protect your data, we strongly encourage you to enable the Elasticsearch security features.
# Refer to the following documentation for instructions.
#
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt

xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch

After turning FIPS mode on, I also reset all passwords for users.

What exactly do you mean by this?
If you simply set xpack.security.fips_mode.enabled: true in elasticsearch.yml then it is unsurprising that it worked - all that setting does is configure Elasticsearch to avoid non-FIPS approved algorithms. It does not configure the underlying JVM to run in FIPS mode.

I'm not an expert on what CentOS does to set Java into FIPS mode.
Do you know what underlying crypto provider it uses for that?
I think it uses the Sun PKCS#11 provider with the Operating System's NSS setup acting as a PKCS#11 token.
In theory that might work, but it's not a config we test or support.

Per our support matrix the only supported configuration is the Oracle JVM with the BouncyCastle FIPS provider.
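A quick way to check the point made above before restarting the service: run this small probe (an added example, not code from the thread or from Elastic) with the exact JVM the systemd unit points at, e.g. `$JAVA_HOME/bin/java FipsProviderCheck.java` on Java 11+. It lists the providers that JVM loads and asks each for the PBKDF2 SecretKeyFactory that the `pbkdf2_stretch` hasher needs; the class name and the algorithm list are assumptions (the thread only shows `PBKDF2WithHmacSHA512` failing).

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;

public class FipsProviderCheck {

    // Key-derivation algorithms to probe. Assumed list: the thread shows only
    // PBKDF2WithHmacSHA512 failing; SHA256 is included for comparison.
    static final String[] ALGORITHMS = {"PBKDF2WithHmacSHA512", "PBKDF2WithHmacSHA256"};

    // Maps each algorithm to the name of the provider that serves it,
    // or to null when no installed provider offers that SecretKeyFactory.
    static Map<String, String> probe() {
        Map<String, String> result = new LinkedHashMap<>();
        for (String alg : ALGORITHMS) {
            try {
                result.put(alg, SecretKeyFactory.getInstance(alg).getProvider().getName());
            } catch (NoSuchAlgorithmException e) {
                result.put(alg, null);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Provider order here is what java.security (or a FIPS policy) configured for this JVM.
        System.out.println("Security providers in preference order:");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %s %s%n", p.getName(), p.getVersionStr());
        }
        boolean ok = true;
        for (Map.Entry<String, String> e : probe().entrySet()) {
            if (e.getValue() == null) {
                ok = false;
                System.out.printf("MISSING %s: no installed provider offers this SecretKeyFactory%n", e.getKey());
            } else {
                System.out.printf("OK      %s served by %s%n", e.getKey(), e.getValue());
            }
        }
        // Non-zero exit lets the probe gate a deployment script or an ExecStartPre= step.
        System.exit(ok ? 0 : 1);
    }
}
```

If the output lists only a SunPKCS11 provider backed by NSS and reports `MISSING PBKDF2WithHmacSHA512`, the startup failure from this thread reproduces outside Elasticsearch, which confirms the gap is in the JVM's provider set rather than in elasticsearch.yml.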

Correct, I didn't configure the bundled JVM at all; I just set xpack.security.fips_mode.enabled: true to confirm I was clearing all the Elasticsearch bootstrap checks before configuring the JVM.

You are correct, CentOS is using Sun PKCS#11 when FIPS mode is enabled globally. I will try adding the BouncyCastle provider and see if that works.

Thank you!
