NodeJS FIPS enablement in Kibana

The provided instructions from FIPS compliance for Kibana | Elastic Docs specify that this is a requirement:

Delegating the implementation of these cryptographic algorithms to a NIST validated cryptographic module (available via Node.js configured with an OpenSSL3 provider).

Doing this appears to be the case. As validated in Add license check for FIPS (#181187) · elastic/kibana@4554b75 · GitHub, --enable-fips must be set within NodeJS, but the provided node does not actually have FIPS support built in, and the library on RHEL is built for a different ossl version and attempting to provide the one provided by RHEL causes errors.

Mar 09 15:56:26 localhost.localdomain kibana[641472]:   #  /usr/share/kibana/bin/../node/glibc-217/bin/node[641472]: std::shared_ptr<node::InitializationResultImpl> node::InitializeOncePerProcessInternal(const >
Mar 09 15:56:26 localhost.localdomain kibana[641472]:   #  Assertion failed: ncrypto::CSPRNG(nullptr, 0)
Mar 09 15:56:26 localhost.localdomain kibana[641472]: ----- Native stack trace -----
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  1: 0xfb4787 node::Assert(node::AssertionInfo const&) [/usr/share/kibana/bin/../node/glibc-217/bin/node]
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  2: 0xf5ad3a  [/usr/share/kibana/bin/../node/glibc-217/bin/node]
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  3: 0xf5c85c node::Start(int, char**) [/usr/share/kibana/bin/../node/glibc-217/bin/node]
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  4: 0x7f28c282a610  [/lib64/libc.so.6]
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  5: 0x7f28c282a6c0 __libc_start_main [/lib64/libc.so.6]
Mar 09 15:56:26 localhost.localdomain kibana[641472]:  6: 0xe98595  [/usr/share/kibana/bin/../node/glibc-217/bin/node]
Mar 09 15:56:26 localhost.localdomain systemd[1]: kibana.service: Main process exited, code=dumped, status=6/ABRT

I would prefer to simply use the system OpenSSL, but to do this, I am required to use the system’s node as Kibana’s builtin node does not link to the system’s OpenSSL. Doing this seems fragile - if there is ever an update by another administrator, it may knock out the symlink and break this. I may be incorrect if the .rpmspec has some shenanigans going on I am not aware of, but I have not had the time to dig into it. Is this truly the recommended COA for self-hosted FIPS Kibana enablement?

Alternative would be to allow a NODE environment variable to be passed to Kibana in /bin/kibana… right now it’s hard coded. Would be as simple as this in whatever the source bin/kibana comes from:

--- /usr/share/kibana/bin/kibana.old	2025-03-09 16:56:02.489460991 -0400
+++ /usr/share/kibana/bin/kibana	2025-03-09 16:56:39.658460130 -0400
@@ -28,7 +28,7 @@
   KBN_NODE_OPTS="$(grep -v ^# < ${CONFIG_DIR}/node.options | xargs)"
 fi
 
-NODE="${DIR}/node/glibc-217/bin/node"
+NODE="${KBN_NODE:-${DIR}/node/glibc-217/bin/node}"
 test_node
 
 # Enable capturing heap snapshots. See https://nodejs.org/api/cli.html#--heapsnapshot-signalsignal
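Review bot: the new NODE="${KBN_NODE:-...}" assignment adds an environment override with no comment or documentation, and it lets any path set in the service environment replace the bundled runtime. Suggest a comment above the line stating that KBN_NODE is optional and must point to a Node.js build that works with this Kibana release. Also confirm that the test_node call on the next line fails with a clear message when the override points to a missing or non-executable file, since its body is not visible in this hunk.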

Then it’s as easy as setting this in /etc/sysconfig/kibana

KBN_NODE=/bin/node

Tested and found this path against 9.2.5; apologies if there have been changes in a newer version.

EDIT:

Looks like I am patching before 9.3.0 only for now… if this seems like a sane change & I am not missing something, someone let me know if this is necessary and I can go make a PR for fun. :upside_down_face:
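
A preflight check along these lines can be run against a candidate Node.js binary before Kibana is pointed at it, catching the startup abort shown in the journal output above. This is an added example, not part of the original post or Kibana's own scripts; the function name check_node_fips and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check whether a Node.js binary can start in FIPS mode.
# Usage: sh check_node_fips.sh /bin/node

# check_node_fips NODE_BIN   (hypothetical helper, not part of Kibana)
# Return codes (chosen for this example):
#   0  node starts with --enable-fips and crypto.getFips() reports 1
#   1  node starts with --enable-fips but FIPS mode is not reported as on
#   2  NODE_BIN is missing or not executable
#   3  node aborts or errors when started with --enable-fips
check_node_fips() {
  node_bin=$1
  if [ ! -x "$node_bin" ]; then
    echo "not executable: $node_bin" >&2
    return 2
  fi

  # Informational only: OpenSSL version in use and whether this build
  # links a shared (system) OpenSSL instead of a bundled copy.
  "$node_bin" -p '"openssl " + process.versions.openssl + ", shared=" + process.config.variables.node_shared_openssl' >&2 || true

  # Start node the way a FIPS deployment would and ask the crypto module
  # whether FIPS mode is active. A build without a usable FIPS provider
  # exits non-zero here instead of printing a value.
  fips=$("$node_bin" --enable-fips -p 'require("crypto").getFips()' 2>/dev/null) || {
    rc=$?
    echo "node exited with status $rc under --enable-fips" >&2
    return 3
  }

  if [ "$fips" = "1" ]; then
    return 0
  fi
  echo "node started, but crypto.getFips() returned '$fips'" >&2
  return 1
}

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
  check_node_fips "$1"
  exit $?
fi
```
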