  1. Puppet Server
  2. SERVER-2523

Explore puppet-server FIPS compliance work


    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Froyo
    • Release Notes:
      Not Needed
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently, the Java-based components of our stack are not FIPS-aware. The nature of the J2EE stack, though, presents a possibly low-effort path to enabling FIPS-certified crypto libraries for our packages with either build-time or run-time toggles. This ticket covers the work necessary to understand the options and quantify the costs/benefits of each.

       

      Explore and estimate the work needed to eliminate MD5 use, switch to using only rhel7-fips system ssl-libs, etc., with the general list of requirements being:

      Symmetric Key Algorithms
      Asymmetric Key Algorithms
      Message Authentication
      Hashing
      Random Number Generators
      Deterministic Random Bit Generators
      Key Management

       

      For each project the Server Team maintains, determine the work needed to:

      Use Bouncy Castle and/or system OpenSSL libs (use SHA-1 instead of MD5), enable use of Oracle JVM/JRE 8

      Don't store private keys, possibly certs, locally (support use of external KMI, key store)

       


              People

              Assignee:
              maggie Maggie Dreyer
              Reporter:
              eric.sorenson Eric Sorenson
              Votes:
              1
              Watchers:
              10
