Talk:Meza/Common Meza Test Environment (CMTE)

subscribe, clean, and resubscribe
sudo subscription-manager remove --all sudo subscription-manager unregister sudo subscription-manager clean sudo rm -rf /var/cache/yum/*

sudo subscription-manager register sudo subscription-manager attach --auto sudo subscription-manager refresh sudo subscription-manager identity

ref: https://access.redhat.com/discussions/4656371

How to ensure that and   can execute code
sudo vi /etc/fstab and (temporarily?) remove “noexec” option from /tmp and /var/tmp file systems, then remount: sudo systemctl daemon-reload sudo mount -o remount /tmp sudo mount -o remount /var/tmp

How to enable/disable FIPS Mode at Boot
Test the status of FIPS mode with: cat /proc/sys/crypto/fips_enabled

1 indicates enabled, while 0 indicates disabled.

For Meza users who need to run their systems in FIPS Mode at boot, here is the command to do so:

or

Note - Meza does not currently deploy properly in this mode. The current known deployment issues are:


 * Elasticsearch service fails to start due to not having an approved cipher for the service user password.

Revansx (talk) 19:57, 8 July 2023 (UTC)

Elasticsearch and FIPS mode
As of 2023-07-09 Meza does not support FIPS mode due to some issue with Elasticsearch.

We are working to solve this problem. Current efforts are based on guidance from https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings

which recommends configuring setting  to true in Elasticsearch.yml

More soon Revansx (talk) 14:54, 9 July 2023 (UTC)

update 2023-07-09
found some good insights here: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505

specifically a security section for elasticsearch.yml as: xpack.security.fips_mode.enabled: true xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch and the user's comments that: and more soon Revansx (talk) 16:51, 9 July 2023 (UTC)
 * 1) -- Security --
 * 2)                                 *** WARNING ***
 * 3) Elasticsearch security features are not enabled by default.
 * 4) These features are free, but require configuration changes to enable them.
 * 5) This means that users don’t have to provide credentials and can get full access
 * 6) to the cluster. Network connections are also not encrypted.
 * 7) To protect your data, we strongly encourage you to enable the Elasticsearch security features.
 * 8) Refer to the following documentation for instructions.
 * 9) https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings
 * 10) Some typical security setting are:
 * 11)   xpack.security.enabled: true
 * 12)   xpack.security.http.ssl.enabled: true
 * 13)   xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
 * 14)   xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt
 * 15) however, recall that meza (when deployed as a monolith) runs all services (like elasticsearch)
 * 16) behind an SSL terminating load balancer/proxy. This means that the elasticsearch service is
 * 17) not accessible to the network as such.
 * 18) However, we do need elastic search to work in FIPS mode so we need the folowing security settings per
 * 19) https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings
 * 20) but note that the settings below only tell Elasticsearch to avoid non-FIPS approved algorithms.
 * 21) It does not configure the underlying JVM to run in FIPS mode. That must be addressed in the JVM config separately.
 * 22) Ref1: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505
 * 23) Ref2: https://www.elastic.co/support/matrix#matrix_jvm
 * 24) Require only FIPS aproved algothithms
 * 1) However, we do need elastic search to work in FIPS mode so we need the folowing security settings per
 * 2) https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings
 * 3) but note that the settings below only tell Elasticsearch to avoid non-FIPS approved algorithms.
 * 4) It does not configure the underlying JVM to run in FIPS mode. That must be addressed in the JVM config separately.
 * 5) Ref1: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505
 * 6) Ref2: https://www.elastic.co/support/matrix#matrix_jvm
 * 7) Require only FIPS aproved algothithms
 * 1) Require only FIPS aproved algothithms
 * Simply setting  in   only tells Elasticsearch to avoid non-FIPS approved algorithms. It does not configure the underlying JVM to run in FIPS mode.
 * The only supported JVM is Oracle's JVM with the BouncyCastle FIPS provider per: https://www.elastic.co/support/matrix#matrix_jvm

Workaround to install Elasticsearch in FIPS mode
Found that  fails with error:



It did download the rpm before it failed so I was able to find the elasticsearch rpm file with:

which found:  in

and so then I was able to install it using rpm directly using:


 * tells rpm to install the specified package(s). If the package is not already installed, it will be installed on the system.
 * enables verbose output, providing more detailed information about the installation process.
 * displays hash marks (#) to indicate the progress of the installation.
 * tells RPM not to verify the package's header digest. The header digest is a checksum of the package metadata, and by disabling this check, RPM skips the verification process for the header.
 * instructs RPM not to verify the file digest of each file within the package. The file digest is a checksum of the individual files contained in the package, and by disabling this check, RPM skips the verification process for each file.

/Rich Revansx (talk) 18:47, 9 July 2023 (UTC)