Talk:Meza/Common Meza Test Environment (CMTE)

How to enable FIPS Mode at Boot
For Meza users who need to run their systems in FIPS Mode at boot, here is the command to do so:

Note - Meza does not currently deploy properly in this mode. The current known deployment issues are:


 * Elasticsearch service fails to start due to not having an approved cipher for the service user password.

Revansx (talk) 19:57, 8 July 2023 (UTC)

Elasticsearch and FIPS mode
As of 2023-07-09 Meza does not support FIPS mode due to some issue with Elasticsearch.

We are working to solve this problem. Current efforts are based on guidance from https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings

which recommends configuring setting  to true in Elasticsearch.yml

More soon Revansx (talk) 14:54, 9 July 2023 (UTC)

update 2023-07-09
found some good insights here: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505

specifically a security section for elasticsearch.yml as:

    xpack.security.enabled: true
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
    xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt
    # -- Security --
    #                                 *** WARNING ***
    # Elasticsearch security features are not enabled by default.
    # These features are free, but require configuration changes to enable them.
    # This means that users don’t have to provide credentials and can get full access
    # to the cluster. Network connections are also not encrypted.
    # To protect your data, we strongly encourage you to enable the Elasticsearch security features.
    # Refer to the following documentation for instructions.
    # https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html
    xpack.security.fips_mode.enabled: true
    xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch

and the user's comments that:

 * Simply setting  in   only tells Elasticsearch to avoid non-FIPS approved algorithms. It does not configure the underlying JVM to run in FIPS mode.
 * The only supported JVM is Oracle's JVM with the BouncyCastle FIPS provider per: https://www.elastic.co/support/matrix#matrix_jvm

and more soon Revansx (talk) 16:51, 9 July 2023 (UTC)
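
A pre-flight check for the settings discussed in this thread, added here as an example (it is not part of the talk page posts and not Meza's own code). It assumes flat dotted keys in elasticsearch.yml, assumes the 7.x default of bcrypt when no hashing algorithm is set, and reads the Linux kernel flag at /proc/sys/crypto/fips_enabled; the function names are hypothetical. It cannot tell whether the JVM itself has a FIPS provider configured.

```python
import re
from pathlib import Path

# Constructed sample: the settings quoted in this thread, as flat dotted keys.
SAMPLE_YML = """\
# -- Security --
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt
xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch
"""

def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines; comments and nested YAML are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing inline comments
        m = re.match(r"^([A-Za-z0-9_.]+):\s*(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def check_fips_settings(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s, findings = parse_flat_yml(text), []
    if s.get("xpack.security.fips_mode.enabled", "false").lower() != "true":
        findings.append("xpack.security.fips_mode.enabled is not true")
    # Assumption: bcrypt is the default when the setting is absent (7.x).
    algo = s.get("xpack.security.authc.password_hashing.algorithm", "bcrypt")
    if not algo.lower().startswith("pbkdf2"):
        findings.append(f"password hashing algorithm is {algo}, not a PBKDF2 variant")
    for key, value in s.items():
        # JKS and PKCS#12 keystores cannot be used by a FIPS-configured JVM.
        if key.endswith((".keystore.path", ".truststore.path")) and \
                value.lower().endswith((".jks", ".p12", ".pfx")):
            findings.append(f"{key} uses a JKS/PKCS#12 store: {value}")
    return findings

def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True/False from the kernel flag, or None if the file does not exist."""
    p = Path(path)
    return p.read_text().strip() == "1" if p.is_file() else None

if __name__ == "__main__":
    print("kernel FIPS flag:", kernel_fips_enabled())
    for finding in check_fips_settings(SAMPLE_YML) or ["no findings"]:
        print(finding)
```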