Talk:Meza/Common Meza Test Environment (CMTE)

How to enable FIPS Mode at Boot
For Meza users who need to run their systems in FIPS Mode at boot, here is the command to do so:

Note - Meza does not currently deploy properly in this mode. The current known deployment issues are:
 * Elasticsearch service fails to start due to not having an approved cipher for the service user password.

Revansx (talk) 19:57, 8 July 2023 (UTC)

Elasticsearch and FIPS mode
As of 2023-07-09 Meza does not support FIPS mode due to some issue with Elasticsearch.

We are working to solve this problem. Current efforts are based on guidance from https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings

which recommends configuring setting  to true in Elasticsearch.yml

More soon Revansx (talk) 14:54, 9 July 2023 (UTC)

update 2023-07-09
found some good insights here: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505

specifically a security section for elasticsearch.yml as:

  xpack.security.fips_mode.enabled: true
  xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch

and the user's comments that:

  -- Security --
                                  *** WARNING ***
  Elasticsearch security features are not enabled by default.
  These features are free, but require configuration changes to enable them.
  This means that users don’t have to provide credentials and can get full access
  to the cluster. Network connections are also not encrypted.
  To protect your data, we strongly encourage you to enable the Elasticsearch security features.
  Refer to the following documentation for instructions.
  https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings
  Some typical security settings are:
    xpack.security.enabled: true
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.key: /etc/elasticsearch/ssl/http-key.key
    xpack.security.http.ssl.certificate: /etc/elasticsearch/ssl/http-cert.crt
  however, recall that meza (when deployed as a monolith) runs all services (like elasticsearch)
  behind an SSL terminating load balancer/proxy. This means that the elasticsearch service is
  not accessible to the network as such.
  However, we do need elastic search to work in FIPS mode so we need the following security settings per
  https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#password-hashing-settings
  but note that the settings below only tell Elasticsearch to avoid non-FIPS approved algorithms.
  It does not configure the underlying JVM to run in FIPS mode. That must be addressed in the JVM config separately.
  Ref1: https://discuss.elastic.co/t/issues-trying-to-enable-fips-140-2-on-centos-8/300505
  Ref2: https://www.elastic.co/support/matrix#matrix_jvm
  Require only FIPS approved algorithms

 * Simply setting  in   only tells Elasticsearch to avoid non-FIPS approved algorithms. It does not configure the underlying JVM to run in FIPS mode.
 * The only supported JVM is Oracle's JVM with the BouncyCastle FIPS provider per: https://www.elastic.co/support/matrix#matrix_jvm

and more soon Revansx (talk) 16:51, 9 July 2023 (UTC)
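The following is an added example and not Meza's or Elastic's code. It audits an elasticsearch.yml for the two FIPS-related settings named in the post above and shows the default (bcrypt, no FIPS flag) configuration beside the corrected one. The post names pbkdf2_stretch; the check accepts any pbkdf2 variant, on the assumption that the PBKDF2 family is what Elastic's FIPS guidance allows and that bcrypt, the default, is not. Like the settings themselves, the check says nothing about whether the JVM runs in FIPS mode. The flat "key: value" layout it parses is the usual form of elasticsearch.yml; nested YAML is not handled.

```shell
#!/bin/sh
# Added example, not Meza's or Elastic's code: audit an elasticsearch.yml for the two
# FIPS-related settings discussed in the post above. Assumes the usual flat
# "key: value" layout of elasticsearch.yml; nested YAML is not handled.

# setting_value FILE KEY
# Prints the value of KEY from FILE (first uncommented match, trailing "# ..." stripped),
# or nothing if the key is absent or present only as a commented-out line.
setting_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')          # escape dots for the sed regex
  sed -n "s/^[[:space:]]*${esc}:[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
    | head -n 1
}

# check_fips_settings FILE
# Prints one ok/FAIL line per setting; returns 0 only if both are acceptable.
# As the post says, these settings only stop Elasticsearch from using non-FIPS
# algorithms; they do not put the JVM itself into FIPS mode.
check_fips_settings() {
  cfg=$1
  rc=0

  v=$(setting_value "$cfg" xpack.security.fips_mode.enabled)
  if [ "$v" = "true" ]; then
    echo "ok:   xpack.security.fips_mode.enabled: true"
  else
    echo "FAIL: xpack.security.fips_mode.enabled is '${v:-unset}', expected true"
    rc=1
  fi

  v=$(setting_value "$cfg" xpack.security.authc.password_hashing.algorithm)
  case "$v" in
    pbkdf2*)   # assumption: any PBKDF2 variant is acceptable; bcrypt (the default) is not
      echo "ok:   xpack.security.authc.password_hashing.algorithm: $v" ;;
    *)
      echo "FAIL: xpack.security.authc.password_hashing.algorithm is '${v:-unset (defaults to bcrypt)}', expected a pbkdf2 variant such as pbkdf2_stretch"
      rc=1 ;;
  esac
  return $rc
}

# Constructed sample configs (not real Meza files): the weak default and the corrected setup.
demo_dir=$(mktemp -d)
cat > "$demo_dir/default.yml" <<'EOF'
cluster.name: meza
xpack.security.enabled: true
xpack.security.authc.password_hashing.algorithm: bcrypt
EOF
cat > "$demo_dir/fips.yml" <<'EOF'
cluster.name: meza
xpack.security.enabled: true
xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch
EOF
check_fips_settings "$demo_dir/default.yml" || echo "$demo_dir/default.yml is not FIPS-ready"
check_fips_settings "$demo_dir/fips.yml"    && echo "$demo_dir/fips.yml is FIPS-ready"
```

Run it as `check_fips_settings /etc/elasticsearch/elasticsearch.yml` on the Meza host; a non-zero exit means at least one of the two settings is missing or set to a non-FIPS value. Commented-out lines are deliberately ignored, so a `# xpack.security.fips_mode.enabled: true` left in the file does not count as enabled.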

Workaround to install Elasticsearch in FIPS mode
Found that  fails with error:
It did download the rpm before it failed so I was able to find the elasticsearch rpm file with:

which found:  in

and so then I was able to install it using rpm directly using:
 * tells rpm to install the specified package(s). If the package is not already installed, it will be installed on the system.
 * enables verbose output, providing more detailed information about the installation process.
 * displays hash marks (#) to indicate the progress of the installation.
 * tells RPM not to verify the package's header digest. The header digest is a checksum of the package metadata, and by disabling this check, RPM skips the verification process for the header.
 * instructs RPM not to verify the file digest of each file within the package. The file digest is a checksum of the individual files contained in the package, and by disabling this check, RPM skips the verification process for each file.

/Rich Revansx (talk) 18:47, 9 July 2023 (UTC)
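Because the workaround above installs the package with RPM's own header and file digest checks disabled, the integrity check RPM would normally perform is lost. The following is an added example, not Meza's or Elastic's code, that verifies the downloaded .rpm against a SHA-512 checksum obtained separately before the install step is run. It assumes the checksum file is in sha512sum's "<hex>  <filename>" format (Elastic publishes such .sha512 files next to its downloads); the demo file at the end is constructed and is not a real package.

```shell
#!/bin/sh
# Added example, not Meza's or Elastic's code. The rpm workaround above installs the
# package with RPM's header and file digest checks disabled, so verify the downloaded
# .rpm against a checksum obtained separately before installing it.
# Assumption: the checksum file is in sha512sum's "<hex>  <filename>" format.

# verify_rpm_sha512 RPM_PATH SUMFILE
# Returns 0 on match, 1 on mismatch, 2 if SUMFILE is malformed or names another file.
verify_rpm_sha512() {
  rpm_path=$1
  sumfile=$2
  expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
  listed=$(awk 'NR == 1 { sub(/^\*/, "", $2); print $2 }' "$sumfile")

  if [ ${#expected} -ne 128 ]; then            # SHA-512 is 64 bytes = 128 hex chars
    echo "malformed checksum file: $sumfile" >&2
    return 2
  fi
  if [ -n "$listed" ] && [ "$listed" != "$(basename "$rpm_path")" ]; then
    echo "checksum file is for '$listed', not '$(basename "$rpm_path")'" >&2
    return 2
  fi

  actual=$(sha512sum "$rpm_path" | awk '{ print $1 }')
  if [ "$expected" = "$actual" ]; then
    echo "sha512 OK: $rpm_path"
    return 0
  fi
  echo "sha512 MISMATCH for $rpm_path" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed demo (not a real Elasticsearch package): a good file, then a tampered copy.
demo=$(mktemp -d)
printf 'not a real rpm, constructed for the demo\n' > "$demo/elasticsearch-demo.rpm"
( cd "$demo" && sha512sum elasticsearch-demo.rpm > elasticsearch-demo.rpm.sha512 )
verify_rpm_sha512 "$demo/elasticsearch-demo.rpm" "$demo/elasticsearch-demo.rpm.sha512"
printf 'one extra byte\n' >> "$demo/elasticsearch-demo.rpm"
verify_rpm_sha512 "$demo/elasticsearch-demo.rpm" "$demo/elasticsearch-demo.rpm.sha512" \
  || echo "refusing to install a package that fails verification"
```

Run the check on the rpm file that the failed install left behind, and only proceed to the rpm install from the post when it exits 0. The filename check guards against pointing the script at the checksum file for a different package version.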