Mark created ZOOKEEPER-4832:
-------------------------------
Summary: Better guidance on how to configure zookeeper for FIPS
Key: ZOOKEEPER-4832
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4832
Project: ZooKeeper
Issue Type: Improvement
Components: documentation
Reporter: Mark
Hi there.
We're attempting to work out how to produce a zookeeper package and image which
is FIPS compliant.
We've found multiple references in the code base to `zookeeper.fips-mode`,
however on closer inspection this is very misleading, as it is not enabling any
FIPS specific settings, neither does it enable zookeeper for FIPS mode.
Instead, it just looks to disable 'ZKTrustManager'.
It would be great to get some guidance here, and possibly an article / docs
update with configuration details.
For example, when working with Java applications, there are usually multiple
layers to building a FIPS image, including:
* Configuring OpenSSL for FIPS mode
* Configuring a FIPS compliant JDK/JRE on the host, such as bcfips (FIPS
BouncyCastle)
* Creating a suitable java.security file to restrict usage to non-approved
FIPS providers and crypto algorithms
* Updating the CLASSPATH to reference the bcfips jars
* Refactoring the code base - removing any references to non-FIPS crypto
usage, such as non-FIPS bouncycastle, and potentially any other crypto libs
* Remove any usage of unapproved crypto algorithms (i.e. des, md5, etc.)
Some questions:
1. Do you have any more info you can share on how to properly configure
zookeeper for FIPS?
2. Zookeeper seems to reference bouncycastle in some tests - can these be
ignored safely? Any other usage of non-FIPS bouncycastle elsewhere?
3. Are there any other crypto libraries used which may be a concern?
4. Are there any dependencies used which themselves use non-FIPS crypto?
5. Are the references to non-approved crypto algorithms in critical path?
*Expanding on question 2 above*, these are the only references I could seem
to find for bouncycastle:
```
zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestContext.java
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
```
*Expanding on question 5:*
md5 usage:
```
zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/DigestLoginModule.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumServerCallbackHandler.java
zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
```
des usage:
```
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
```
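The md5/des listings above can be reproduced and split by Maven source set, which bears on questions 2 and 5. The script below is an added example, not part of the ticket or of ZooKeeper; the sample files, their paths and the function names are hypothetical, and the string-literal match is a heuristic that finds candidates only.

```python
import re
from pathlib import Path

# Java string literals on a single line, allowing escaped characters.
STRING_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
# Heuristic: MD5 anywhere in a literal; DES only as its own token,
# so "DESede", "DESCRIPTION" and "NODES" are not reported.
UNAPPROVED = re.compile(r'MD5|(?<![A-Z])DES(?![A-Za-z])')

def source_set(path):
    """Classify a path as 'main', 'test' or 'other' by its src/<set> segment."""
    parts = Path(path).parts
    for i in range(len(parts) - 1):
        if parts[i] == "src" and parts[i + 1] in ("main", "test"):
            return parts[i + 1]
    return "other"

def triage(files):
    """Map source set -> sorted [(path, line number, algorithm)] hits."""
    hits = {"main": [], "test": [], "other": []}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for literal in STRING_LITERAL.findall(line):
                for algo in UNAPPROVED.findall(literal):
                    hits[source_set(path)].append((path, lineno, algo))
    return {name: sorted(found) for name, found in hits.items()}

def load_tree(root):
    """Read every .java file under root into {path: text} for triage()."""
    return {str(p): p.read_text(errors="replace")
            for p in Path(root).rglob("*.java")}

# Constructed sample input (hypothetical files, not ZooKeeper source).
SAMPLE = {
    "app/src/main/java/example/DigestAuth.java":
        'String mech = "DIGEST-MD5";\nString label = "NODES";\n',
    "app/src/test/java/example/KeyHelper.java":
        'Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n'
        'Cipher t = Cipher.getInstance("DESede");\n',
}

if __name__ == "__main__":
    for sset, found in triage(SAMPLE).items():
        for path, lineno, algo in found:
            print(f"{sset:5} {algo:3} {path}:{lineno}")
```

A hit under `src/main` is only a candidate for the critical path; whether the code is reachable in a given deployment still has to be checked by hand. `triage(load_tree("<checkout>"))` runs the same scan over a real source tree.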