[ https://issues.apache.org/jira/browse/ZOOKEEPER-4832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17877142#comment-17877142 ]

Andor Molnar commented on ZOOKEEPER-4832:
-----------------------------------------

Hi [~electricthunder] ,

Thanks for opening this Jira for discussion. Let me try to answer your 
questions here:

I agree that currently *zookeeper.fips-mode* setting only toggles the usage of 
{_}ZKTrustManager{_}, because that was the first biggest obstacle against 
running ZK in FIPS-mode, so I had to quickly disable it. We could certainly 
expand the coverage of that switch for other meaningful changes.

It's important to note that packaging of ZooKeeper or releasing ZooKeeper 
packages is not in the scope of the work of Apache ZooKeeper Community. As an 
ASF project team, we only release the source code of the product as it is with 
the documentation and some examples. We do not and will never provide guidance 
on how to configure your system for running in FIPS-mode. As a consequence, let 
me skip your questions about configurations outside of ZooKeeper source code.
{quote} * Refactoring the code base - removing any references to non-FIPS 
crypto usage, such as non-FIPS bouncycastle, and potentially any other crypto 
libs
 * Remove any usage of unapproved crypto algorithms (i.e des, md5 etc){quote}
Great idea. I highly encourage you to provide pull requests covering these 
changes for the community to review if you have the bandwidth.
{quote}{*}Expanding on question 2 above{*}, this is the only references I could 
seem to find for bouncycastle:
{quote}
This should not be a blocker for FIPS, right?

Test classes are not built into the runtime.
{quote}*Expanding on question 5:*
{quote}
Could you please provide a patch to optionally remove the usage of MD5?

> Better guidance on how to configure zookeeper for FIPS
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-4832
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4832
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: documentation
>            Reporter: Mark
>            Priority: Minor
>
> Hi there.
> We're attempting to work out how to produce a zookeeper package and image 
> which is FIPS compliant.
> We've found multiple references in the code base to `zookeeper.fips-mode`, 
> however on closer inspection this is very misleading, as it is not enabling 
> any FIPS specific settings, neither does it enable zookeeper for FIPS mode. 
> Instead, it just looks to disable 'ZKTrustManager'.
> It would be great to get some guidance here, and possibly an article / docs 
> update with configuration details.
> For example, when working with Java applications, there are usually multiple 
> layers to building a FIPS image, including:
>  * Configuring OpenSSL for FIPS mode
>  * Configuring a FIPS compliant JDK/JRE on the host, such as bcfips (FIPS 
> BouncyCastle)
>  * Creating a suitable java.security file to restrict usage to non-approved 
> FIPS providers and crypto algorithms
>  * Updating the CLASSPATH to reference the bcfips jars
>  * Refactoring the code base - removing any references to non-FIPS crypto 
> usage, such as non-FIPS bouncycastle, and potentially any other crypto libs
>  * Remove any usage of unapproved crypto algorithms (i.e des, md5 etc)
> Some questions:
>  # Do you have any more info you can share on how to properly configure 
> zookeeper for FIPS?
>  # Zookeeper seems to reference bouncycastle in some tests - can these be 
> ignored safely? Any other usage of non-FIPS bouncycastle elsewhere?
>  # Are there any other crypto libraries used which may be a concern?
>  # Are there any dependencies used which themselves use non-FIPS crypto?
>  # Are the references to non-approved crypto algorithms in critical path?
>  
> {*}Expanding on question 2 above{*}, this is the only references I could seem 
> to find for bouncycastle:
> ```
> zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestContext.java
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
> ```
> *Expanding on question 5:*
> md5 usage:
> ```
> zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/DigestLoginModule.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumServerCallbackHandler.java
> zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
> ```
> des usage:
> ```
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
> ```
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
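
The thread separates references under `src/main` (shipped in the runtime) from references under `src/test` (not built into the runtime). The following added example, which is not part of the original message or of ZooKeeper, shows one way to make that split mechanically when auditing a Java tree for MD5/DES names. The `SAMPLE` files are constructed, and matching only whole tokens inside string literals is an assumed heuristic.

```python
import re
from pathlib import Path

UNAPPROVED = {"MD5", "DES"}  # the algorithm names called out in the issue
STRING_LITERAL = re.compile(r'"([^"\\\n]*)"')
TOKEN_SPLIT = re.compile(r"[^A-Za-z0-9]+")

# Constructed sample sources (hypothetical files, not ZooKeeper code).
SAMPLE = {
    "mod/src/main/java/demo/Auth.java":
        'class Auth {\n  String mech = "DIGEST-MD5";\n}\n',
    "mod/src/main/java/demo/Hash.java":
        'class Hash {\n  Object d = MessageDigest.getInstance("SHA-256"); // not MD5\n}\n',
    "mod/src/test/java/demo/KeyHelper.java":
        'class KeyHelper {\n  Object c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n}\n',
}

def classify(path):
    """Return 'runtime' for src/main, 'test' for src/test, otherwise 'other'."""
    parts = Path(path).parts
    for parent, child in zip(parts, parts[1:]):
        if parent == "src" and child in ("main", "test"):
            return "runtime" if child == "main" else "test"
    return "other"

def scan_source(path, text):
    """Return (scope, path, line_no, algorithm) for each flagged literal token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for literal in STRING_LITERAL.findall(line):
            # Whole-token match: "DIGEST-MD5" hits, "DESede" and comments do not.
            for token in TOKEN_SPLIT.split(literal.upper()):
                if token in UNAPPROVED:
                    hits.append((classify(path), path, line_no, token))
    return hits

def scan_tree(root):
    """Scan every .java file below root on disk."""
    hits = []
    for java_file in sorted(Path(root).rglob("*.java")):
        text = java_file.read_text(encoding="utf-8", errors="replace")
        hits.extend(scan_source(java_file.relative_to(root).as_posix(), text))
    return hits

def scan_sample():
    """Scan the embedded constructed sample instead of a checkout."""
    return [hit for path in sorted(SAMPLE) for hit in scan_source(path, SAMPLE[path])]

if __name__ == "__main__":
    for scope, path, line_no, algorithm in scan_sample():
        print(f"{scope:8} {algorithm:4} {path}:{line_no}")
```

Hits with scope `runtime` are the ones that need a code change or a configuration switch; `test` hits only matter if the test suite must also run on the restricted JVM.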
