[
https://issues.apache.org/jira/browse/ZOOKEEPER-4832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900740#comment-17900740
]
Andor Molnar commented on ZOOKEEPER-4832:
-----------------------------------------
Hi [~electricthunder]
I'm not sure if you're still monitoring this effort, but I recently created a
pull request to avoid usage of DIGEST-MD5 sasl mech in FIPS mode: ZOOKEEPER-4889
It might be interesting for you. Anything you think outstanding for Fips
support would be useful.
> Better guidance on how to configure zookeeper for FIPS
> ------------------------------------------------------
>
> Key: ZOOKEEPER-4832
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4832
> Project: ZooKeeper
> Issue Type: Improvement
> Components: documentation
> Reporter: Mark
> Assignee: Andor Molnar
> Priority: Minor
>
> Hi there.
> We're attempting to work out how to produce a zookeeper package and image
> which is FIPS compliant.
> We've found multiple references in the code base to `zookeeper.fips-mode`,
> however on closer inspection this is very misleading, as it is not enabling
> any FIPS specific settings, neither does it enable zookeeper for FIPS mode.
> Instead, it just looks to disable 'ZKTrustManager'.
> It would be great to get some guidance here, and possibly an article / docs
> update with configuration details.
> For example, when working with Java applications, there are usually multiple
> layers to building a FIPS image, including:
> * Configuring OpenSSL for FIPS mode
> * Configuring a FIPS compliant JDK/JRE on the host, such as bcfips (FIPS
> BouncyCastle)
> * Creating a suitable java.security file to restrict usage to non-approved
> FIPS providers and crypto algorithms
> * Updating the CLASSPATH to reference the bcfips jars
> * Refactoring the code base - removing any references to non-FIPS crypto
> usage, such as non-FIPS bouncycastle, and potentially any other crypto libs
> * Remove any usage of unapproved crypto algorithms (i.e des, md5 etc)
> Some questions:
> # Do you have any more info you can share on how to properly configure
> zookeeper for FIPS?
> # Zookeeper seems to reference bouncycastle in some tests - can these be
> ignored safely? Any other usage of non-FIPS bouncycastle elsewhere?
> # Are there any other crypto libraries used which may be a concern?
> # Are there any dependencies used which themselves use non-FIPS crypto?
> # Are the references to non-approved crypto algorithms in critical path?
>
> {*}Expanding on question 2 above{*}, this is the only references i could seem
> to find for bouncycastle:
> ```
> zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestContext.java
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
> ```
> *Expanding on question 5:*
> md5 usage:
> ```zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/DigestLoginModule.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
> zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumServerCallbackHandler.java
> zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
> ```
> des usage:
> ```
> zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
> ```
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
