Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-09 Thread Martin Kosek
Ok, good! BTW, I opened the IPA and FIPS bug to the public, so that everyone
can track the progress:

https://bugzilla.redhat.com/show_bug.cgi?id=1125174

Martin

On 08/08/2016 04:24 PM, Michael Sean Conley wrote:
> Yep, did so right away. And yes, this is for the future state of IPA.
> 
> 
> *Michael Sean Conley*
> Hardware/Infrastructure
> Intelligence, Information and Services
> *Raytheon Company*
> 972-643-9887 (office)
> 
> michael.sean.con...@raytheon.com
> 
> 
> From: Martin Kosek <mko...@redhat.com>
> To: Michael Sean Conley <michael.sean.con...@raytheon.com>, Rob Crittenden
> <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com
> Date: 08/05/2016 06:33 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
> 
> ---
> 
> 
> 
> Are you now asking about when upstream version is FIPS compliant or some
> downstream distribution? If you are asking about RHEL, as indicated by
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
> the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is
> too late to add it there.
> 
> However, as Rob mentioned, it would be really great if you file a support case
> (if we are talking about RHEL) and get it linked to that bug. Due to the
> interest, it is already high in the RHEL-7.4 considerations, but adding +1
> won't hurt and you may also receive updates on development status.
> 
> Martin
> 
> On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
>> Is there any indication of a timeframe for it to become FIPS compliant?  If we
>> are talking weeks, rather than years...
>>
>> *Michael Sean Conley*
>>
>>
>>
>> From: Rob Crittenden <rcrit...@redhat.com>
>> To: Michael Sean Conley <michael.sean.con...@raytheon.com>,
>> freeipa-users@redhat.com
>> Date: 08/04/2016 11:37 AM
>> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
>>
>> ---
>>
>>
>>
>> Michael Sean Conley wrote:
>>> Does ANYONE have any experience getting IPA to work with FIPS?
>>>
>>> We're trying desperately to get this going, as we have some requirements
>>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>>
>> No, it doesn't work in FIPS mode yet. If you open a support case with
>> Red Hat your case can be added to
>> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
>>
>> While most, if not all, of the individual components can run in FIPS
>> mode there are a lot of moving parts to coordinate to ensure they comply
>> with the FIPS Security Policy and to handle some corner cases in the
>> management framework.
>>
>> rob
>>
>>
>>
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-08 Thread Michael Sean Conley

Yep, did so right away. And yes, this is for the future state of IPA.


Michael Sean Conley
Hardware/Infrastructure
Intelligence, Information and Services
Raytheon Company
972-643-9887 (office)

michael.sean.con...@raytheon.com



From:   Martin Kosek <mko...@redhat.com>
To: Michael Sean Conley <michael.sean.con...@raytheon.com>, Rob
Crittenden <rcrit...@redhat.com>
Cc: freeipa-users@redhat.com
Date:   08/05/2016 06:33 AM
Subject:    Re: [Freeipa-users] IPA and FIPS 140-2



Are you now asking about when upstream version is FIPS compliant or some
downstream distribution? If you are asking about RHEL, as indicated by
https://bugzilla.redhat.com/show_bug.cgi?id=1125174
the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is
too late to add it there.

However, as Rob mentioned, it would be really great if you file a support case
(if we are talking about RHEL) and get it linked to that bug. Due to the
interest, it is already high in the RHEL-7.4 considerations, but adding +1
won't hurt and you may also receive updates on development status.

Martin

On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
> Is there any indication of a timeframe for it to become FIPS compliant?  If we
> are talking weeks, rather than years...
>
> *Michael Sean Conley*
>
>
>
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Michael Sean Conley <michael.sean.con...@raytheon.com>,
> freeipa-users@redhat.com
> Date: 08/04/2016 11:37 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
>
>
> ---
>
>
>
> Michael Sean Conley wrote:
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some requirements
>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>
> No, it doesn't work in FIPS mode yet. If you open a support case with
> Red Hat your case can be added to
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
>
> While most, if not all, of the individual components can run in FIPS
> mode there are a lot of moving parts to coordinate to ensure they comply
> with the FIPS Security Policy and to handle some corner cases in the
> management framework.
>
> rob
>
>
>


Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-05 Thread Martin Kosek
Are you now asking about when upstream version is FIPS compliant or some
downstream distribution? If you are asking about RHEL, as indicated by
https://bugzilla.redhat.com/show_bug.cgi?id=1125174
the bug is still in a NEW state. Given the state of RHEL-7.3 life cycle, it is
too late to add it there.

However, as Rob mentioned, it would be really great if you file a support case
(if we are talking about RHEL) and get it linked to that bug. Due to the
interest, it is already high in the RHEL-7.4 considerations, but adding +1
won't hurt and you may also receive updates on development status.

Martin

On 08/04/2016 06:40 PM, Michael Sean Conley wrote:
> Is there any indication of a timeframe for it to become FIPS compliant?  If we
> are talking weeks, rather than years...
> 
> *Michael Sean Conley*
> 
> 
> 
> From: Rob Crittenden <rcrit...@redhat.com>
> To: Michael Sean Conley <michael.sean.con...@raytheon.com>,
> freeipa-users@redhat.com
> Date: 08/04/2016 11:37 AM
> Subject: Re: [Freeipa-users] IPA and FIPS 140-2
> 
> ---
> 
> 
> 
> Michael Sean Conley wrote:
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some requirements
>> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
> 
> No, it doesn't work in FIPS mode yet. If you open a support case with
> Red Hat your case can be added to
> https://bugzilla.redhat.com/show_bug.cgi?id=1125174
> 
> While most, if not all, of the individual components can run in FIPS
> mode there are a lot of moving parts to coordinate to ensure they comply
> with the FIPS Security Policy and to handle some corner cases in the
> management framework.
> 
> rob
> 
> 
> 



Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Rob Crittenden

Anon Lister wrote:
> I'd also like to throw in that the requirements you are facing are
> likely requiring FIPS Certified, not just compliant, as I'm somewhat
> familiar with them. (800-53 or 800-171)
>
> Essentially it will have to fall back on the FIPS compliant openssl
> implementation, however I believe there are other crypto routines used
> in free IPA that are used to protect the confidentiality of information?
> Can we get a response from devs on that?

IPA mostly uses NSS for its crypto.

rob

> The crypto only has to be FIPS if protecting confidentiality is its use.
> Crypto protecting integrity only does not need to be FIPS.
>
> On Aug 4, 2016 9:27 AM, "Michael Sean Conley" wrote:
>
>> Does ANYONE have any experience getting IPA to work with FIPS?
>>
>> We're trying desperately to get this going, as we have some
>> requirements that the Identity Management Tool we choose must be
>> FIPS 140-2 compliant.
>>
>> GGHHH
>>
>> *Michael Sean Conley*




Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Michael Sean Conley

Is there any indication of a timeframe for it to become FIPS compliant?  If
we are talking weeks, rather than years...

Michael Sean Conley




From:   Rob Crittenden <rcrit...@redhat.com>
To: Michael Sean Conley <michael.sean.con...@raytheon.com>,
freeipa-users@redhat.com
Date:   08/04/2016 11:37 AM
Subject:    Re: [Freeipa-users] IPA and FIPS 140-2



Michael Sean Conley wrote:
> Does ANYONE have any experience getting IPA to work with FIPS?
>
> We're trying desperately to get this going, as we have some requirements
> that the Identity Management Tool we choose must be FIPS 140-2 compliant.

No, it doesn't work in FIPS mode yet. If you open a support case with
Red Hat your case can be added to
https://bugzilla.redhat.com/show_bug.cgi?id=1125174

While most, if not all, of the individual components can run in FIPS
mode there are a lot of moving parts to coordinate to ensure they comply
with the FIPS Security Policy and to handle some corner cases in the
management framework.

rob

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Anon Lister
Sorry, certified openssl implementation*

On Aug 4, 2016 9:38 AM, "Anon Lister" wrote:

> I'd also like to throw in that the requirements you are facing are likely
> requiring FIPS Certified, not just compliant, as I'm somewhat familiar with
> them. (800-53 or 800-171)
>
> Essentially it will have to fall back on the FIPS compliant openssl
> implementation, however I believe there are other crypto routines used in
> free IPA that are used to protect the confidentiality of information? Can
> we get a response from devs on that?
>
> The crypto only has to be FIPS if protecting confidentiality is its use.
> Crypto protecting integrity only does not need to be FIPS.
>
> On Aug 4, 2016 9:27 AM, "Michael Sean Conley" <
> michael.sean.con...@raytheon.com> wrote:
>
> Does ANYONE have any experience getting IPA to work with FIPS?
>
> We're trying desperately to get this going, as we have some requirements
> that the Identity Management Tool we choose must be FIPS 140-2 compliant.
>
> GGHHH
>
> *Michael Sean Conley*
>

Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Anon Lister
I'd also like to throw in that the requirements you are facing are likely
requiring FIPS Certified, not just compliant, as I'm somewhat familiar with
them. (800-53 or 800-171)

Essentially it will have to fall back on the FIPS compliant openssl
implementation, however I believe there are other crypto routines used in
free IPA that are used to protect the confidentiality of information? Can
we get a response from devs on that?

The crypto only has to be FIPS if protecting confidentiality is its use.
Crypto protecting integrity only does not need to be FIPS.

On Aug 4, 2016 9:27 AM, "Michael Sean Conley" <
michael.sean.con...@raytheon.com> wrote:

Does ANYONE have any experience getting IPA to work with FIPS?

We're trying desperately to get this going, as we have some requirements
that the Identity Management Tool we choose must be FIPS 140-2 compliant.

GGHHH

*Michael Sean Conley*


Re: [Freeipa-users] IPA and FIPS 140-2

2016-08-04 Thread Rob Crittenden

Michael Sean Conley wrote:
> Does ANYONE have any experience getting IPA to work with FIPS?
>
> We're trying desperately to get this going, as we have some requirements
> that the Identity Management Tool we choose must be FIPS 140-2 compliant.


No, it doesn't work in FIPS mode yet. If you open a support case with 
Red Hat your case can be added to 
https://bugzilla.redhat.com/show_bug.cgi?id=1125174


While most, if not all, of the individual components can run in FIPS 
mode there are a lot of moving parts to coordinate to ensure they comply 
with the FIPS Security Policy and to handle some corner cases in the 
management framework.


rob
