Mark created ZOOKEEPER-4832:
-------------------------------

Summary: Better guidance on how to configure zookeeper for FIPS
Key: ZOOKEEPER-4832
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4832
Project: ZooKeeper
Issue Type: Improvement
Components: documentation
Reporter: Mark

Hi there.

We're attempting to work out how to produce a zookeeper package and image which is FIPS compliant.

We've found multiple references in the code base to `zookeeper.fips-mode`, however on closer inspection this is very misleading, as it is not enabling any FIPS-specific settings, neither does it enable zookeeper for FIPS mode. Instead, it just looks to disable 'ZKTrustManager'.

It would be great to get some guidance here, and possibly an article / docs update with configuration details.

For example, when working with Java applications, there are usually multiple layers to building a FIPS image, including:

* Configuring OpenSSL for FIPS mode
* Configuring a FIPS compliant JDK/JRE on the host, such as bcfips (FIPS BouncyCastle)
* Creating a suitable java.security file to restrict usage to non-approved FIPS providers and crypto algorithms
* Updating the CLASSPATH to reference the bcfips jars
* Refactoring the code base - removing any references to non-FIPS crypto usage, such as non-FIPS bouncycastle, and potentially any other crypto libs
* Remove any usage of unapproved crypto algorithms (i.e. des, md5 etc.)

Some questions:

# Do you have any more info you can share on how to properly configure zookeeper for FIPS?
# Zookeeper seems to reference bouncycastle in some tests - can these be ignored safely? Any other usage of non-FIPS bouncycastle elsewhere?
# Are there any other crypto libraries used which may be a concern?
# Are there any dependencies used which themselves use non-FIPS crypto?
# Are the references to non-approved crypto algorithms in critical path?

*Expanding on question 2 above*, these are the only references I could seem to find for bouncycastle:

```
zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestContext.java
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
```

*Expanding on question 5:*

md5 usage:

```
zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/DigestLoginModule.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumServerCallbackHandler.java
zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
```

des usage:

```
zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
```

--
This message was sent by Atlassian Jira (v8.20.10#820010)
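
One way to repeat the source-tree audit described in the message and split the hits into main and test code, which is what questions 2 and 5 turn on. This is an added example, not part of the original message or of ZooKeeper's code; the patterns, the `audit` and `scope_of` names, and the sample file paths and contents are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed patterns for the three things the message searches for. BouncyCastle
# FIPS and non-FIPS jars share package names, so any import is a review item.
PATTERNS = {
    "md5": re.compile(r"md5", re.I),
    "des": re.compile(r'"DES(?:/[^"]*)?"', re.I),  # quoted JCA algorithm strings
    "bouncycastle": re.compile(r"\bimport\s+org\.bouncycastle\."),
}

def scope_of(path):
    """Classify a path as shipped code, test code, or other (Maven layout)."""
    p = "/" + path.replace("\\", "/")
    if "/src/test/" in p:
        return "test"
    return "main" if "/src/main/" in p else "other"

def audit(files):
    """files: {path: source text} -> {scope: {label: [(path, line_no), ...]}}"""
    report = defaultdict(lambda: defaultdict(list))
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            s = line.strip()
            if s.startswith(("//", "/*", "*")):  # a mention in a comment is not usage
                continue
            for label, pat in PATTERNS.items():
                if pat.search(s):
                    report[scope_of(path)][label].append((path, n))
    return {scope: dict(hits) for scope, hits in report.items()}

# Constructed sample sources (hypothetical files, not ZooKeeper's).
SAMPLE = {
    "srv/src/main/java/example/DigestAuth.java":
        'import java.security.MessageDigest;\n'
        '// MD5 is mentioned here only in a comment\n'
        'class DigestAuth {\n'
        '  byte[] h(byte[] b) throws Exception {\n'
        '    return MessageDigest.getInstance("MD5").digest(b);\n'
        '  }\n'
        '}\n',
    "srv/src/test/java/example/KeyHelper.java":
        'import org.bouncycastle.asn1.x500.X500Name;\n'
        'class KeyHelper { String enc = "DES/CBC/PKCS5Padding"; }\n',
}

if __name__ == "__main__":
    for scope, hits in audit(SAMPLE).items():
        for label, locs in hits.items():
            print(scope, label, locs)
```

Hits under `main` are the ones that ship in the runtime; hits under `test` only matter if the test classpath is part of the FIPS build.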