Context
FIPS can be enabled at the kernel level and requires a reboot.
Method
Steps:
sudo fips-mode-setup --enable
Example output:
$ sudo fips-mode-setup --enable
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
Verification:
1) Check Boot image config:
cat /proc/cmdline
And check for fips=1 in the output:
$ cat /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/boot/vmlinuz-4.18.0-448.el8.x86_64 root=UUID=a62c5b49-755e-41b0-9d34-de3f95e17532 ro no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop fips=1
2) Check Kernel config:
sysctl crypto.fips_enabled
crypto.fips_enabled should be enabled:
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
3) Check openssl version is FIPS compliant:
openssl version
FIPS should appear in the command output:
$ openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
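The three checks above combined into one script, added here as an example (not Aerospike's own tooling). The function names and the --live flag are hypothetical; the script matches the exact strings shown in the sample output above and assumes the last fips= token on the command line is the effective one.

```shell
#!/bin/sh
# Added example: the page's three verification checks as functions over text.

# 1) /proc/cmdline: the last fips=<n> token must be exactly fips=1.
#    Assumption: if the parameter is repeated, the last occurrence is effective.
cmdline_fips_on() (
    set -f                      # no globbing while word-splitting the cmdline
    last=""
    for tok in $1; do
        case "$tok" in fips=*) last=$tok ;; esac
    done
    [ "$last" = "fips=1" ]
)

# 2) sysctl output must read "crypto.fips_enabled = 1" (whitespace ignored).
sysctl_fips_on() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "crypto.fips_enabled=1" ]
}

# 3) "openssl version" output must carry FIPS as a separate word.
openssl_is_fips() (
    set -f
    for tok in $1; do
        if [ "$tok" = "FIPS" ]; then exit 0; fi
    done
    exit 1
)

# Print PASS/FAIL for one check function and pass its status through.
_check() {
    if "$@"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi
}

# Run all three; non-zero if any fails (e.g. enabled but not yet rebooted).
fips_verify() {
    rc=0
    _check cmdline_fips_on "$1" || rc=1
    _check sysctl_fips_on "$2" || rc=1
    _check openssl_is_fips "$3" || rc=1
    return "$rc"
}

# Live use on the host: sh fips_check.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_verify "$(cat /proc/cmdline)" "$(sysctl crypto.fips_enabled)" \
                "$(openssl version)"
fi
```

The non-zero exit status makes the script usable as a gate in a provisioning or pre-install step.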
Notes
Aerospike Federal Edition requires a FIPS-enabled system.
Non-Federal Aerospike server versions require OpenSSL < 3.0.