  1. ZooKeeper
  2. ZOOKEEPER-4832

Better guidance on how to configure zookeeper for FIPS


Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • documentation
    • None

    Description

      Hi there.

      We're attempting to work out how to produce a zookeeper package and image which is FIPS compliant.

      We've found multiple references in the code base to `zookeeper.fips-mode`, however on closer inspection this is very misleading, as it is not enabling any FIPS specific settings, neither does it enable zookeeper for FIPS mode. Instead, it just looks to disable 'ZKTrustManager'.

      It would be great to get some guidance here, and possibly an article / docs update with configuration details.

      For example, when working with Java applications, there are usually multiple layers to building a FIPS image, including:

      • Configuring OpenSSL for FIPS mode
      • Configuring a FIPS compliant JDK/JRE on the host, such as bcfips (FIPS BouncyCastle)
      • Creating a suitable java.security file to restrict usage to non-approved FIPS providers and crypto algorithms
      • Updating the CLASSPATH to reference the bcfips jars
      • Refactoring the code base - removing any references to non-FIPS crypto usage, such as non-FIPS bouncycastle, and potentially any other crypto libs
      • Remove any usage of unapproved crypto algorithms (i.e. des, md5, etc.)

      Some questions:

      1. Do you have any more info you can share on how to properly configure zookeeper for FIPS?
      2. Zookeeper seems to reference bouncycastle in some tests - can these be ignored safely? Any other usage of non-FIPS bouncycastle elsewhere?
      3. Are there any other crypto libraries used which may be a concern?
      4. Are there any dependencies used which themselves use non-FIPS crypto?
      5. Are the references to non-approved crypto algorithms in critical path?

       

      Expanding on question 2 above, these are the only references I could seem to find for bouncycastle:

      ```
      zookeeper-server/src/test/java/org/apache/zookeeper/common/BaseX509ParameterizedTestCase.java
      zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestContext.java
      zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
      ```

      Expanding on question 5:

      md5 usage:

      ```
      zookeeper-server/src/main/java/org/apache/zookeeper/server/ZooKeeperServer.java
      zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/DigestLoginModule.java
      zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/SaslServerCallbackHandler.java
      zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumServerCallbackHandler.java
      zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java

      ```

      des usage:

      ```
      zookeeper-server/src/test/java/org/apache/zookeeper/common/X509TestHelpers.java
      ```
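
The audit behind questions 2 and 5, as an added example that is not part of the original issue or the ZooKeeper code base: it scans a Java source tree for MD5/DES algorithm names in string literals and for BouncyCastle imports, and separates shipped code (`src/main`) from test code (`src/test`). The patterns, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics: algorithm names inside Java string literals, plus BouncyCastle imports.
# FIPS and non-FIPS BouncyCastle share org.bouncycastle, so an import hit means "review".
PATTERNS = {
    "md5": re.compile(r'"[^"\n]*MD5[^"\n]*"', re.IGNORECASE),
    "des": re.compile(r'"[^"\n]*(?<![A-Z])(?:DESede|3DES|TripleDES|DES)(?![A-Za-z])[^"\n]*"'),
    "bouncycastle": re.compile(r"^\s*import\s+(?:static\s+)?org\.bouncycastle\.", re.MULTILINE),
}

def scope_of(rel_path: str) -> str:
    """Classify a file as shipped code ('main') or test-only code ('test')."""
    for scope in ("main", "test"):
        if f"/src/{scope}/" in f"/{rel_path}":
            return scope
    return "other"

def audit(root: Path) -> dict:
    """Return {scope: {category: [relative paths]}} for every .java file under root."""
    report = {}
    for path in sorted(root.rglob("*.java")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for category, pattern in PATTERNS.items():
            if pattern.search(text):
                report.setdefault(scope_of(rel), {}).setdefault(category, []).append(rel)
    return report

# Constructed sample sources (hypothetical files, not ZooKeeper's code).
SAMPLE = {
    "mod/src/main/java/demo/DigestAuth.java": 'class DigestAuth { String m = "DIGEST-MD5"; }\n',
    "mod/src/main/java/demo/Nodes.java": 'class Nodes { String a = "NODES", b = "DESCRIPTION"; }\n',
    "mod/src/test/java/demo/KeyHelper.java":
        'import org.bouncycastle.asn1.x500.X500Name;\n'
        'class KeyHelper { String pbe = "PBEWithMD5AndDES"; }\n',
}

def run_sample() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(Path(tmp))

if __name__ == "__main__":
    for scope, hits in run_sample().items():
        print(scope, hits)
```

Hits under `main` are the ones that decide whether an unapproved algorithm sits on the runtime path; hits under `test` only affect the build and test classpath.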

       

          People

            Unassigned Unassigned
            electricthunder Mark