Implement FIPS on the Server

To implement FIPS on the Vertica server, you must generate a secure SSL certificate to establish a secure connection to the client.

Require FIPS Parameter

Upon startup, Vertica sets the RequireFIPS configuration parameter on the server to reflect the FIPS state of the system: 1 if FIPS is enabled and 0 if FIPS is disabled.

The value of RequireFIPS matches the value in the /proc/sys/crypto/fips_enabled file.

Depending on the FIPS state, the following behaviors can occur:

  • If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.
  • If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.
  • If the FIPS state of a node, as determined from the existence of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.

If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore process fails.
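The following POSIX shell script is an added example, not Vertica's own code: it derives the RequireFIPS value exactly as the rules above describe (1 only when /proc/sys/crypto/fips_enabled exists and contains 1) and checks that every node's value agrees, so a mixed FIPS/non-FIPS cluster is caught before a node fails at startup. The three sample files and the node names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: mirror Vertica's RequireFIPS derivation and verify that all
# nodes agree before a cluster is created or a node is restored into it.

# Print the RequireFIPS value Vertica would derive for the given file:
# 1 only if the file exists and contains 1, otherwise 0 (missing file = 0).
fips_state() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$file" ] && read -r state < "$file" && [ "$state" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Given "node:value" pairs, return 0 if every value matches the first one,
# otherwise report the first disagreeing node and return 1.
check_uniform() {
    first=""
    for pair in "$@"; do
        node="${pair%%:*}"
        val="${pair#*:}"
        if [ -z "$first" ]; then
            first="$val"
        elif [ "$val" != "$first" ]; then
            echo "mismatch: $node reports RequireFIPS=$val, expected $first" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: files standing in for the sysctl on three nodes
# (node-c is a non-FIPS system).
FIPS_DEMO=$(mktemp -d)
printf '1\n' > "$FIPS_DEMO/node-a"
printf '1\n' > "$FIPS_DEMO/node-b"
printf '0\n' > "$FIPS_DEMO/node-c"

if check_uniform \
    "node-a:$(fips_state "$FIPS_DEMO/node-a")" \
    "node-b:$(fips_state "$FIPS_DEMO/node-b")" \
    "node-c:$(fips_state "$FIPS_DEMO/node-c")"; then
    echo "all nodes agree on FIPS state; safe to start the cluster"
else
    echo "do not start the cluster until every node has the same FIPS state"
fi
```

On a real cluster you would feed check_uniform the value of fips_state collected from each host (for example over ssh) instead of the constructed files.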

Secure Client-Server Connection

Vertica uses TLS 1.2 to support the server-client connection for a FIPS-enabled system. This specification includes using a server certificate issued by a Certificate Authority.

Using TLS 1.2 prevents you from using the MD5 algorithm for hashing passwords. Vertica accepts only AuthenticatedClearTextPasswords hashed by SHA-512. For details on these options, see Hash Authentication.

For instructions on generating a self-signed certificate, see Generating TLS Certificates and Keys.

After generating a certificate, you need to distribute it to all hosts in the cluster. See Copying Certificates and Keys to Configuration Files. This distribution stores the certificate in the SSLCertificate parameter and the private key in the SSLPrivateKey parameter. For more information, see Security Parameters.