FIPS Compliance for the Vertica Server
To make Vertica FIPS-compliant, you must:
- Set the RequireFIPS parameter to 1.
- Hash your passwords with SHA-512. See Hash Authentication for details.
- Generate a signed TLS certificate to establish a secure connection to the client.
RequireFIPS Parameter
Vertica sets the RequireFIPS configuration parameter on the server on startup to reflect the state of FIPS on the system: 1 if FIPS is enabled and 0 if FIPS is disabled.
The value of RequireFIPS matches the value in the crypto.fips_enabled file. Vertica sets the RequireFIPS parameter based on the contents of that file:
- If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.
- If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.
- If the FIPS state of a node, as determined from the existence and contents of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.
If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore will fail.
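The following POSIX shell script is an added example, not Vertica's own code. It mirrors the RequireFIPS decision rule described above (file exists and contains 1 means FIPS-enabled, anything else means non-FIPS) and the mixed-cluster check against the state announced by the cluster initiator, so an operator can verify each host before starting or restoring a node. The function names, the constructed sample files, and the way the initiator state is passed in as an argument are assumptions made for the example; the real kernel path is /proc/sys/crypto/fips_enabled.

```shell
#!/bin/sh
# Added example (not Vertica's code): reproduce how RequireFIPS is derived
# from /proc/sys/crypto/fips_enabled and detect a mixed FIPS/non-FIPS cluster.

# fips_state FILE
# Prints 1 if FILE exists and contains 1 (FIPS enabled), otherwise 0.
# A missing file, an unreadable file, or a file containing 0 all yield 0,
# matching the rule Vertica applies when setting RequireFIPS.
fips_state() {
    f="$1"
    if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# check_cluster_fips FILE INITIATOR_STATE
# Compares this node's derived RequireFIPS value with the state the cluster
# initiator reports (assumed here to be passed in as "0" or "1").
# Returns 0 when they match and 1 when they differ (the node would fail to
# join, preventing a mixed FIPS and non-FIPS cluster).
check_cluster_fips() {
    node_state="$(fips_state "$1")"
    initiator_state="$2"
    if [ "$node_state" = "$initiator_state" ]; then
        echo "RequireFIPS=$node_state matches the initiator; node can join"
        return 0
    fi
    echo "RequireFIPS=$node_state but initiator reports $initiator_state; node would fail (mixed cluster)" >&2
    return 1
}

# Demonstration on a constructed input file (not the live kernel file),
# followed by the value this host would actually receive.
demo_dir="$(mktemp -d)"
printf '1\n' > "$demo_dir/fips_enabled"      # constructed: FIPS-enabled node
check_cluster_fips "$demo_dir/fips_enabled" 1 # initiator is also FIPS-enabled
rm -rf "$demo_dir"
echo "this host: RequireFIPS would be $(fips_state /proc/sys/crypto/fips_enabled)"
```

Run the script on every host before adding it to a cluster; a non-zero exit from check_cluster_fips means the node's FIPS state does not match the initiator's and the join or restore would fail.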
Secure Client-Server Connection
It's important to secure client-server connections with TLS. For instructions on setting up client-server TLS, see Configuring Client-server TLS.
FIPS-Compliant AWS Endpoints
To configure AWS to use a FIPS-compliant S3 endpoint, set the following S3 parameters:
AWSEndpoint = s3-fips.dualstack.us-east-1.amazonaws.com
S3EnableVirtualAddressing = 1