FIPS Compliance for the Vertica Server

To make Vertica FIPS-compliant, you must:

  • Set the RequireFIPS parameter to 1.
  • Hash your passwords with SHA-512. See Hash Authentication for details.
  • Generate a signed TLS certificate to establish a secure connection to the client.

RequireFIPS Parameter

Vertica sets the RequireFIPS configuration parameter on the server on startup to reflect the state of FIPS on the system: 1 if FIPS is enabled and 0 if FIPS is disabled.

The value of RequireFIPS matches the value of crypto.fips_enabled file.

Vertica sets the RequireFIPS parameter based on the contents of crypto.fips_enabled:

  • If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.
  • If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.
  • If the FIPS state of a node, as determined from the existence of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.

If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore will fail.

Secure Client-Server Connection

It's important to secure client-server connections with TLS. For instructions on setting up client-server TLS, see Configuring Client-server TLS.

FIPS-Compliant AWS Endpoints

To configure AWS to use a FIPS-compliant S3 Endpoint, set the following S3 Parameters:

AWSEndpoint =
S3EnableVirtualAddressing = 1