Implement FIPS on the Server

To implement FIPS on the Vertica server, you must:

  • Generate a secure SSL certificate to establish a secure connection to the client.
  • If necessary, set the LD_LIBRARY_PATH environment variable to locate the OpenSSL libraries.

Require FIPS Parameter

Upon startup Vertica sets the RequireFIPS configuration parameter on the server to reflect the FIPS state of the system: 1 if FIPS is enabled and 0 if FIPS is disabled.

The value of RequireFIPS matches the value of crypto.fips_enabled file.

Depending on the FIPS state, the following behaviors can occur:

  • If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.
  • If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.
  • If the FIPS state of a node, as determined from the existence of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.

If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore process fails.

Locate OpenSSL Libraries

Vertica must find and load the and libraries from one of the supported OpenSSL versions. To do so, it searches the system directory where the libraries reside. If the SSL libraries are not found, Vertica uses its own OpenSSL libraries that reside under /opt/vertica/lib.

If you do not use admintools to start Vertica, or have conflicting libraries in your system, you must manually set LD_LIBRARY_PATH and /opt/vertica/lib must appear first in the list. When admintools starts or reboots Vertica, the path is set automatically.

Secure Client-Server Connection

Vertica uses TLS 1.2 to support the server-client connection for a FIPS-enabled system. This specification includes using a server certificate issued by a Certificate Authority.

Using TLS 1.2 prevents you from using the MD5 algorithm for hashing passwords. Vertica accepts only AuthenticatedClearTextPasswords hashed by SHA-512. Users with MD5 passwords must migrate to SHA-512 passwords. For more information, see Upgrade Considerations for Hash Authentication.

For instructions on generating a self-signed certificate see Generating TLS Certificates and Keys.

After generating a certificate, you need to distribute it to all hosts on the cluster. See Copying Certificates and Keys to Configuration Files. This distribution stores the certificate in the SSLCertificate parameter and the private key in the SSLPrivateKey parameter. For more information see Security Parameters.