Federal Information Processing Standard

When running on a certified FIPS-140-2 Red Hat 6.6 system, Vertica uses a certified OpenSSL FIPS 140-2 cryptographic module. This meets the security standards set by the National Institute of Standards and Technology (NIST) for Federal Agencies in the United States or other countries.

The standard specifies the security requirements that a cryptographic module needs in a system protecting sensitive information. For details on the standard see the Computer Security Resource Center.

Note: Vertica itself is not FIPS compliant but it is compatible with running on a FIPS-enabled system using FIPS resources.

For a list of FIPS prerequisites, see FIPS 140-2 Supported Platforms.

OpenSSL Behavior

Dynamic OpenSSL linking is a requirement for a FIPS implementation on the client and server. The Vertica server uses the OpenSSL that resides on the host system (version 1.0.1e as indicated in FIPS 140-2 Supported Platforms). OpenSSL dynamically links with LDAP and Kerberos.

For more information see Locate OpenSSL Libraries.

Libraries on CentOS 6.6 FIPS Systems

On a CentOS 6.6 FIPS system, Vertica runs only with the OpenSSL libraries libcrypto.so.1.0.1e and libssl.so.1.0.1e. Other versions of these libraries do not run on a FIPS system. This incompatibility occurs because the FIPS security policy checksums the library to which an application is linked and verifies that the library the application executes with has the same checksum.

Library Versioning on Non-FIPS Systems

Be aware that on some non-FIPS systems, versioning anomalies can occur when you install a new version of OpenSSL. Sometimes, the default OpenSSL build procedure produces libraries with versions named 1.0.0. For Vertica to recognize that a library has a higher version number, you must provide the library name with a higher version number. For example, when installing OpenSSL version 1.0.1t, name the libraries libcrypto.so.1.0.1t and libssl.so.1.0.1t (symbolic links with these names are sufficient).

Install FIPS-enabled Vertica

The Vertica Analytic Database installation process determines if your system environment is FIPS compliant by checking the file /proc/sys/crypto/fips_enabled as follows:

$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
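
The FIPS flag check above and the library naming rules from the two preceding sections can be combined into one preflight script. This is an added example, not Vertica's installer code; the function names, the directory argument, and the rule that a directory holding only a 1.0.0 name earns a warning are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Vertica's installer): preflight check of OpenSSL library names.
REQUIRED_FIPS_VERSION="1.0.1e"   # from the page: the version Vertica needs in FIPS mode

# fips_state [FILE]: print "enabled" when the kernel flag file contains 1.
fips_state() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# lib_versions DIR NAME: print the version suffix of each DIR/NAME.so.* entry
# (regular files and symbolic links both count).
lib_versions() {
    for f in "$1/$2".so.*; do
        [ -e "$f" ] && echo "${f##*.so.}"
    done
    return 0
}

# check_openssl_libs STATE DIR: one verdict line per library, status 1 on any problem.
check_openssl_libs() {
    state=$1 dir=$2 rc=0
    for name in libcrypto libssl; do
        versions=$(lib_versions "$dir" "$name" | tr '\n' ' ')
        case "$state: $versions" in
            *": ")
                echo "$name: MISSING"; rc=1 ;;
            enabled:*" $REQUIRED_FIPS_VERSION "*)
                echo "$name: OK" ;;
            enabled:*)
                echo "$name: FAIL no $REQUIRED_FIPS_VERSION, found $versions"; rc=1 ;;
            "disabled: 1.0.0 ")   # assumed heuristic: only the build-default name exists
                echo "$name: WARN only named 1.0.0, add a link with the real version"; rc=1 ;;
            *)
                echo "$name: OK" ;;
        esac
    done
    return $rc
}

# Constructed demo directory: a non-FIPS build that left only 1.0.0 names.
demo=$(mktemp -d)
touch "$demo/libcrypto.so.1.0.0" "$demo/libssl.so.1.0.0"
check_openssl_libs disabled "$demo" || true
rm -rf "$demo"
```

On a real host, call `check_openssl_libs "$(fips_state)" DIR` with the directory that holds the system OpenSSL libraries.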

If the host is FIPS enabled, the installation does the following:

For more information see Installing Vertica.

FIPS-Enabled Databases

Manually creating a new database on a FIPS-enabled Vertica Analytic Database requires a different approach than for a non-FIPS machine. Be aware of the following limitations: