Federal Information Processing Standard
When running on a certified FIPS-140-2 Red Hat 6.6 system, Vertica uses a certified OpenSSL FIPS 140-2 cryptographic module. This meets the security standards set by the National Institute of Standards and Technology (NIST) for Federal Agencies in the United States or other countries.
The standard specifies the security requirements that a cryptographic module needs in a system protecting sensitive information. For details on the standard see the Computer Security Resource Center.
Note: Vertica itself is not FIPS compliant, but it is compatible with running on a FIPS-enabled system using that system's FIPS resources.
For a list of FIPS prerequisites, see FIPS 140-2 Supported Platforms.
OpenSSL Behavior
Dynamic OpenSSL linking is a requirement for a FIPS implementation on the client and server. The Vertica server uses the OpenSSL that resides on the host system (version 1.0.1e as indicated in FIPS 140-2 Supported Platforms). OpenSSL dynamically links with LDAP and Kerberos.
For more information see Locate OpenSSL Libraries.
Libraries on CentOS 6.6 FIPS Systems
On a CentOS 6.6 FIPS system, Vertica runs only with the OpenSSL libraries libcrypto.so.1.0.1e and libssl.so.1.0.1e. Other versions of these libraries do not run on a FIPS system. This incompatibility occurs because the FIPS security policy checksums the library to which an application is linked and verifies that the library the application executes with has the same checksum.
Library Versioning on Non-FIPS Systems
Be aware that on some non-FIPS systems, versioning anomalies can occur when you install a new version of OpenSSL. Sometimes the default OpenSSL build procedure produces libraries whose file names carry the version 1.0.0. For Vertica to recognize that a library has a higher version number, you must give the library file a name with that higher version number. For example, when installing OpenSSL version 1.0.1t, name the libraries libcrypto.so.1.0.1t or libssl.so.1.0.1t (symbolic links with these names are sufficient).
Install FIPS-enabled Vertica
The Vertica Analytic Database installation process determines if your system environment is FIPS compliant by checking the file /proc/sys/crypto/fips_enabled, for example as follows:
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1
- If fips_enabled contains a 1, the host is FIPS enabled.
- If fips_enabled contains a 0, the host is not FIPS enabled.
If the host is FIPS enabled, the installation does the following:
- Verifies that OpenSSL resides in the appropriate area. If no OpenSSL installation exists before installation, the installer uses the OpenSSL provided by Vertica (stored in /opt/vertica/lib) as the default.
- Runs a test to verify that Vertica was successfully configured for FIPS. If this test fails on any node, the installer fails.
For more information see Installing Vertica.
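The checks the installer performs, scripted as an added example that is not Vertica's own code: it reads the fips_enabled flag, confirms the two library files named above are present, and lists which OpenSSL the server binary actually resolves to. The OPENSSL_LIB_DIR default of /usr/lib64, the VERTICA_BIN variable and its placeholder path are assumptions, not values from this page.

```shell
#!/bin/sh
# Added pre-install check (example code, not part of Vertica or its installer).
# Assumptions: OpenSSL lives in $OPENSSL_LIB_DIR (default /usr/lib64) and the
# Vertica server binary path is supplied in $VERTICA_BIN (placeholder default).

# fips_state [FILE]: prints enabled/disabled/absent; exit status 0 only when enabled.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo absent; return 2; }
    case "$(cat "$f")" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;
    esac
}

# lib_version_tag NAME: version suffix after ".so." (libcrypto.so.1.0.1e -> 1.0.1e),
# so a script can spot the "1.0.0" default-build naming anomaly described above.
lib_version_tag() {
    case "$1" in
        *.so.*) echo "${1##*.so.}" ;;
        *)      echo ""; return 1 ;;
    esac
}

# check_openssl_libs DIR: succeed only if both FIPS-validated library files exist.
check_openssl_libs() {
    missing=0
    for lib in libcrypto.so.1.0.1e libssl.so.1.0.1e; do
        if [ -e "$1/$lib" ]; then
            echo "found:   $1/$lib (version tag $(lib_version_tag "$lib"))"
        else
            echo "missing: $1/$lib" >&2
            missing=1
        fi
    done
    return $missing
}

# check_host: the full sequence, then show which OpenSSL the server binary links to.
check_host() {
    state=$(fips_state || true)
    echo "fips_enabled: $state"
    [ "$state" = enabled ] || return 1
    check_openssl_libs "${OPENSSL_LIB_DIR:-/usr/lib64}" || return 1
    bin="${VERTICA_BIN:-/path/to/vertica/server/binary}"   # placeholder, not a real path
    if [ -x "$bin" ]; then ldd "$bin" | grep -E 'libcrypto|libssl'; fi
}

# Run the check only when invoked with --check; sourcing the file just defines functions.
if [ "${1:-}" = "--check" ]; then check_host; fi
```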
FIPS-Enabled Databases
Manually creating a new database on a FIPS-enabled Vertica Analytic Database requires a different approach than on a non-FIPS machine. Be aware of the following limitations:
- You cannot create a FIPS-enabled database on a non-FIPS machine.
- You cannot create a non-FIPS database on a FIPS-enabled machine.
- Copying data generated with the MD5 hashing algorithm from a non-FIPS machine to a FIPS-enabled machine results in data corruption.