Implement FIPS on the Server

To implement FIPS on the Vertica server, you must:

RequireFIPS Parameter

Upon startup, Vertica sets the RequireFIPS parameter on the server to reflect the FIPS state of the system, as follows:

Specify that FIPS is disabled:

RequireFIPS = 0

Specify that FIPS is enabled:

RequireFIPS = 1

The value of RequireFIPS matches the value of the crypto.fips_enabled file. See Install FIPS-enabled Vertica.

Verify the value of the RequireFIPS parameter as follows:

=> SELECT get_config_parameter('RequireFIPS');
 get_config_parameter
-----------------------
 0
(1 row)

Depending on the FIPS state, the following behaviors can occur:

Important: If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore process fails.

Locate OpenSSL Libraries

Vertica must find and load the correct OpenSSL libraries, libcrypto.so.1.0.1.e and libssl.so.1.0.1.e. To do so, it searches the system directory where the libraries reside. If the SSL libraries are not found, Vertica uses its own OpenSSL libraries that reside under /opt/vertica/lib.

Note: If you do not use admintools to start Vertica, or have conflicting libraries in your system, you must manually set LD_LIBRARY_PATH with /opt/vertica/lib appearing first in the list. When admintools starts or reboots Vertica, the path is set automatically.
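A preflight check for the two conditions described above: that RequireFIPS agrees with the kernel FIPS flag, and that /opt/vertica/lib comes first in LD_LIBRARY_PATH when Vertica is started without admintools. This is an added example, not Vertica's own tooling; the function names, the /proc/sys/crypto/fips_enabled path, and the vsql -At invocation are assumptions.

```shell
#!/bin/sh
# Added example, not Vertica tooling. Function names are hypothetical.
VERTICA_LIB=/opt/vertica/lib    # bundled OpenSSL location named on the page

# 0 when the first LD_LIBRARY_PATH entry is /opt/vertica/lib. An empty first
# entry (leading ':') makes the loader search the current directory, so it
# counts as a failure rather than being skipped.
vertica_lib_first() {
    vl_first=${1%%:*}
    vl_first=${vl_first%/}      # tolerate a trailing slash
    [ "$vl_first" = "$VERTICA_LIB" ]
}

# 0 when the kernel flag and RequireFIPS are both 0 or both 1. Empty or
# unexpected text (unreadable file, failed query) is a mismatch.
fips_state_matches() {
    case "$1" in 0|1) ;; *) return 1 ;; esac
    [ "$1" = "$2" ]
}

# Run both checks on supplied values; return the number of failed checks.
preflight() {
    pf_fail=0
    if ! fips_state_matches "$1" "$2"; then
        echo "MISMATCH: kernel fips_enabled='$1' RequireFIPS='$2'"
        pf_fail=$((pf_fail + 1))
    fi
    if ! vertica_lib_first "$3"; then
        echo "WARN: $VERTICA_LIB is not first in LD_LIBRARY_PATH='$3'"
        pf_fail=$((pf_fail + 1))
    fi
    return "$pf_fail"
}

# Live mode, run from the shell that will start Vertica without admintools.
# Assumptions: the flag file is /proc/sys/crypto/fips_enabled and vsql is on
# PATH with working credentials (-A unaligned, -t tuples only).
if [ "${1:-}" = "--live" ]; then
    kernel_now=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
    db_now=$(vsql -At -c "SELECT get_config_parameter('RequireFIPS');")
    preflight "$kernel_now" "$db_now" "${LD_LIBRARY_PATH:-}"
fi
```

Run it with --live in the same shell session that will launch Vertica, since LD_LIBRARY_PATH is read from that environment.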

Secure Client-Server Connection

Vertica uses TLS 1.2 to support the server-client connection for a FIPS-enabled system. This specification includes using a server certificate issued by a Certificate Authority.

Note: Using TLS 1.2 prevents you from using the MD5 algorithm for hashing passwords. Vertica accepts only AuthenticatedClearTextPasswords hashed by SHA-512. Users with MD5 passwords must migrate to SHA-512 passwords. For more information, see Upgrade Considerations for Hash Authentication.

For instructions on generating a self-signed certificate, see Generating SSL Certificates and Keys.

After generating a certificate, you need to distribute it to all hosts on the cluster. See Distributing Certificates and Keys. This distribution stores the certificate in the SSLCertificate parameter and the private key in the SSLPrivateKey parameter. For more information, see Security Parameters.