FIPS Compliance for PCE
This section describes the operational requirements for compliance with Federal Information Processing Standard (FIPS) 140-2 for the PCE and VEN.
FIPS Prerequisites
RHEL 8.2 running in FIPS mode and satisfying the Security Policy as stated in Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module version rhel8.20200305.1.
Non-Government Customers without FIPS Requirement
Compliance with FIPS 140-2 requires additional operational restrictions such as specific OS versions and server hardware.
Illumio recommends that non-government customers who do not have a requirement for FIPS 140-2 do not configure and deploy Illumio Core in FIPS mode.
Enable PCE FIPS Compliance
After installing RHEL 8.x, follow the required steps in Section 9.1, Crypto Officer Guidance, of the Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module NIST Security Policy.
Reboot the system.
After the system starts, check that FIPS mode is enabled:
$ fips-mode-setup --check
FIPS mode is enabled.
Install the Illumio PCE RPM.
See After PCE Installation for information.
During PCE installation, provide the PCE with SSL certificates whose RSA key size is at least 2048 bits.
After PCE installation, disable PCE metrics collection. Add the following line to runtime_env.yml on every node in the cluster, then restart the PCE on each node:
metrics_collection_enabled: false
Note
This step is required because metrics collection currently uses components that are not FIPS compliant.
After completing the PCE setup, the PCE is FIPS compliant.
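The following script is an example added here; it is not Illumio tooling and does not appear in the original documentation. It verifies, on one node, the three conditions the procedure above depends on: fips-mode-setup reports FIPS mode enabled, the server certificate carries an RSA key of at least 2048 bits, and runtime_env.yml sets metrics_collection_enabled to false. The certificate and runtime_env.yml paths are passed as arguments because this page does not state where they live; the function names are the example's own.

```shell
#!/bin/sh
# Added example: per-node pre-flight check for the PCE FIPS procedure above.
# Not Illumio tooling. Usage: sh pce_fips_check.sh CERT_PEM RUNTIME_ENV_YML
# (both paths are assumptions supplied by the operator).

# Reads `fips-mode-setup --check` output on stdin. Only the exact "enabled"
# line passes; "FIPS mode is disabled." or an error message fails.
fips_output_ok() {
  grep -q '^FIPS mode is enabled\.'
}

check_fips_mode() {
  fips-mode-setup --check 2>/dev/null | fips_output_ok
}

# Reads `openssl x509 -noout -text` output on stdin and prints the RSA modulus
# size in bits; prints nothing for non-RSA keys (EC, Ed25519), which the
# procedure does not cover. Handles both "RSA Public-Key:" (OpenSSL 1.1.1)
# and "Public-Key:" (OpenSSL 1.0 / 3.x) wording.
rsa_bits_from_x509_text() {
  awk '/Public Key Algorithm:/ { rsa = ($0 ~ /rsaEncryption/) }
       rsa && /Public-Key:/   { gsub(/[^0-9]/, ""); print; exit }'
}

# $1: certificate file, $2: minimum RSA key size (2048 per the procedure).
# Fails for non-RSA keys as well as for short RSA keys.
cert_key_ok() {
  bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null | rsa_bits_from_x509_text)
  [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# $1: runtime_env.yml. Requires a top-level (unindented) key set to false;
# a trailing comment is allowed, "true" or a commented-out line is not.
metrics_disabled_in() {
  grep -Eq '^metrics_collection_enabled:[[:space:]]*false[[:space:]]*(#.*)?$' "$1"
}

# Runs all three checks, reports each, and returns non-zero if any fails.
run_checks() {
  cert=$1; env_file=$2; rc=0
  if check_fips_mode; then echo "ok   FIPS mode enabled"
  else echo "FAIL FIPS mode not enabled"; rc=1; fi
  if cert_key_ok "$cert" 2048; then echo "ok   $cert: RSA key >= 2048 bits"
  else echo "FAIL $cert: not an RSA key or shorter than 2048 bits"; rc=1; fi
  if metrics_disabled_in "$env_file"; then echo "ok   metrics_collection_enabled: false"
  else echo "FAIL $env_file: metrics collection not disabled"; rc=1; fi
  return $rc
}

if [ $# -eq 2 ]; then run_checks "$@"; fi
```

Run it on every node in the cluster after the restart in the last step; a non-zero exit on any node means that node is not yet in the configuration the procedure describes. The parsing is split from the command invocation so the checks can be exercised against captured output without root or a live PCE.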