
Illumio Core 25.2.10 Install, Configure, Upgrade

FIPS Compliance for PCE and VEN

Note

This release supports FIPS compliance for the PCE and Linux and Windows VENs. It does not support FIPS compliance for the AIX and Solaris VENs.

This section describes the operational requirements for compliance with Federal Information Processing Standard (FIPS) 140-2 for the PCE and VEN.

FIPS Prerequisites
  • PCE server hardware requires an Intel Ivy Bridge (2012) or later CPU.

  • Red Hat Enterprise Linux v7.4 or later is required.

  • Customer-provided SSL certificates from a public CA or a customer CA. The certificates must have a minimum key size of 2048 to secure PCE communications.

FIPS-related Government and Vendor Documentation

Non-Government Customers without FIPS Requirement

Compliance with FIPS 140-2 requires additional operational restrictions, such as specific OS versions and server hardware.

Illumio recommends that non-government customers who do not have a requirement for FIPS 140-2 do not configure and deploy Illumio Core to support FIPS compliance.

Compliance Affirmation Letters

Third-party FIPS-compliance affirmation letters for the Illumio Core are available at FIPS 140-2 Affirmation Letters (PDF download).

Prerequisites for Linux VEN FIPS Compliance

For SecureConnect (IPsec encryption among workloads), to claim FIPS compliance, the VEN must be installed on RHEL v7.1, RHEL v7.4, or RHEL v8.0 and configured to operate in FIPS mode as described in the following vendor documents:

The Linux VEN versions do not have other special OS requirements or additional configurations to enable FIPS-compliant OpenSSL communications. The Linux VEN's FIPS OpenSSL module is built directly into the VEN and is not supplied by the underlying OS; the Linux VEN operates by default in FIPS mode.

Prerequisites for Windows VEN FIPS Compliance

For FIPS compliance on Windows, either Windows Server 2012 or Windows Server 2016 must be configured according to the following vendor documents:

Enable PCE FIPS Compliance
  1. After installing RHEL 7.4, follow the required steps in Section 9.1, Crypto Officer Guidance, of the Red Hat Enterprise Linux OpenSSL Cryptographic Module NIST Security Policy.

  2. Reboot the system.

  3. After the reboot, verify that /proc/sys/crypto/fips_enabled contains the value 1 (the kernel is running in FIPS mode).

  4. Install the Illumio PCE RPM. See After PCE Installation for information.

  5. During PCE installation, provide the PCE with SSL certificates that have a minimum RSA key size of 2048.

After completing the PCE setup, the PCE is FIPS compliant.
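A shell preflight for steps 3 and 5 of this procedure, added here as an example and not Illumio's own tooling. It assumes the kernel flag is at /proc/sys/crypto/fips_enabled (as step 3 states) and that the PCE certificate is a PEM file the openssl CLI can read; the function names and the PCE_FIPS_PREFLIGHT_RUN variable are this example's own.

```shell
#!/bin/sh
# Added preflight for steps 3 and 5 above (not Illumio's own tooling).
# Assumptions: the kernel flag lives at /proc/sys/crypto/fips_enabled and
# the PCE certificate is a PEM file readable by the openssl CLI.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
MIN_RSA_BITS=2048   # minimum RSA key size this page requires for PCE certificates

# Step 3: succeed only when the flag file exists and contains exactly "1".
fips_mode_enabled() {
    flag_file="${1:-$FIPS_FLAG}"
    [ -r "$flag_file" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Parse the RSA key size out of `openssl x509 -text` output read from stdin.
# Prints the bit count, or nothing when no "Public-Key: (N bit)" line exists.
rsa_bits_from_cert_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed when $1 is a bit count at or above MIN_RSA_BITS (fails on empty input).
rsa_bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "$MIN_RSA_BITS" ]
}

# Step 5: check the RSA key size of the PEM certificate at $1.
cert_key_size_ok() {
    bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null | rsa_bits_from_cert_text)
    rsa_bits_ok "$bits"
}

# Run both checks against a PEM certificate path; non-zero exit on any failure.
pce_fips_preflight() {
    rc=0
    if fips_mode_enabled; then
        echo "PASS: $FIPS_FLAG is 1 (kernel FIPS mode on)"
    else
        echo "FAIL: $FIPS_FLAG is not 1; revisit the Crypto Officer Guidance steps and reboot"
        rc=1
    fi
    if cert_key_size_ok "$1"; then
        echo "PASS: $1 carries an RSA key of at least $MIN_RSA_BITS bits"
    else
        echo "FAIL: $1 is unreadable, not RSA, or its key is below $MIN_RSA_BITS bits"
        rc=1
    fi
    return "$rc"
}

# Usage: PCE_FIPS_PREFLIGHT_RUN=1 sh pce_fips_preflight.sh /path/to/pce-cert.pem
if [ "${PCE_FIPS_PREFLIGHT_RUN:-0}" = "1" ]; then
    pce_fips_preflight "${1:-}"
fi
```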

FIPS Compliance for Red Hat/Linux VENs

On all Illumio-supported Linux workloads, the standard 18.1 GA VEN release and later support Linux VEN FIPS compliance.

Starting with the Linux VEN 18.1 release, all VEN OpenSSL communications operate in a FIPS-compliant mode by default.

  • FIPS is supported on the VEN 18.1 release through the 20.2 release.

  • FIPS is not supported on the VEN 21.1 release through the 21.5 release due to the OpenSSL 1.1 upgrade.

  • FIPS is supported on the VEN 22.2 release and later.

FIPS for SecureConnect

To claim FIPS compliance for the VEN SecureConnect feature (IPsec encryption between workloads), the VEN must be installed on RHEL v7.1 or RHEL v7.4 and configured to operate in FIPS mode as documented in either of the following documents:

FIPS Compliance for Windows VENs

On Windows workloads, the standard 18.1 GA VEN release and later support Windows VEN FIPS compliance.

The Windows VEN is FIPS compliant when installed on Windows Server 2012 or Windows Server 2016.

To operate the FIPS-compliant Windows VEN, the Windows system must be configured to operate in FIPS mode as documented in Section 2 of the Windows Server 2012 NIST Security Policy or Section 2 of the Windows Server 2016 NIST Security Policy.

OpenSSL 3.0 Module and RHEL 8 FIPS 140-2 Certification

The OpenSSL 3.0 module and the RHEL 8.0 OS are both currently undergoing FIPS 140-2 certification.

For the latest certification status of RHEL 7.x and RHEL 8.x, see the NIST Cryptographic Module Validation Program (CMVP) document: Cryptographic Module Validation Program CMVP Modules In Process List.