From 98f85feed46fdaaee1f8eddd00a99d13bc4bded1 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Fri, 17 Aug 2018 01:42:02 +0300 Subject: [PATCH 1/9] Add FIPS 140-2 documentation --- .../settings/security-settings.asciidoc | 3 + .../en/security/fips-140-compliance.asciidoc | 86 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 x-pack/docs/en/security/fips-140-compliance.asciidoc diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 4f29b0549b3a8..b333e94ea5031 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc @@ -46,6 +46,9 @@ settings for the ad1 realm: `xpack.security.authc.realms.ad1.*`. The API already omits all `ssl` settings, `bind_dn`, and `bind_password` due to the sensitive nature of the information. +`xpack.security.fips_mode.enabled`:: +Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS-140 enabled JVM. For more +information, see {xpack-ref}/fips-140-compliance.html[FIPS-140 compliance]. Defaults to `false`. [float] [[password-security-settings]] ==== Default password security settings diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc new file mode 100644 index 0000000000000..c1d4deb6bce3c --- /dev/null +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc 
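Review bot: the new `xpack.security.fips_mode.enabled` entry says only that it "Enables fips mode of operation" without saying what changes when it is on; for a security setting the reader needs to know whether it is purely declarative or whether the node rejects non-compliant configuration at startup (the keystore types, protocols and hashing algorithms the linked page rules out), because that determines the failure mode they will see. Suggest one sentence stating the actual behaviour, for example "When `true`, {es} verifies at startup that the TLS, keystore and password-hashing settings described in the FIPS 140-2 page are compliant" if that is what the flag does, or an explicit statement that the flag does not itself change cryptographic behaviour. Also spell it "FIPS 140-2 mode" rather than "fips mode" to match the page it links to.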
@@ -0,0 +1,86 @@ +[role="xpack"] +[[fips-140-compliance]] +== FIPS 140-2 + +The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB +140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. +government computer security standard used to approve cryptographic modules. +{es} is FIPS-140 compliant and as such can run in a FIPS-140 enabled JVM. In +order to set {es} in fips mode, you must set the +`xpack.security.fips_mode.enabled` to `true` in `elasticsearch.yml` + +For {es}, FIPS 140-2 compliance is ensured by + +- Using FIPS approved / NIST recommended cryptographic algorithms. +- Delegating the implementation of these cryptographic algorithms to a NIST + validated cryptographic module (available via the Java Security Provider + in use in the JVM). +- Allowing the configuration of {es} in a FIPS 140-2 compliant manner, as + documented below. + +=== Configuring {es} for FIPS 140-2 + +Apart from setting `xpack.security.fips_mode.enabled`, a number of security +related settings need to be configured accordingly in order to be able to +run {es} successfully in a FIPS 140-2 enabled JVM. + + +==== TLS + +SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot +be used for <> + +NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module +(the FIPS Approved Security Provider that your JVM uses). All the ciphers that +are configured by default in {es} are FIPS-140 compliant and as such can be +used in a FIPS-140 JVM. (see <>) + + +==== TLS Keystores and keys + +Keystores can be used in a number of <> in order to +conveniently store key and trust material. Neither `JKS`, nor `PKCS#12` keystores +can be used in a FIPS 140-2 enabled JVM however, so you must refrain from using +keystores in your configuration, and use `PEM` encoded files instead. 
For key +material, you can use the relevant `*.key` and `*.certificate` configuration +options, and for trust material you can use `*.certificate_authorities`. + +FIPS 140-2 compliance dictates that the length of the public keys used for TLS +must correspond to the strength of the symmetric key algorithm in use in TLS. +Depending on the value of <> that +you select to use, the TLS keys must have corresponding length according to +the following table: + +[[comparable-key-strength]] +.Comparable key strengths +|======================= +| Symmetric Key Algorithm | RSA key Length | ECC key length +| `3DES` | 2048 | 224-255 +| `AES-128` | 3072 | 256-383 +| `AES-256` | 15630 | 512+ +|======================= + + +==== Password Hashing + +{es} offers a number of algorithms for securely hashing credentials in memory and +on disk. However, only the `PBKDF2` family of algorithms is compliant with FIPS +140-2 for password hashing. You must set the the `cache.hash_algo` realm settings +and the `xpack.security.authc.password_hashing.algorithm` setting to one of the +available `pbkdf2` values. See <>. + +=== Limitations + +Due to the limitations that FIPS 140-2 compliance enforces, a small number of +features is not available while running in fips mode. The list is as follows: + +* Azure Classic Discovery Plugin +* Ingest Attachment Plugin +* The {ref}/certutil.html[`elasticsearch-certutil`] tool. However, + `elasticsearch-certutil` can very well be used in a non FIPS 140-2 + enabled JVM (pointing `JAVA_HOME` environment variable to a different java + installation) in order to generate the keys and certificates that + can be later used in the FIPS 140-2 enabled JVM. +* The `elasticsearch-plugin` tool. Accordingly, `elasticseach-plugin` can be + used with a different (non FIPS 140-2 enabled) Java installation if + available. \ No newline at end of file From 7d26f8b6daf6b71ab735786ebf527a1d71e67480 Mon Sep 17 00:00:00 2001 
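Review bot: in the comparable key strengths table the RSA length for the `AES-256` row reads 15630, which looks like a transposition of 15360, the value NIST SP 800-57 Part 1 gives for 256-bit security alongside the 2048 and 3072 rows the table already matches; please correct it and cite SP 800-57 as the source of the table, since the prose attributes the equivalence to FIPS 140-2 compliance and a reader will want the actual reference. The two plugin bullets under Limitations give no reason for the exclusion; one clause each saying which non-approved algorithm or dependency forces it would let an operator judge whether it affects them. Two nits in the same hunk: "You must set the the `cache.hash_algo`" doubles "the", and the last bullet spells the tool `elasticseach-plugin`.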
From: Ioannis Kakavas Date: Fri, 17 Aug 2018 13:50:39 +0300 Subject: [PATCH 2/9] Added upgrade considerations --- .../en/security/fips-140-compliance.asciidoc | 54 ++++++++++++++++--- 1 file changed, 46 insertions(+), 8 deletions(-) diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index c1d4deb6bce3c..81d3b80570a12 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc 
@@ -18,12 +18,33 @@ For {es}, FIPS 140-2 compliance is ensured by - Allowing the configuration of {es} in a FIPS 140-2 compliant manner, as documented below. +IMPORTANT: Only {es} 6.4.0 and later can be run in a FIPS 140-2 enabled JVM + +=== Upgrade considerations + +If you plan to upgrade your existing Cluster to a version that can be run in +a FIPS 140-2 enabled JVM, the suggested approach is to first perform a rolling +upgrade to the new version in your existing JVM and perform all necessary +configuration changes in preparation for running in fips mode. You can then +perform a rolling restart of the nodes, this time starting each node in the FIPS +140-2 JVM. This will allow {es} to take care of a couple of things automatically for you: + +- <> will be upgraded to the latest format version as + previous format versions cannot be loaded in a FIPS 140-2 JVM. +- Self-generated trial licenses will be upgraded to the latest format that + is compliant with FIPS 140-2. + +If you are on a appropriate license level (platinum) you can elect to perform +a rolling upgrade while at the same time running each upgraded node in a +FIPS 140-2 JVM. In this case, you would need to also regenerate your +`elasticsearch.keystore` and migrate all secure settings to it, in addition to the +necessary configuration changes outlined below, before starting each node. + === Configuring {es} for FIPS 140-2 Apart from setting `xpack.security.fips_mode.enabled`, a number of security -related settings need to be configured accordingly in order to be able to -run {es} successfully in a FIPS 140-2 enabled JVM. - +related settings need to be configured accordingly in order to be compliant +and able to run {es} successfully in a FIPS 140-2 enabled JVM. ==== TLS 
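Review bot: the platinum path in this hunk tells the reader to "regenerate your `elasticsearch.keystore` and migrate all secure settings to it" but not how or why, while the recommended path just above explains that previous keystore format versions cannot be loaded in a FIPS 140-2 JVM; carry that reason into the second paragraph, name the `elasticsearch-keystore` CLI as the tool, and say plainly that every secure value has to be re-entered (or exported with the non-FIPS JVM first), because the old file cannot be opened on the FIPS JVM to copy them out. Also "a appropriate license level" should be "an appropriate license level", "Cluster" should not be capitalised, and "take care of a couple of things automatically" is vague for a procedure; "performs the following migrations" reads better before the list.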
@@ -35,16 +56,19 @@ NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module are configured by default in {es} are FIPS-140 compliant and as such can be used in a FIPS-140 JVM. (see <>) - ==== TLS Keystores and keys Keystores can be used in a number of <> in order to conveniently store key and trust material. Neither `JKS`, nor `PKCS#12` keystores can be used in a FIPS 140-2 enabled JVM however, so you must refrain from using keystores in your configuration, and use `PEM` encoded files instead. For key -material, you can use the relevant `*.key` and `*.certificate` configuration +material, you can use the relevant `\*.key` and `*.certificate` configuration options, and for trust material you can use `*.certificate_authorities`. +NOTE: If your Cryptographic Module offers a keystore type that is FIPS 140-2 +compliant, you can use that instead, ensuring you set the correct value for +the type identifier in `\*.truststore.type` and `*.keystore.type` settings. + FIPS 140-2 compliance dictates that the length of the public keys used for TLS must correspond to the strength of the symmetric key algorithm in use in TLS. Depending on the value of <> that 
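Review bot: the new NOTE contradicts the unchanged sentence two lines above it, which still says "you must refrain from using keystores in your configuration, and use `PEM` encoded files instead"; rewrite that sentence so the prohibition covers only `JKS` and `PKCS#12` (for example "neither `JKS` nor `PKCS#12` keystores can be loaded in a FIPS 140-2 enabled JVM; use PEM files or a keystore type supplied by your FIPS module") so the two statements agree. The NOTE would also be more actionable with an example of what goes into `*.keystore.type`, since "the correct value for the type identifier" gives the reader nothing to look for in their provider's documentation.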
@@ -67,7 +91,19 @@ the following table: on disk. However, only the `PBKDF2` family of algorithms is compliant with FIPS 140-2 for password hashing. You must set the the `cache.hash_algo` realm settings and the `xpack.security.authc.password_hashing.algorithm` setting to one of the -available `pbkdf2` values. See <>. +available `PBKDF2` values. See <>. + +Password hashing configuration changes are not retroactive so the stored hashed +credentials of existing users of the file and native realms will not be updated +on disk. +Authentication will still work, but in order to ensure FIPS 140-2 compliance, +you would need to recreate users or change their password using the +<> CLI tool for the file realm and the +<> for the native realm. + +The user cache will be emptied upon node restart, so any existing hashes using +non-compliant algorithms will be discarded and the new ones will be created +using the compliant `PBKDF2` algorithm you have selected. === Limitations @@ -81,6 +117,8 @@ features is not available while running in fips mode. The list is as follows: enabled JVM (pointing `JAVA_HOME` environment variable to a different java installation) in order to generate the keys and certificates that can be later used in the FIPS 140-2 enabled JVM. -* The `elasticsearch-plugin` tool. Accordingly, `elasticseach-plugin` can be +* The `elasticsearch-plugin` tool. Accordingly, `elasticsearch-plugin` can be used with a different (non FIPS 140-2 enabled) Java installation if - available. \ No newline at end of file + available. +* The SQL CLI client cannot run in a FIPS 140-2 enabled JVM while using + TLS for transport security or PKI for client authentication. \ No newline at end of file From cb863413c011fb3ced3be29f504f991a5c06be30 Mon Sep 17 00:00:00 2001 
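Review bot: changing `pbkdf2` to `PBKDF2` inside backticks in this hunk turns an algorithm-family name into what looks like a literal setting value; the value a reader types into `xpack.security.authc.password_hashing.algorithm` and `cache.hash_algo` was spelled lower-case in the previous revision, so either keep `pbkdf2` as the literal or drop the backticks and write "one of the available PBKDF2 values". The same hunk's "Authentication will still work" needs a caveat: a node that keeps verifying the non-compliant hashes already on disk is not yet in a compliant state, so say plainly that the file and native realms are compliant only once every existing user has been re-created or had their password changed, and that the restart-time cache flush described in the last paragraph does not touch the stored hashes.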
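Review bot: the new SQL CLI bullet in the Limitations hunk states what fails but not what the reader should do about it, whereas the two bullets above it each give a workaround (run the tool under a non-FIPS Java installation); if the same workaround applies to the CLI, say so, and if the only option is to connect without TLS, state that explicitly, because sending credentials over plain HTTP is a trade-off an operator must consciously accept rather than discover.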
From: Ioannis Kakavas Date: Mon, 20 Aug 2018 16:42:15 +0300 Subject: [PATCH 3/9] Add SAML decryption limitation for fips mode SAML Realm cannot handle encrypted SAML messages as the algorithms used for key transport are not FIPS 140-2 compliant. --- x-pack/docs/en/security/fips-140-compliance.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 81d3b80570a12..d8819b9833503 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -121,4 +121,6 @@ features is not available while running in fips mode. The list is as follows: used with a different (non FIPS 140-2 enabled) Java installation if available. * The SQL CLI client cannot run in a FIPS 140-2 enabled JVM while using - TLS for transport security or PKI for client authentication. \ No newline at end of file + TLS for transport security or PKI for client authentication. +* SAML Realm cannot decrypt and consume encrypted Assertions or encrypted + attributes in Attribute Statements from the SAML IdP. \ No newline at end of file From dcee61b2c71f1c2409c14eb96979ffef9f150b1d Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 20 Aug 2018 20:27:03 +0300 Subject: [PATCH 4/9] Address feedback --- .../settings/security-settings.asciidoc | 5 +++-- .../en/security/fips-140-compliance.asciidoc | 20 +++++++++---------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index cdff50d246862..334a377eac1f8 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
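Review bot: the new SAML bullet tells the reader what fails but not why or what to do; the commit message carries the reason (the key transport algorithms used for encrypted SAML messages are not FIPS 140-2 compliant) and it belongs in the doc, together with the operational consequence that the IdP must be configured to send unencrypted assertions and attribute statements to a realm running in FIPS mode. Without that, an administrator will see a decryption failure at login and have nothing to search for.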
@@ -47,8 +47,9 @@ omits all `ssl` settings, `bind_dn`, and `bind_password` due to the sensitive nature of the information. `xpack.security.fips_mode.enabled`:: -Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS-140 enabled JVM. For more -information, see {xpack-ref}/fips-140-compliance.html[FIPS-140 compliance]. Defaults to `false`. +Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS 140-2 enabled JVM. For more +information, see {xpack-ref}/fips-140-compliance.html[FIPS 140-2 compliance]. Defaults to `false`. + [float] [[password-security-settings]] ==== Default password security settings diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index d8819b9833503..45a2f2ba00cf8 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -4,9 +4,9 @@ The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. -government computer security standard used to approve cryptographic modules. -{es} is FIPS-140 compliant and as such can run in a FIPS-140 enabled JVM. In -order to set {es} in fips mode, you must set the +government computer security standard used to approve cryptographic modules. +{es} offers a FIPS 140-2 compliant mode and as such can run in a FIPS 140-2 +enabled JVM. In order to set {es} in fips mode, you must set the `xpack.security.fips_mode.enabled` to `true` in `elasticsearch.yml` For {es}, FIPS 140-2 compliance is ensured by 
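Review bot: "{es} offers a FIPS 140-2 compliant mode" is better than the previous "{es} is FIPS-140 compliant", but the paragraph still lets a reader conclude that {es} itself is a validated module; the bullet list in the trailing context says the validated module is the JVM's security provider, so add to this sentence that {es} is not itself validated and that compliance depends on the provider the JVM is configured with. Also pick one spelling between "fips mode" in the security-settings hunk of this patch and "FIPS 140-2 compliant mode" here.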
@@ -53,21 +53,19 @@ be used for <> NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module (the FIPS Approved Security Provider that your JVM uses). All the ciphers that -are configured by default in {es} are FIPS-140 compliant and as such can be -used in a FIPS-140 JVM. (see <>) +are configured by default in {es} are FIPS 140-2 compliant and as such can be +used in a FIPS 140-2 JVM. (see <>) ==== TLS Keystores and keys Keystores can be used in a number of <> in order to conveniently store key and trust material. Neither `JKS`, nor `PKCS#12` keystores can be used in a FIPS 140-2 enabled JVM however, so you must refrain from using -keystores in your configuration, and use `PEM` encoded files instead. For key -material, you can use the relevant `\*.key` and `*.certificate` configuration +these keystores. Your FIPS 140-2 provider may provide a compliant keystore that +can be used or you can use PEM encoded files. To use PEM encoded key material, +you can use the relevant `\*.key` and `*.certificate` configuration options, and for trust material you can use `*.certificate_authorities`. -NOTE: If your Cryptographic Module offers a keystore type that is FIPS 140-2 -compliant, you can use that instead, ensuring you set the correct value for -the type identifier in `\*.truststore.type` and `*.keystore.type` settings. FIPS 140-2 compliance dictates that the length of the public keys used for TLS must correspond to the strength of the symmetric key algorithm in use in TLS. @@ -122,5 +120,5 @@ features is not available while running in fips mode. The list is as follows: available. * The SQL CLI client cannot run in a FIPS 140-2 enabled JVM while using TLS for transport security or PKI for client authentication. -* SAML Realm cannot decrypt and consume encrypted Assertions or encrypted +* The SAML Realm cannot decrypt and consume encrypted Assertions or encrypted attributes in Attribute Statements from the SAML IdP. \ No newline at end of file 
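Review bot: deleting the NOTE in this hunk removes the only instruction on how a provider keystore is actually selected (`*.truststore.type` and `*.keystore.type`), so "Your FIPS 140-2 provider may provide a compliant keystore that can be used" now leaves the reader with no setting to configure; keep the type-identifier sentence inside the rewritten paragraph rather than dropping it. The rewrite otherwise resolves the contradiction flagged in the previous patch, since the prohibition is now limited to "these keystores", meaning `JKS` and `PKCS#12`.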
From 98cdacb5d7c11e4c5dd7a14d6096f5fe0b3a54f7 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Mon, 20 Aug 2018 21:06:54 +0300 Subject: [PATCH 5/9] Fix grammar --- x-pack/docs/en/security/fips-140-compliance.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 45a2f2ba00cf8..65244fef80f4e 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -106,7 +106,7 @@ using the compliant `PBKDF2` algorithm you have selected. === Limitations Due to the limitations that FIPS 140-2 compliance enforces, a small number of -features is not available while running in fips mode. The list is as follows: +features are not available while running in fips mode. The list is as follows: * Azure Classic Discovery Plugin * Ingest Attachment Plugin From e663737f6b0ecd616e7d62b8fe1893096e6309ae Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 20 Aug 2018 16:54:05 -0700 Subject: [PATCH 6/9] [DOCS] Adds FIPS documentation to security configuration section --- docs/reference/settings/security-settings.asciidoc | 13 ++++++++++++- x-pack/docs/en/security/configuring-es.asciidoc | 4 ++++ .../docs/en/security/fips-140-compliance.asciidoc | 3 ++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 334a377eac1f8..8c02ebdd21bb9 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
@@ -1125,7 +1125,12 @@ settings such as those for HTTP or Transport. `xpack.ssl.supported_protocols`:: Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`. Defaults to `TLSv1.2`, `TLSv1.1`, -`TLSv1`. +`TLSv1`. ++ +-- +NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` +or `SSLv3`. See <>. +-- `xpack.ssl.client_authentication`:: Controls the server's behavior in regard to requesting a certificate @@ -1224,6 +1229,9 @@ Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. +WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use Java +keystore files. See <>. + [float] ===== PKCS#12 files @@ -1262,6 +1270,9 @@ Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. +WARNING: If `xpack.security.fips_mode.enabled` is `true`, you cannot use PKCS#12 +keystore files. See <>. + [[pkcs12-truststore-note]] [NOTE] Storing trusted certificates in a PKCS#12 file, although supported, is diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc index a13547263a582..47d580491c139 100644 --- a/x-pack/docs/en/security/configuring-es.asciidoc +++ b/x-pack/docs/en/security/configuring-es.asciidoc @@ -27,6 +27,9 @@ https://www.elastic.co/subscriptions and your cluster. If you are using a trial license, the default value is `false`. For more information, see {ref}/security-settings.html[Security Settings in {es}]. +. If you plan to run {es} in a Federal Information Processing Standard (FIPS) +140-2 enabled JVM, see <>. + . Configure Transport Layer Security (TLS/SSL) for internode-communication. + -- 
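Review bot: the `supported_protocols` NOTE is attached to the top-level `xpack.ssl.*` entry only, but the context at the top of this hunk says these are the defaults inherited by the HTTP and Transport settings, and the realm-level SSL settings have their own `supported_protocols`; say that the `SSLv2Hello` and `SSLv3` restriction applies to every `*.ssl.supported_protocols` setting, otherwise a reader who overrides protocols per context will miss it.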
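Review bot: the two new WARNINGs say "you cannot use Java keystore files" and "you cannot use PKCS#12 keystore files", while the FIPS page as rewritten in the previous patch says a keystore type supplied by the FIPS provider may be used; make the first WARNING say `JKS` keystore files rather than "Java keystore files", so a provider keystore configured through `*.keystore.type` is not read as forbidden, and mention `*.keystore.type` and `*.truststore.type` here as the way to select it, since this settings page is where a reader configuring keystores will actually be looking.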
@@ -145,5 +148,6 @@ include::authentication/configuring-pki-realm.asciidoc[] include::authentication/configuring-saml-realm.asciidoc[] :edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/authentication/configuring-kerberos-realm.asciidoc include::authentication/configuring-kerberos-realm.asciidoc[] +include::fips-140-compliance.asciidoc[] include::{es-repo-dir}/settings/security-settings.asciidoc[] include::{es-repo-dir}/settings/audit-settings.asciidoc[] diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 65244fef80f4e..131a8768be647 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -89,7 +89,8 @@ the following table: on disk. However, only the `PBKDF2` family of algorithms is compliant with FIPS 140-2 for password hashing. You must set the the `cache.hash_algo` realm settings and the `xpack.security.authc.password_hashing.algorithm` setting to one of the -available `PBKDF2` values. See <>. +available `PBKDF2` values. +//See <>. Password hashing configuration changes are not retroactive so the stored hashed credentials of existing users of the file and native realms will not be updated From 147380d463a9027b9b9d47053f7220177820740b Mon Sep 17 00:00:00 2001 From: lcawl Date: Mon, 20 Aug 2018 17:08:47 -0700 Subject: [PATCH 7/9] [DOCS] Fixes link to FIPS content --- docs/reference/settings/security-settings.asciidoc | 3 +-- x-pack/docs/en/security/fips-140-compliance.asciidoc | 11 ++++++++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc index 8c02ebdd21bb9..ebd1ae97db1e0 100644 --- a/docs/reference/settings/security-settings.asciidoc +++ b/docs/reference/settings/security-settings.asciidoc 
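Review bot: commenting out the cross-reference with `//See` in the password hashing hunk silently removes the only pointer to the list of valid `pbkdf2` values; if the xref target does not resolve now that the page is included from `configuring-es.asciidoc`, replace it with a reference to the `xpack.security.authc.password_hashing.algorithm` entry in the security settings page rather than dropping it, because the reader otherwise has to guess the value syntax. The include placement in `configuring-es.asciidoc` (after the license step and before the TLS step) is right, since the FIPS rules change which TLS settings are valid.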
@@ -47,8 +47,7 @@ omits all `ssl` settings, `bind_dn`, and `bind_password` due to the sensitive nature of the information. `xpack.security.fips_mode.enabled`:: -Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS 140-2 enabled JVM. For more -information, see {xpack-ref}/fips-140-compliance.html[FIPS 140-2 compliance]. Defaults to `false`. +Enables fips mode of operation. Set this to `true` if you run this {es} instance in a FIPS 140-2 enabled JVM. For more information, see <>. Defaults to `false`. [float] [[password-security-settings]] diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index 131a8768be647..ac15dc8c7ce78 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[fips-140-compliance]] -== FIPS 140-2 +=== FIPS 140-2 The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules" is a U.S. @@ -20,7 +20,8 @@ For {es}, FIPS 140-2 compliance is ensured by IMPORTANT: Only {es} 6.4.0 and later can be run in a FIPS 140-2 enabled JVM -=== Upgrade considerations +[float] +==== Upgrade considerations If you plan to upgrade your existing Cluster to a version that can be run in a FIPS 140-2 enabled JVM, the suggested approach is to first perform a rolling 
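Review bot: after this hunk "Upgrade considerations" is a `[float] ====` heading while the hunks that follow leave "Configuring {es} for FIPS 140-2" and "Limitations" at `===`, so one of three sibling sections is rendered a level deeper than the other two; pick one level for all three. Separately, the page title is now `=== FIPS 140-2` and the three section headings are also `===`, so title and sections render at the same size even though the `[float]` keeps them out of the table of contents; `====` for the sections and `=====` for TLS, keystores and password hashing would make the hierarchy visible.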
@@ -40,12 +41,14 @@ FIPS 140-2 JVM. In this case, you would need to also regenerate your `elasticsearch.keystore` and migrate all secure settings to it, in addition to the necessary configuration changes outlined below, before starting each node. +[float] === Configuring {es} for FIPS 140-2 Apart from setting `xpack.security.fips_mode.enabled`, a number of security related settings need to be configured accordingly in order to be compliant and able to run {es} successfully in a FIPS 140-2 enabled JVM. +[float] ==== TLS SSLv2 and SSLv3 are not allowed by FIPS 140-2, so `SSLv2Hello` and `SSLv3` cannot @@ -56,6 +59,7 @@ NOTE: The use of TLS ciphers is mainly governed by the relevant crypto module are configured by default in {es} are FIPS 140-2 compliant and as such can be used in a FIPS 140-2 JVM. (see <>) +[float] ==== TLS Keystores and keys Keystores can be used in a number of <> in order to @@ -82,7 +86,7 @@ the following table: | `AES-256` | 15630 | 512+ |======================= - +[float] ==== Password Hashing {es} offers a number of algorithms for securely hashing credentials in memory and @@ -104,6 +108,7 @@ The user cache will be emptied upon node restart, so any existing hashes using non-compliant algorithms will be discarded and the new ones will be created using the compliant `PBKDF2` algorithm you have selected. +[float] === Limitations Due to the limitations that FIPS 140-2 compliance enforces, a small number of From 8c9045198f836ea8bc509f387c070b285e7d663d Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 21 Aug 2018 08:59:15 +0300 Subject: [PATCH 8/9] Address feedback --- x-pack/docs/en/security/fips-140-compliance.asciidoc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index ac15dc8c7ce78..cda613ac0aeb9 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc 
+++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -18,10 +18,8 @@ For {es}, FIPS 140-2 compliance is ensured by - Allowing the configuration of {es} in a FIPS 140-2 compliant manner, as documented below. -IMPORTANT: Only {es} 6.4.0 and later can be run in a FIPS 140-2 enabled JVM - [float] -==== Upgrade considerations +=== Upgrade considerations If you plan to upgrade your existing Cluster to a version that can be run in a FIPS 140-2 enabled JVM, the suggested approach is to first perform a rolling @@ -93,7 +91,7 @@ the following table: on disk. However, only the `PBKDF2` family of algorithms is compliant with FIPS 140-2 for password hashing. You must set the the `cache.hash_algo` realm settings and the `xpack.security.authc.password_hashing.algorithm` setting to one of the -available `PBKDF2` values. +available `PBKDF2` values. //See <>. Password hashing configuration changes are not retroactive so the stored hashed From ee999d0e21ef4c1c77cc2c8236488959891a33f9 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Tue, 21 Aug 2018 12:16:32 +0300 Subject: [PATCH 9/9] Reintroduce link --- x-pack/docs/en/security/fips-140-compliance.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/docs/en/security/fips-140-compliance.asciidoc b/x-pack/docs/en/security/fips-140-compliance.asciidoc index cda613ac0aeb9..ceb605c2e2db1 100644 --- a/x-pack/docs/en/security/fips-140-compliance.asciidoc +++ b/x-pack/docs/en/security/fips-140-compliance.asciidoc @@ -92,7 +92,7 @@ on disk. However, only the `PBKDF2` family of algorithms is compliant with FIPS 140-2 for password hashing. You must set the the `cache.hash_algo` realm settings and the `xpack.security.authc.password_hashing.algorithm` setting to one of the available `PBKDF2` values. -//See <>. +See <>. Password hashing configuration changes are not retroactive so the stored hashed credentials of existing users of the file and native realms will not be updated
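Review bot: removing the IMPORTANT line in the first hunk deletes the only statement of the minimum version that can run in a FIPS 140-2 JVM, yet the Upgrade considerations paragraph kept in the trailing context still says "upgrade your existing Cluster to a version that can be run in a FIPS 140-2 enabled JVM" without naming one; either keep the version number in that paragraph or rephrase it so it no longer depends on a number the page does not state. The second hunk's removal of the commented-out `//See` line leaves the password hashing paragraph with no pointer to the valid values at all; see the note on the next patch.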
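Review bot: reintroducing the cross-reference restores the missing pointer, but the doubled "the" in the context line "You must set the the `cache.hash_algo` realm settings" has survived all nine revisions; fix it in this patch while the hunk is open, and confirm the xref target resolves from the `configuring-es.asciidoc` include location, since the same link was commented out two patches earlier without a stated reason and a broken xref is the likely one.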