GSA / datagov-wptheme

Data.gov WordPress Theme (obsolete)
https://www.data.gov

CKAN Installation failure issue in FIPS enabled FCS EC2 Instance #891

Closed marikanti closed 3 years ago

marikanti commented 4 years ago

Hi,

This issue is not related to your repo. I'm working for another Federal Agency and would like to know if you guys faced the FIPS issue below when trying to install CKAN. If so, how did you guys resolve it? Or are you guys using Docker?

CKAN Version - 2.8.3 (Latest)

Installing CKAN on Federal Cloud AWS Instance on RHEL 7.7

During the installation process while initializing Database using this command "paster db init -c /etc/ckan/default/development.ini"

FIPS Issue

I'm getting the below error:

(default) [root@ip-x-x-x-x ckan]# paster db init -c /etc/ckan/default/development.ini
Traceback (most recent call last):
  File "/usr/lib/ckan/default/bin/paster", line 8, in <module>
    sys.exit(run())
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/paste/script/command.py", line 101, in run
    command = commands[command_name].load()
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2305, in load
    return self.resolve()
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2311, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/root/ckan/lib/default/src/ckan/ckan/lib/cli.py", line 32, in <module>
    from ckan.config.middleware import make_app
  File "/root/ckan/lib/default/src/ckan/ckan/config/middleware/__init__.py", line 13, in <module>
    from ckan.config.middleware.flask_app import make_flask_stack
  File "/root/ckan/lib/default/src/ckan/ckan/config/middleware/flask_app.py", line 18, in <module>
    from beaker.middleware import SessionMiddleware
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/beaker/middleware.py", line 11, in <module>
    from beaker.cache import CacheManager
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/beaker/cache.py", line 23, in <module>
    import beaker.ext.mongodb as mongodb
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/beaker/ext/mongodb.py", line 102, in <module>
    class MongoSynchronizer(SynchronizerImpl):
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/beaker/ext/mongodb.py", line 106, in MongoSynchronizer
    MACHINE_ID = machine_identifier()
  File "/usr/lib/ckan/default/lib/python2.7/site-packages/beaker/util.py", line 489, in machine_identifier
    machine_hash = hashlib.md5()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Has anyone had this error? How can this issue be resolved?

We cannot disable FIPS as it's a security issue.

Thanks in advance for your answer.

mogul commented 4 years ago

Apologies for the late response... Are you still stuck on this problem?

marikanti commented 4 years ago

> Apologies for the late response... Are you still stuck on this problem?

Yes Mogul, how did you guys fix it?

adborden commented 3 years ago

Again, sorry for the late response. @marikanti we did not run into this specific issue. We are using a hardened Ubuntu image for our base OS which does not have a hard FIPS requirement in libraries like openssl. We've audited the CKAN code and dependencies to ensure that md5 hash functions are not used in secure contexts and have documented this in our system security plan.

In your stack trace, it looks like md5 is only being used as an identifier within the mongodb extension. Is there a hard requirement to use RHEL with the hard FIPS mitigations enabled? Perhaps it's possible to disable that particular mongodb extension via configuration? I would reach out to the beaker team about this.
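The thread's closing point, that md5 here only derives an identifier, can be expressed in code so the call no longer trips FIPS enforcement. This is an added example, not code from CKAN, Beaker or this repository; it assumes Python 3.9+ (where `hashlib` constructors accept `usedforsecurity`), and all function names are hypothetical.

```python
import binascii
import hashlib
import socket


def fips_blocks_md5(md5_ctor=hashlib.md5):
    """Return True if a plain md5() call raises, as in the traceback above."""
    try:
        md5_ctor()
        return False
    except ValueError:
        return True


def non_security_digest(data, md5_ctor=hashlib.md5):
    """Hash `data` for use as an opaque identifier only, never for integrity or auth."""
    try:
        # Python 3.9+: declares that this digest is not a security control,
        # which FIPS-enabled OpenSSL builds can permit.
        h = md5_ctor(usedforsecurity=False)
    except (TypeError, ValueError):
        # Older interpreter (no such keyword) or md5 refused outright:
        # fall back to a FIPS-approved algorithm.
        h = hashlib.sha256()
    h.update(data)
    return h


def machine_identifier(hostname=None, md5_ctor=hashlib.md5):
    """Short hex identifier derived from the hostname (hypothetical helper)."""
    host = (hostname or socket.gethostname()).encode("utf-8")
    digest = non_security_digest(host, md5_ctor).digest()
    return binascii.hexlify(digest[:3]).decode("ascii")


def _fips_like_md5(*args, **kwargs):
    # Constructed stand-in for an OpenSSL that refuses md5 in every mode.
    raise ValueError("error:060800A3:digital envelope routines:"
                     "EVP_DigestInit_ex:disabled for fips")


if __name__ == "__main__":
    print("plain md5 blocked here:", fips_blocks_md5())
    print("identifier:", machine_identifier())
    print("identifier when md5 is refused:",
          machine_identifier("host.example", _fips_like_md5))
```

The md5 and sha256 paths yield different identifiers for the same hostname, so pin one algorithm if the value must stay stable across hosts with different FIPS settings.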