Verify Fleet message signing service works in FIPS mode
Summary
Verify Fleet message signing service works in FIPS mode
Details
While running the new Jest FIPS pipeline I noticed an error while running
x-pack/plugins/fleet/server/services/security/message_signing_service.test.ts
https://github.com/elastic/kibana/blob/17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f/x-pack/plugins/fleet/server/services/security/message_signing_service.test.ts#L192-L211
Specifically this code:
https://github.com/elastic/kibana/blob/17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f/x-pack/plugins/fleet/server/services/security/message_signing_service.ts#L128-L132
Based on the code, everything looks FIPS compliant, and the Key Pair generation looks good as well.
I "patched" some other errors for this image (related https://github.com/elastic/kibana/issues/194944) so I could have this image build.
Once the other errors were patched, the failing jest test above started passing 🤔
I was unable to reproduce the failing test in my local FIPS env, so it was always suspicious.
I would like to verify that this functionality works as expected in FIPS mode, but I am not familiar enough with Fleet to do so.
Set up a FIPS environment locally
Start an ES instance in a method of your choosing, but not using yarn es snapshot. I like to use a 9.0.0-snapshot from the .es/cache directory by running
tar -xzvf elasticsearch-9.9.0-SNAPSHOT-darwin-aarch64.tar.gz
and cd into the new directory's bin folder to run ./elasticsearch
In a new terminal window, navigate to the top level of your elasticsearch folder and run:
curl -X POST --cacert config/certs/http_ca.crt -u elastic:YOUR_PASSWORD_HERE "https://localhost:9200/_license/start_trial?acknowledge=true&pretty"
This will enable the trial license for ES.
Ensure you have Docker running locally.
From any command line, run:
This will start Kibana in Interactive Setup mode; copy and paste the token from the ES startup logs.