Closed 01000101 closed 1 year ago
@01000101 Thanks for the issue. At the moment UDS is not supported running in FIPS mode. The recommendation for FIPS mode is to install SUDS (slim user data services) which is basically no UDS at all (but still provides a bascfg to allow the MAS suite to continue). This can be installed by setting the install_suds on the uds_action https://ibm-mas.github.io/ansible-devops/roles/uds/#uds_action.
For the MAS Suite to run in FIPS mode you would have to install using the latest catalog (May 18th) that has MAS 8.10.1 available.
Versions
- OpenShift 4.10.59 (FIPS enabled)
- IBM CPFS Operator 3.23.3
- Crunchy Postgres Operator 5.3.0
- IBM User Data Services Operator 2.0.10
Problem statement
I'm trying to deploy IBM UDS via CPFS Operand but it fails in FIPS mode. Initially, it fails in the Pod/store-api-deployment (init container pem-to-keystore) due to password encryption being used (PBE) which is not supported in FIPS mode. This can be worked around by tricking keytool into bypassing FIPS restrictions (unacceptable in the real world, but fine for testing). After working around that issue, another, more blocking, issue in the main container (store-api) shows up regarding connection to PostgreSQL.
Diagnostics / logs
Log snippet from Pod/store-api-deployment (pem-to-keystore)
The workaround for the above is to add -J-Dcom.redhat.fips=false into Deployment/store-api-deployment where the init-container command is keytool -importkeystore -noprompt ... and letting it reconcile.
Log snippet from Pod/store-api-deployment (store-api)
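An audit check for the test-only workaround described in this issue, added here as an example and not part of the original issue or of any IBM code: it walks a Deployment manifest (for instance the JSON from `oc get deployment -o json`) and reports every init container or container whose command, args, or JVM option environment variables carry the `com.redhat.fips=false` override. The sample manifest, the function name and the list of environment variables checked are assumptions made for the example.

```python
import re

# Matches -Dcom.redhat.fips=false, with or without the launcher's -J prefix.
FIPS_OFF = re.compile(r"(?:-J)?-Dcom\.redhat\.fips=false\b", re.IGNORECASE)
# Environment variables through which JVM options are commonly injected (assumed list).
JVM_ENV_VARS = {"JAVA_TOOL_OPTIONS", "JDK_JAVA_OPTIONS", "_JAVA_OPTIONS"}


def find_fips_overrides(deployment):
    """Return (container_kind, container_name, field) for each FIPS override found."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    for kind in ("initContainers", "containers"):
        for ctr in pod_spec.get(kind) or []:
            name = ctr.get("name")
            for field in ("command", "args"):
                if any(FIPS_OFF.search(str(arg)) for arg in ctr.get(field) or []):
                    findings.append((kind, name, field))
            for env in ctr.get("env") or []:
                value = str(env.get("value") or "")
                if env.get("name") in JVM_ENV_VARS and FIPS_OFF.search(value):
                    findings.append((kind, name, "env:" + env["name"]))
    return findings


# Constructed sample: only the names come from the issue; the command line is
# shortened and is not the operator's real init-container command.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "store-api-deployment"},
    "spec": {"template": {"spec": {
        "initContainers": [{
            "name": "pem-to-keystore",
            "command": ["keytool", "-J-Dcom.redhat.fips=false",
                        "-importkeystore", "-noprompt"],
        }],
        "containers": [{"name": "store-api", "args": ["--serve"]}],
    }}},
}

if __name__ == "__main__":
    for kind, name, field in find_fips_overrides(SAMPLE):
        print(f"FIPS override in {kind}/{name} ({field})")
```
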