
[Feature Request] Documentation for FIPS configuration

Open whgibbo opened this issue 7 months ago • 5 comments

Is your feature request related to a problem? Please describe

Looking for clarification if OpenSearch 3.x can be configured for FIPS only algorithms. From what I can see:

  • the BouncyCastle FIPS jars are included in the docker image
  • usr/share/opensearch/config/java.security is configured to Bouncy Castle

But I can't find any documentation references on how to enable this.

I'm assuming that just setting the JVM OPTS could be enough.

Describe the solution you'd like

It would be good for any or all of the following:

  • introduce documentation to indicate if FIPS is supported and at what level.
  • introduce a parameter for the docker file to enable FIPS, which would then utilize the correct java.security file.

Related component

Other

Describe alternatives you've considered

Trying what I suggested above.

Additional context

No response

whgibbo avatar May 16 '25 21:05 whgibbo

@beanuwave @cwperks Can you provide any help here?

andrross avatar May 28 '25 22:05 andrross

Any help on this ?

whgibbo avatar Jun 05 '25 13:06 whgibbo


@cwperks another ping here if you have a second to take a look.

andrross avatar Jun 09 '25 16:06 andrross

@kaimst are you aware of this?

KarstenSchnitter avatar Jun 13 '25 05:06 KarstenSchnitter

@KarstenSchnitter, yes we are aware. Full documentation will be provided as soon as the remaining FIPS components are in place.

kaimst avatar Jun 13 '25 07:06 kaimst

@kaimst Are there any ideas on when the remaining FIPS components will be in place?

whgibbo avatar Jul 07 '25 10:07 whgibbo

@whgibbo, we are in the final stages of this contribution, but it is currently hard to give an exact timeline. Also, I am unsure about the status of the security plugin. Perhaps @terryquigleysas can say something?

kaimst avatar Jul 07 '25 11:07 kaimst

@kaimst We have recently resolved the primary, remaining blocker in the security plugin, allowing OpenSAML to work with the Bouncy Castle FIPS libraries. Everything should be clear for the Core work to complete.

https://github.com/opensearch-project/security/pull/5404 https://github.com/opensearch-project/security/pull/5439

terryquigleysas avatar Jul 07 '25 11:07 terryquigleysas

Just adding a few more notes from work done on the security plugin and elsewhere that has relevance here:

  • The default password hashing algorithm is not FIPS-compliant. This can be changed by setting plugins.security.password.hashing.algorithm to PBKDF2. This is documented at https://docs.opensearch.org/docs/latest/install-and-configure/configuring-opensearch/security-settings/#expert-level-settings - note the disclaimer about rehashing passwords if changing on an existing cluster.
  • The default field masking algorithm is not FIPS-compliant. This can be changed by setting plugins.security.masked_fields.algorithm.default to something that is, e.g. SHA-256. This is documented at https://docs.opensearch.org/docs/latest/security/access-control/field-masking/#advanced-use-an-alternative-hash-algorithm
  • Recent changes have updated the bundled JDK to JDK-24 (https://github.com/opensearch-project/OpenSearch/pull/18085) while the Bouncy Castle FIPS libraries, at time of writing, are "certified for use on Java 8, Java 11, Java 17 and Java 21" - see https://www.bouncycastle.org/download/bouncy-castle-java-fips/. Any JDK instructions should make this clear.

There is always the potential to add more validation to Core and the Security plugin to flag up where FIPS flags do not align and settings may need to change.

terryquigleysas avatar Jul 14 '25 09:07 terryquigleysas
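The three points in the comment above (password hashing algorithm, field masking algorithm, and the JDK version the BC-FIPS libraries are certified for) can be turned into a pre-flight check that an operator runs before enabling FIPS mode. The script below is an added example, not code from the OpenSearch project or from any commenter; it assumes a flat `key: value` opensearch.yml, treats SHA-256/SHA-384/SHA-512 as the acceptable masking hashes (an assumed allow-list; the thread only names SHA-256 as one FIPS-compliant option), and uses the Java versions quoted from the Bouncy Castle download page. The two sample configurations are constructed for the example.

```python
# Added example: pre-flight check for the FIPS-related settings named in the
# thread. Not OpenSearch project code. Only flat "key: value" lines are parsed.
import re

PASSWORD_HASH_KEY = "plugins.security.password.hashing.algorithm"
MASKING_HASH_KEY = "plugins.security.masked_fields.algorithm.default"

# Value the thread gives for FIPS-compliant password hashing.
REQUIRED_PASSWORD_HASH = "PBKDF2"
# Assumed allow-list of FIPS-approved digests for field masking (SHA-2 family);
# the thread itself only names SHA-256 as an example.
FIPS_MASKING_HASHES = {"SHA-256", "SHA-384", "SHA-512"}
# Java versions the BC-FIPS download page lists as certified (quoted above).
BCFIPS_CERTIFIED_JAVA = {8, 11, 17, 21}

# Constructed sample: security plugin left at its defaults.
DEFAULT_YML = """\
# constructed sample, not a real cluster configuration
cluster.name: fips-check
"""

# Constructed sample: both settings from the thread set explicitly.
HARDENED_YML = """\
# constructed sample, not a real cluster configuration
cluster.name: fips-check
plugins.security.password.hashing.algorithm: PBKDF2
plugins.security.masked_fields.algorithm.default: SHA-256
"""


def parse_flat_yaml(text):
    """Return top-level 'key: value' pairs; comments and indented (nested) lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line.startswith((" ", "\t")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def java_major_version(version_string):
    """Map 'java -version' style strings ('1.8.0_392', '21.0.2', '24') to a major number."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version_string!r}")
    major = int(m.group(1))
    if major == 1 and m.group(2):  # legacy '1.x' naming, e.g. 1.8 -> 8
        major = int(m.group(2))
    return major


def fips_findings(settings, java_version):
    """Return a list of human-readable findings; an empty list means all three checks pass."""
    findings = []
    pw = settings.get(PASSWORD_HASH_KEY)
    if pw != REQUIRED_PASSWORD_HASH:
        findings.append(
            f"{PASSWORD_HASH_KEY} is {pw!r}; set it to {REQUIRED_PASSWORD_HASH} "
            "(existing clusters must rehash stored passwords)"
        )
    mask = settings.get(MASKING_HASH_KEY)
    if mask not in FIPS_MASKING_HASHES:
        findings.append(
            f"{MASKING_HASH_KEY} is {mask!r}; set it to one of {sorted(FIPS_MASKING_HASHES)}"
        )
    major = java_major_version(java_version)
    if major not in BCFIPS_CERTIFIED_JAVA:
        findings.append(
            f"Java {major} is not in the BC-FIPS certified set {sorted(BCFIPS_CERTIFIED_JAVA)}"
        )
    return findings


if __name__ == "__main__":
    for label, yml, jv in (("default", DEFAULT_YML, "24"), ("hardened", HARDENED_YML, "21.0.2")):
        print(f"[{label} config, Java {jv}]")
        for f in fips_findings(parse_flat_yaml(yml), jv) or ["no findings"]:
            print("  -", f)
```

Run against a real file with `fips_findings(parse_flat_yaml(open(path).read()), java_version)`, where `java_version` is the first token of the bundled JDK's `java -version` output. The check is deliberately conservative: an unset masking algorithm is reported rather than assumed safe, because the thread states the default is not FIPS-compliant.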

Any updates on this? The links above are not working.

whgibbo avatar Nov 26 '25 11:11 whgibbo