From c92d5e5b487256e0bef7cc94b0c3b371e4eda267 Mon Sep 17 00:00:00 2001 From: Jake Landis Date: Fri, 2 Feb 2024 11:30:54 -0600 Subject: [PATCH] more --- .../security/fips-140-compliance.asciidoc | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/reference/security/fips-140-compliance.asciidoc b/docs/reference/security/fips-140-compliance.asciidoc index 45694ca3cc7cc..9042b9b76e25a 100644 --- a/docs/reference/security/fips-140-compliance.asciidoc +++ b/docs/reference/security/fips-140-compliance.asciidoc 
@@ -32,15 +32,15 @@ The following is a high-level overview of the steps required to configure a FIPS * Use an externally installed Java installation. The JVM bundled with {es} is not configured for FIPS 140-2. * Install a FIPS certified security provider .jar file(s) in {es}'s `lib` directory. -* Configure Java to use the FIPS certified security provider (xref:java-security-provider[see below]). +* Configure Java to use a FIPS certified security provider (xref:java-security-provider[see below]). * Configure {es}'s security manager to allow use of the FIPS certified provider (xref:java-security-manager[see below]). * Ensure the keystore and truststore are configured correctly (xref:keystore-fips-password[see below]). * Ensure the TLS settings are configured correctly (xref:fips-tls[see below]). * Ensure the password hashing settings are configured correctly (xref:fips-stored-password-hashing[see below]). * Ensure the cached password hashing settings are configured correctly (xref:fips-cached-password-hashing[see below]). -* Set `xpack.security.fips_mode.enabled` to `true` in `elasticsearch.yml`. +* Configure `elasticsearch.yml` to use FIPS 140-2 mode, see (xref:configuring-es-yml[below]). * Verify the security provider is installed and configured correctly (xref:verify-security-provider[see below]). -* Understand the upgrade considerations (xref:fips-upgrade-considerations[see below]). and limitations (xref:fips-limitations[see below]). +* Review the upgrade considerations (xref:fips-upgrade-considerations[see below]) and limitations (xref:fips-limitations[see below]). [discrete] 
@@ -188,6 +188,19 @@ The user cache will be emptied upon node restart, so any existing hashes using non-compliant algorithms will be discarded and the new ones will be created using the algorithm you have selected. +[discrete] +[[configuring-es-yml]] +==== Verify the security provider is installed + +* Set `xpack.security.fips_mode.enabled` to `true` in `elasticsearch.yml`. This setting is used to ensure to configure some internal +configuration to be FIPS 140-2 compliant and provides some additional verification. + +* Set `xpack.security.autoconfiguration.enabled` to `false`. This will disable the automatic configuration of the security settings. +Users must ensure that the security settings are configured correctly for FIPS-140-2 compliance. This is only applicable for new installations. + +* Optional: Set `xpack.security.fips_mode.required_providers` in `elasticsearch.yml` to ensure the required security providers. +see xref:verify-security-provider[below]. + [discrete] [[verify-security-provider]] ==== Verify the security provider is installed
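Review bot: In the first hunk, the rewritten line "Configure `elasticsearch.yml` to use FIPS 140-2 mode, see (xref:configuring-es-yml[below])." breaks the pattern every other bullet in this list follows, where the cross-reference is written as "(xref:...[see below])" with no comma and with "see" inside the link text. Suggest "* Configure `elasticsearch.yml` for FIPS 140-2 mode (xref:configuring-es-yml[see below])." so the new bullet reads like its neighbours. The other two changes in this hunk (the "a" vs "the" provider wording and the merged "Review the upgrade considerations ... and limitations" sentence) read correctly.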
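Review bot: In the second hunk, the new `[[configuring-es-yml]]` section reuses the heading "==== Verify the security provider is installed", which is the same heading the existing `[[verify-security-provider]]` section directly below already carries, so the rendered page will show two identical headings back to back and the bullet in the first hunk points readers to a section whose title does not match its content. Suggest a heading that describes what the section does, e.g. "==== Configure `elasticsearch.yml` for FIPS 140-2 mode". The first bullet's sentence "This setting is used to ensure to configure some internal configuration to be FIPS 140-2 compliant and provides some additional verification." is ungrammatical and should be reworded, for instance "This setting adjusts some internal configuration for FIPS 140-2 compliance and enables additional verification." The third bullet ends with a fragment: "to ensure the required security providers. see xref:verify-security-provider[below]." should become a single sentence with a capitalised link, e.g. "to verify that the required security providers are present (xref:verify-security-provider[see below])." It would also help to state in the second bullet where `xpack.security.autoconfiguration.enabled` is set (`elasticsearch.yml`, as the first bullet does), since the hunk only says "Set ... to `false`".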