While Confluent Platform is not FIPS-certified, it provides additional FIPS-compliant
cipher enforcement at the Kafka broker level. Confluent Platform distributes
a Bouncy Castle FIPS JSSE Security Provider that leverages the Bouncy Castle
JSSE Provider FIPS extensions, which enables a second level of cipher enforcement at
the broker level (beyond settings defined in ssl.cipher.suites
), and reject
non-compliant incoming and outgoing broker connections. Refer to
Appendix B – Supported Cipher Suites
for a complete list of supported cipher suites.
When running Confluent Platform in FIPS-enabled mode, the cryptographic use of the following
technologies will run only using FIPS-compliant ciphers:
Any cipher suites for TLS connections from ksqlDB, Connect, Confluent Control Center, or Schema Registry to a broker
are enforced by the broker.
Prerequisites
OS: RHEL 7.x and later.
Enable FIPS mode on RHEL 7.x or later.
Use FIPS-certified provider Bouncy Castle (BC) version 1.0.2, which provides crypto cipher suites for TLS communication and encryption/decryption
service (provided as part of the distribution).
Run FIPs-compliant cryptographic libraries and SSL encryption over the wire for
all communications, which means you must configure Confluent Platform with SSL communications
for all publish/subscribe client-to-broker and component-to-broker communications.
The default keystore format is JKS, which is not a standardized format and is
deprecated and not supported by FIPS providers. The BC FIPS provider supports
two types of keystore formats: PKCS12 and BCFKS. However, only the BCFKS key
store is designed to be FIPS-compliant. You must either create a BCFKS
format keystore, or convert JKS or PKCS12 to BCFKS,
which is a standardized and language-neutral way of storing encrypted private
keys and certificates.
The following configuration example is not specific to FIPS or a new configuration;
rather, it shows the specific use case to configure TLS/SSL so that it includes
the BCFKS keystore for TLS/SSL communication. You must also include listeners
prefixed with listener.name.
for each listener in the TLS/SSL configuration.
The listener configuration in the example below is based on the following definition:
listener.security.protocol.map = INTERNAL:SASL_SSL,BROKER:SSL,EXTERNAL:SSL \
listeners = INTERNAL://:9092,BROKER://:9091,EXTERNAL://:9093
# TLS/SSL configuration
ssl.keymanager.algorithm=PKIX
ssl.trustmanager.algorithm=PKIX
ssl.keystore.type=BCFKS
ssl.truststore.type=BCFKS
ssl.truststore.location=<path-to-ssl-truststore>
ssl.truststore.password=<ssl-truststore-password>
ssl.keystore.location=<path-to-ssl-keystore>
ssl.keystore.password=<ssl-keystore-password>
ssl.key.password= <ssl-key-password>
# External listener configuration
listener.name.external.ssl.keymanager.algorithm=PKIX
listener.name.external.ssl.trustmanager.algorithm=PKIX
listener.name.external.ssl.keystore.type=BCFKS
listener.name.external.ssl.truststore.type=BCFKS
listener.name.external.ssl.truststore.location=<path-to-ssl-truststore>
listener.name.external.ssl.truststore.password=<ssl-truststore-password>
listener.name.external.ssl.keystore.location=<path-to-ssl-keystore>
listener.name.external.ssl.keystore.password=<ssl-keystore-password>
listener.name.external.ssl.key.password= <ssl-key-password>
MDS provides additional FIPS-compliant cipher enforcement
over HTTPS communication to and from MDS. The following example
shows an MDS configuration for FIPS-compliance:
confluent.metadata.server.ssl.keystore.type=BCFKS
confluent.metadata.server.ssl.keymanager.algorithm=PKIX
confluent.metadata.server.ssl.keystore.location=kafka.server.keystore.bcfks
confluent.metadata.server.ssl.keystore.password=
confluent.metadata.server.ssl.key.password=
Converting from PKCS12 to BCFKS
If you are using the PKCS12 store, convert to use the BCFKS store by entering the following command:
keytool -importkeystore -v -srckeystore kafka.server.keystore.pk12 -srcstoretype PKCS12 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -destkeystore kafka.server.keystore.bcfks -deststoretype BCFKS
Configuring keys and certificates using BCFKS
Creating SSL Keys and Certificates provides the steps to configure a keystore and
generate a certificate. When using BCFKS, the steps are the same, but the
configuration is different because you must add the storetype
, providerpath
,
and providerclass
. Your configuration should resemble the following example:
keytool -keystore kafka.server.keystore.bcfks -alias localhost -validity 720 -genkeypair -keyalg RSA -keysize 2048 -storepass testfips -keypass testfips -storetype BCFKS -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -dname CN=localhost -ext SAN=DNS:localhost
openssl req -new -x509 -keyout ca-key -out ca-cert -days 720
keytool -keystore kafka.client.truststore.bcfks -storetype BCFKS -alias CARoot -import -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore kafka.server.truststore.bcfks -storetype BCFKS -alias CARoot -importcert -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore kafka.server.keystore.bcfks -alias localhost -storepass testfips -keypass testfips -storetype BCFKS -certreq -file cert-file -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 720 -CAcreateserial -passin pass:testfips
keytool -keystore kafka.server.keystore.bcfks -storetype BCFKS -alias CARoot -import -file ca-cert -storepass testfips -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
cat ca-cert cert-signed > cert
keytool -keystore kafka.server.keystore.bcfks -storetype BCFKS -storepass testfips -alias localhost -import -file cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Configuring Confluent Platform for FIPS 140-2
To configure Confluent Platform brokers, consumers, and producers for FIPS 140-2, specify the
following options in server.properties
:
enable.fips=true
security.providers=io.confluent.kafka.security.fips.provider.BcFipsProviderCreator,io.confluent.kafka.security.fips.provider.BcFipsJsseProviderCreator
# Specify the TLS version. Only TLS version 1.2 is supported.
ssl.enabled.protocol=TLSv1.2
Note
Confluent Platform uses ssl.enabled.protocol=TLSv1.3
by default. Do not accept the
default value because it is not supported for FIPS 140-2.
The security.providers
option configures Kafka brokers to use a list of JCE
provider creators. The Kafka broker creates a list of security JCE providers (which
at runtime take precedence over any other providers). Bouncy Castle is the only
supported FIPS provider. If you do not specify Bouncy Castle, then you are
responsible for providing a FIPS-compliant cipher suite and/or libraries.
If you choose not to configure cipher suites, then those values will
be determined by the Bouncy Castle provider.
Important
You must enable TLS over-the-wire encryption when FIPS mode is enabled. Also,
Confluent Platform will not start if the TLS version and cipher suites specified are not FIPS-compliant.
Verifing that RHEL is running in FIPS mode
Run the following command to verify that RHEL is running in FIPS operational
readiness mode:
cat /proc/sys/crypto/fips_enabled
sysctl crypto.fips_enabled
Your output should resemble:
cat /proc/sys/crypto/fips_enabled
1
sysctl crypto.fips_enabled
crypto.fips_enabled = 1
You can also confirm that the Kafka broker is running in FIPS mode by viewing
the broker server.log
:
FIPS mode is enabled: true
If you enabled FIPS operational readiness mode, but failed to specify a valid
TLS version (only version 1.2 is supported), the output is similar to the following:
[2019-10-05 17:26:18,261] ERROR FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0 (bigcompany.kafka.security.fips.FipsValidator)
[2019-10-05 17:26:18,261] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsVersionException: FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0
If you enabled FIPS operational readiness mode, but specified a unsupported cipher
suite, the output is similar to the following:
[2019-10-22 13:27:01,852] ERROR FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA (bigcompany.kafka.security.fips.FipsValidator)
[2019-10-22 13:27:01,852] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsCipherSuiteException: FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA