FIPS 140-2 compliance

Federal Information Processing Standards (FIPS) are publicly available standards and guidelines issued by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors. You can configure CDP Private Cloud Base to use FIPS-compliant cryptography.

To install and configure a CDP cluster that is FIPS-compliant, see Installing and Configuring CDP with FIPS. In combination with AutoTLS, the cluster will use BouncyCastle FIPS Keystore (BCFKS) across all the components.

Note the following points about FIPS compliance in CFM:
  • CFM is compatible with a FIPS 140-2 compliant environment.
  • CFM can run on an OS with FIPS turned on and can use FIPS-compliant crypto libraries.
  • By default, the KeyStore and TrustStore are in Java KeyStore (JKS) format. This format is not FIPS compliant.
  • By default, NiFi dataflows are not FIPS compliant. You must specifically design a dataflow to be FIPS compliant.
  • You can encrypt NiFi sensitive properties, such as the password for a database connection pool service, with a secret key generated by the FIPS 140-2 approved PBKDF2 algorithm. For information on how to do this, see Encrypting NiFi sensitive properties with FIPS 140-2 approved algorithm.
  • If you want to implement FIPS mode on your CFM cluster, you should use the bctls-safelogic.jar, which uses Galois/Counter Mode (GCM) ciphers. GCM ciphers are not allowed by the NiFi Java process by default. For configuration information, see Configuring NiFi to use GCM ciphers.

For additional details on the FIPS 140-2 Publication, see FIPS 140-2 Security Requirements for Cryptographic Modules.