Configuring for FIPS compliance
The FileNet Content Manager container deployment can be configured to be Federal Information Processing Standards (FIPS)-compliant.
The FIPS enablement must be configured, as it is disabled by default.
OpenShift Container Platform (OCP)
In the OCP configuration file install-config.yaml, you must set "fips: true". For more information, see Support for FIPS cryptography.
Red Hat Enterprise Linux (RHEL)
The Linux® hosts must use RHEL 8.2 or higher. On each of the hosts that run FIPS-compliant workloads, you must enable FIPS mode.
To enable FIPS on a host, set "fips=1" on the kernel command line at installation time. All the cryptographic keys that are generated are FIPS-compliant.
If a host is already installed, you can enable FIPS mode on it afterward. For more information, see Switching the system to FIPS mode.
FNCM components
By default, the enablement of the FNCM containers for FIPS is turned off.
FIPS enablement for FNCM components is configured in the custom resource (CR), under the shared_configuration section.
shared_configuration:
  enable_fips: true
The default value is false. If you want to disable FIPS for any component in your deployment, you must set the disable_fips parameter to true in that component's section of the CR. The following configuration parameters disable FIPS for FileNet Content Manager and Navigator.
ecm_configuration:
  disable_fips: true
navigator_configuration:
  disable_fips: true
- The following database restrictions are known:
  - Due to a dependency on JKS keystores, PostgreSQL JDBC data sources cannot use verify-ca or verify-full SSL options. Use the require SSL mode option.
- Pay attention to the length of passwords used by the deployment. For example, password lengths in the following secrets need to be at least 16 characters long: ibm-fncm-secret and ibm-ban-secret.
For more information about the CR parameters, see Custom resource configuration parameters.
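The settings and restrictions on this page can be checked before deployment. The following preflight check is an added example, not IBM's code: it assumes the CR has already been parsed from YAML into a dict, that the PostgreSQL SSL mode is passed as the sslmode parameter of the JDBC URL, and that secret values are decoded and stored under keys containing "password". The sample inputs and the key names inside the secrets are constructed.

```python
from urllib.parse import parse_qs, urlsplit
MIN_PASSWORD_LEN = 16  # minimum length stated on this page
BLOCKED_SSLMODES = {"verify-ca", "verify-full"}  # unusable with JKS keystores
COMPONENT_SECTIONS = ("ecm_configuration", "navigator_configuration")

def check_cr(cr):
    """Findings for a CR that was already parsed from YAML into a dict."""
    findings = []
    if (cr.get("shared_configuration") or {}).get("enable_fips") is not True:
        findings.append("shared_configuration.enable_fips is not true")
    for section in COMPONENT_SECTIONS:
        if (cr.get(section) or {}).get("disable_fips") is True:
            findings.append(f"{section}.disable_fips is true (FIPS off for it)")
    return findings

def check_pg_jdbc_url(url):
    """Flag PostgreSQL JDBC URLs that request verify-ca or verify-full."""
    if not url.startswith("jdbc:postgresql:"):
        return []
    query = urlsplit(url[len("jdbc:"):]).query
    mode = (parse_qs(query).get("sslmode") or [""])[-1].lower()
    if mode in BLOCKED_SSLMODES:
        return [f"sslmode={mode} is not supported; use sslmode=require"]
    return []

def check_secret(name, data):
    """Flag short passwords by length only; the value is never echoed.
    Assumption: decoded values, and password keys contain 'password'."""
    return [f"{name}/{key}: {len(value)} chars, need >= {MIN_PASSWORD_LEN}"
            for key, value in data.items()
            if "password" in key.lower() and len(value) < MIN_PASSWORD_LEN]

def run_preflight(cr, jdbc_urls, secrets):
    findings = check_cr(cr)
    for url in jdbc_urls:
        findings += check_pg_jdbc_url(url)
    for name, data in secrets.items():
        findings += check_secret(name, data)
    return findings

# Constructed sample inputs; key names inside the secrets are hypothetical.
SAMPLE_CR = {"shared_configuration": {"enable_fips": True},
             "ecm_configuration": {"disable_fips": True}}
SAMPLE_URLS = ["jdbc:postgresql://db.example.internal:5432/exampledb?sslmode=verify-full"]
SAMPLE_SECRETS = {"ibm-fncm-secret": {"examplePassword": "short-pass-123"},
                  "ibm-ban-secret": {"examplePassword": "constructed-long-value-01"}}

if __name__ == "__main__":
    for finding in run_preflight(SAMPLE_CR, SAMPLE_URLS, SAMPLE_SECRETS):
        print("FINDING:", finding)
```

A component-level disable_fips finding is informational when the opt-out is intended; the other findings point at settings this page says will not work.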