FIPS compliance

Federal Information Processing Standards (FIPS) 140-2 is the US and Canadian federal standard, which includes compelling security and interoperability standards. IBM Cloud Pak® for Business Automation 23.0.2 can be configured to be FIPS-compliant.

Cloud Pak for Business Automation uses the IBM FIPS wall approach to achieve FIPS 140-2 compliance. For more information about the approach, see Considerations for FIPS.

FIPS enablement is disabled by default in Cloud Pak for Business Automation and must be configured explicitly.

Before you begin

Before you install Cloud Pak for Business Automation, set up a FIPS wall for Cloud Pak foundational services. For instructions, see Foundational services regulatory compliance.

You do not need to do the following tasks because Cloud Pak for Business Automation handles these tasks for foundational services:

  • Configure foundational services routes as re-encrypt routes
  • Configure foundational services events operator to create internal listeners only
  • Configure the CommonServices CR in FIPS mode

OpenShift Container Platform

In the Red Hat® OpenShift® Container Platform configuration file install-config.yaml, you must set "fips: true". For more information, see Support for FIPS cryptography.

Note: You can run the cp4a-clusteradmin-setup.sh script to check the FIPS mode of your cluster.

Red Hat Enterprise Linux (RHEL)

The Linux® hosts must use RHEL 8.2 or higher. On each of the hosts that run FIPS-compliant workloads, you need to enable the FIPS mode.

To enable FIPS on a host, set "fips=1" on the kernel command line at installation time, so that all the cryptographic keys that are generated are FIPS-compliant.

If a host is already installed, you can enable FIPS mode on it afterward. For more information, see Switching the system to FIPS mode.

Note: If your organization is entitled to FIPS compliance, RHEL hosts can be configured by default to enable FIPS.

Cloud Pak capabilities

By default, the enablement of Cloud Pak for Business Automation containers for FIPS is turned off.

FIPS enablement for Cloud Pak for Business Automation capabilities is configured in the custom resource (CR), under the shared_configuration section.

shared_configuration:
    enable_fips: true

Tip: You cannot enable FIPS on a single capability when the shared configuration enable_fips parameter is set to false.

For more information about the CR parameters, see Custom resource configuration parameters.
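
The three settings described on this page (install-config.yaml, the RHEL host, and the CR) can be checked before deployment with a short script. This is an added example, not IBM or Red Hat tooling; the function names are hypothetical, and it assumes block-style YAML with an unquoted true and that the host reports its FIPS state in /proc/sys/crypto/fips_enabled.

```shell
# Added example: checks the FIPS settings described on this page.
# Paths are arguments so that saved copies of the files can be checked offline.

# RHEL host: the kernel exposes 1 in this file when FIPS mode is active.
host_fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Kernel command line: the exact argument fips=1 must be present.
cmdline_has_fips() {
  f="${1:-/proc/cmdline}"
  [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx 'fips=1'
}

# install-config.yaml: "fips: true" as a top-level (unindented) key.
install_config_fips() {
  grep -Eq '^fips:[[:space:]]+true([[:space:]]+#.*)?[[:space:]]*$' "$1"
}

# CR: "enable_fips: true" inside the shared_configuration block only;
# the same key under any other section does not count.
cr_fips_enabled() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    { indent = match($0, /[^ ]/) - 1 }           # leading spaces on this line
    in_sc && indent <= sc_indent { in_sc = 0 }   # left the block
    /^ *shared_configuration:[ \t]*$/ { in_sc = 1; sc_indent = indent; next }
    in_sc && /^ *enable_fips:[ \t]+true([ \t]+#.*)?[ \t]*$/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Run every check and report; returns non-zero if any check fails.
# usage: fips_preflight install-config.yaml cr.yaml [fips_enabled_file] [cmdline_file]
fips_preflight() {
  rc=0
  report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; rc=1; fi; }
  report install_config_fips "$1"
  report cr_fips_enabled "$2"
  report host_fips_enabled "${3:-/proc/sys/crypto/fips_enabled}"
  report cmdline_has_fips "${4:-/proc/cmdline}"
  return "$rc"
}

# When run as a script with at least two file arguments, perform the checks.
[ "$#" -lt 2 ] || fips_preflight "$@"
```

The host checks read the local machine by default, so run them on each host that runs FIPS-compliant workloads, or pass saved copies of the two /proc files as the third and fourth arguments.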