Encrypting communications performed by IBM Cloud Private

Network communications in the IBM Cloud Private environment must be encrypted for FIPS compliance.

Encrypt cluster data network traffic with IPsec and enable FIPS mode for TLS encryption of network traffic to external endpoints. Complete the following steps:

  1. Install Docker for your boot node only. For more information, see Installing IBM Cloud Private Native, Enterprise, and Community editions.

  2. As you set up the installation environment, be sure to use the /opt/ibm/icp directory as the installation directory. To make sure that the directory exists and to change into it, run the following commands:

     mkdir -p /opt/ibm/icp
     cd /opt/ibm/icp
    
  3. Customize your cluster configuration and enable IPsec. See Enable encryption of cluster data network traffic with IPsec for more information. Edit the /opt/ibm/icp/cluster/config.yaml file and add the following values to the parameters:

     ## Network Settings
     ## Calico Network Settings
     calico_ipip_mode: Always
     calico_tunnel_mtu: 1390
     calico_ip_autodetection_method: interface=eth0

    Note: Make sure that you use the correct interface for the calico_ip_autodetection_method parameter. The interface that carries pod-to-pod communications is the one that must be encrypted.

Configuring IPsec

Encrypt cluster data network with IPsec. To configure IPsec, complete the following steps:

  1. Locate and edit the IPSec mesh Settings in your config.yaml file. Add the following values to the parameters:

     ## IPSec mesh Settings
     ## If user wants to configure IPSec mesh, the following parameters
     ## should be configured through config.yaml
     ipsec_mesh:
       enable: true
       subnets: ["172.16.0.0/16"]
       exclude_ips: [ "172.16.200.0/24" ]
    

    The following list describes the parameters for the IPSec mesh Settings:

    • subnets: A list of encrypted subnets that are IP addresses on the set of nodes of your cluster. The subnet addresses must not overlap with the management IP addresses that are included in the cluster hosts file.

    • exclude_ips: A list of the IP addresses from the subnets parameter that should not be encrypted with IPsec.

      Note: Consider which other communications from the subnets list cannot be encrypted and exclude those addresses. In the example, the addresses in 172.16.200.0/24 are excluded because the name servers that the nodes use are in that subnet.

  2. Verify that the hosts file references the management IP addresses of the IBM Cloud Private nodes. The IPsec configuration should not overlap with the hosts file from IBM Cloud Private.

    Your cluster hosts configuration might resemble the following content:

     [master]
     192.168.160.145

     [worker]
     192.168.160.157
     192.168.160.206

     [proxy]
     192.168.160.145

    Note: The IPsec configuration defined in the config.yaml file is for the data network eth0.

For more details on configuring the hosts file, see Setting the node roles in the hosts file.

  3. Enable FIPS mode on the components in IBM Cloud Private. In your config.yaml file, locate and edit the fips_enabled parameter. Your config.yaml file might resemble the following text:

     fips_enabled: true
    

    After you enable FIPS, the following components in IBM Cloud Private are in FIPS mode:

    • IBM Cloud Private management ingress (management console)

    • NGINX ingress controller (ingress service)

    • Docker registry

    • Image manager

    • WebSphere Liberty Application Server (authentication manager)

After you configure IPsec and enable FIPS, save the config.yaml file and continue installing IBM Cloud Private.
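The two constraints that the steps above place on the ipsec_mesh settings (encrypted subnets must not overlap the management IPs in the hosts file, and every exclude_ips entry must lie inside a declared subnet) are easy to get wrong by hand. The following check is an added example, not IBM Cloud Private code; it uses constructed copies of the hosts file and the ipsec_mesh values shown on this page, and assumes the config.yaml section has already been loaded into a plain dictionary.

```python
import ipaddress

# Constructed sample hosts file with the same node IPs as the page (not a real cluster).
HOSTS_FILE = """\
[master]
192.168.160.145
[worker]
192.168.160.157
192.168.160.206
[proxy]
192.168.160.145
"""

# Constructed stand-in for the parsed ipsec_mesh section of config.yaml
# (same values as the page); a real run would load it with a YAML parser.
IPSEC_MESH = {
    "enable": True,
    "subnets": ["172.16.0.0/16"],
    "exclude_ips": ["172.16.200.0/24"],
}


def parse_hosts(text):
    """Return the set of management IP addresses listed under any [group] header."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        ips.add(ipaddress.ip_address(line))
    return ips


def check_ipsec_mesh(mesh, hosts_text):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not mesh.get("enable"):
        problems.append("ipsec_mesh.enable is not true: data network traffic stays unencrypted")
    subnets = [ipaddress.ip_network(s, strict=False) for s in mesh.get("subnets", [])]
    excludes = [ipaddress.ip_network(e, strict=False) for e in mesh.get("exclude_ips", [])]
    # Management IPs from the hosts file must not fall inside an encrypted subnet.
    for ip in sorted(parse_hosts(hosts_text)):
        for net in subnets:
            if ip in net:
                problems.append(f"management IP {ip} overlaps encrypted subnet {net}")
    # Every excluded range must be part of one of the declared subnets.
    for ex in excludes:
        if not any(ex.subnet_of(net) for net in subnets):
            problems.append(f"exclude_ips entry {ex} is not inside any subnet")
    return problems
```

Run check_ipsec_mesh against the real hosts file and the loaded config.yaml before starting the installer; any reported problem means the IPsec mesh would either skip encryption for traffic you intended to protect or collide with the management network.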

To continue with a worked example of enabling FIPS, see Example: Enabling FIPS in IBM Cloud Private.