FIPS 140-2 compliance

IBM Cloud Pak® for Business Automation uses the FIPS 140-2 approved cryptographic providers and IBM® Crypto for C (ICC) for cryptography.

FIPS compliance is conditioned by the following prerequisites and limitations.

OpenShift Container Platform (OCP)

In the OCP configuration file install-config.yaml, you need to set "fips: true". For more information, see Support for FIPS cryptography.

Red Hat Enterprise Linux® (RHEL)

The Linux hosts must use RHEL 8.2 or higher. On each of the hosts that run FIPS-compliant workloads, you need to enable FIPS mode.

To enable FIPS on a host, set "fips=1" on the kernel command line at installation time. All the cryptographic keys that are generated are then FIPS-compliant.

If a host is already installed, you can enable FIPS mode by following the procedure in Switching the system to FIPS mode.

Note: If your organization is entitled to FIPS compliance, the RHEL hosts can be configured by default to enable FIPS.
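
A pre-flight check for the OCP and RHEL prerequisites above, as an added example that is not part of the original documentation. It verifies RHEL 8.2 or higher from os-release, fips=1 on the kernel command line together with /proc/sys/crypto/fips_enabled, and a top-level fips: true in install-config.yaml. The function names are assumptions made for this example; the default paths are the standard Linux locations.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the FIPS prerequisites on this page.
# Every path is a parameter so the checks can run against copies of the files.

# 0 if os-release describes RHEL 8.2 or higher, 1 if not, 2 if unreadable.
rhel_version_ok() {
    local osr="${1:-/etc/os-release}" id ver major minor
    [ -r "$osr" ] || return 2
    # os-release is a shell-compatible KEY=value file: source it in a subshell.
    id=$( . "$osr"; printf '%s' "${ID:-}" )
    ver=$( . "$osr"; printf '%s' "${VERSION_ID:-}" )
    [ "$id" = "rhel" ] && [ -n "$ver" ] || return 1
    major=${ver%%.*}
    case "$ver" in *.*) minor=${ver#*.}; minor=${minor%%.*} ;; *) minor=0 ;; esac
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# 0 if the kernel was booted with fips=1 AND reports FIPS mode as active.
host_fips_enabled() {
    local cmdline="${1:-/proc/cmdline}" flag="${2:-/proc/sys/crypto/fips_enabled}"
    [ -r "$cmdline" ] && [ -r "$flag" ] || return 2
    # fips=1 must be a whole token, so nofips=1 or fips=10 do not match.
    tr ' ' '\n' < "$cmdline" | grep -qx 'fips=1' || return 1
    [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}

# 0 if install-config.yaml sets the top-level key fips to the literal true.
install_config_fips() {
    [ -r "$1" ] || return 2
    # Anchored at column 0: an indented "fips:" under another key is ignored.
    grep -Eq '^fips:[[:space:]]*true[[:space:]]*(#.*)?$' "$1"
}

# Prints PASS/FAIL per prerequisite; returns 0 only when all three pass.
# Usage: fips_preflight install-config.yaml [os-release] [cmdline] [fips_enabled]
fips_preflight() {
    local rc=0
    if rhel_version_ok "${2:-}"; then echo "PASS RHEL 8.2 or higher"
    else echo "FAIL RHEL 8.2 or higher"; rc=1; fi
    if host_fips_enabled "${3:-}" "${4:-}"; then echo "PASS host FIPS mode"
    else echo "FAIL host FIPS mode"; rc=1; fi
    if install_config_fips "$1"; then echo "PASS fips: true in $1"
    else echo "FAIL fips: true in $1"; rc=1; fi
    return "$rc"
}
```

On a RHEL 8 host, fips-mode-setup --check reports the same host state as host_fips_enabled.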

Cloud Pak dependencies

For more information about configuring FIPS compliance for Common Services, see Configuring Common Services.

Red Hat certification dependency

Cloud Pak for Business Automation regularly updates its Red Hat UBI images, which are linked to specific RHEL versions. For instance, the current version uses UBI with RHEL 8.4. Some languages use dynamic linking to system libraries, and the Cloud Pak components are only FIPS-compliant when the corresponding RHEL version is certified.

  • The Red Hat FIPS certification status can be found at https://access.redhat.com/articles/2918071.
  • The status is:
    • RHEL 8.2: Certified.
    • RHEL 8.3 and 8.4: Ongoing certification.
    • RHEL-8.4 Kernel: A separate ongoing certification.

Cloud Pak capabilities

Cloud Pak for Business Automation is mostly based on Java™, and all the Java containers are FIPS-compliant. The following parts of the Cloud Pak use some open source packages, which are not FIPS-compliant:

  • Business Automation Application Engine
  • Automation Document Processing
  • Business Automation Studio
  • Automation Decisions Service

For Operational Decision Manager, you must activate FIPS manually by using an external Java option. For more information, see Customizing JVM options.