Encrypting communications performed by IBM Cloud Private
Network communications in the IBM Cloud Private environment must be encrypted for FIPS compliance.
Encrypt cluster data network traffic with IPsec and enable FIPS mode for TLS encryption of network traffic to external endpoints. Complete the following steps:
- Install Docker for your boot node only. For more information, see Installing IBM Cloud Private Native, Enterprise, and Community editions.
- As you set up the installation environment, be sure to use the `/opt/ibm/icp` directory as the installation directory. Make sure that the directory exists and change into it by running the following commands:

  ```
  mkdir -p /opt/ibm/icp
  cd /opt/ibm/icp
  ```
- Customize your cluster configuration and enable IPsec. See Enable encryption of cluster data network traffic with IPsec for more information. Edit the `/opt/ibm/icp/cluster/config.yaml` file and add the following values to the parameters:

  ```yaml
  ## Network Settings
  ## Calico Network Settings
  calico_ipip_mode: Always
  calico_tunnel_mtu: 1390
  calico_ip_autodetection_method: interface=eth0
  ```

  **Note:** Make sure you use the correct interface for the `calico_ip_autodetection_method`. You must encrypt the interface that carries pod-to-pod communications.
Configuring IPsec
Encrypt the cluster data network with IPsec. To configure IPsec, complete the following steps:
- Locate and edit the `IPSec mesh Settings` section in your `config.yaml` file. Add the following values to the parameters:

  ```yaml
  ## IPSec mesh Settings
  ## If user wants to configure IPSec mesh, the following parameters
  ## should be configured through config.yaml
  ipsec_mesh:
    enable: true
    subnets: ["172.16.0.0/16"]
    exclude_ips: ["172.16.200.0/24"]
  ```

  The following list describes the parameters for the `IPSec mesh Settings`:

  - `subnets`: A list of encrypted subnets that are IP addresses on the set of nodes of your cluster. The subnet addresses must not overlap with the management IP addresses that are included in the cluster `hosts` file.
  - `exclude_ips`: A list of the IP addresses from the `subnets` parameter that should not be encrypted with IPsec.

    **Note:** Consider what other communications cannot be encrypted from the `subnets` list and exclude those addresses. In the example, the addresses in `172.16.200.0/24` are excluded because the name servers that are used by the nodes are in that subnet.
- Verify that the `hosts` file references the management IP addresses of the IBM Cloud Private nodes. The IPsec configuration should not overlap with the `hosts` file from IBM Cloud Private. Your cluster `hosts` configuration might resemble the following content:

  ```
  [master]
  192.168.160.145

  [worker]
  192.168.160.157
  192.168.160.206

  [proxy]
  192.168.160.145
  ```

  **Note:** The IPsec configuration defined in the `config.yaml` file is for the data network `eth0`.

  For more details on configuring the hosts file, see Setting the node roles in the hosts file.
- Enable FIPS mode on the components in IBM Cloud Private. In your `config.yaml` file, locate and edit the `fips_enabled` parameter. Your `config.yaml` file might resemble the following text:

  ```yaml
  fips_enabled: true
  ```

  After you enable FIPS, the following components in IBM Cloud Private are in FIPS mode:

  - IBM Cloud Private management ingress (management console)
  - NGINX ingress controller (ingress service)
  - Docker registry
  - Image manager
  - WebSphere Liberty Application Server (authentication manager)
- After you configure IPsec and enable FIPS, save the `config.yaml` file and continue installing IBM Cloud Private.
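The procedure above states two constraints that are easy to get wrong by hand: the encrypted `subnets` must not contain any management IP from the `hosts` file, and every `exclude_ips` entry must fall inside one of the `subnets`. The following script is an added example for checking both before running the installer; it is not part of the IBM Cloud Private product or documentation, its `hosts` parser is a simple hypothetical one, and the sample `hosts` content is constructed from the values shown above.

```python
import ipaddress

# Constructed sample: a cluster/hosts file with the management IPs from the page
HOSTS_FILE = """\
[master]
192.168.160.145
[worker]
192.168.160.157
192.168.160.206
[proxy]
192.168.160.145
"""


def parse_hosts(text):
    """Return {role: [IPv4Address, ...]} from an ini-style hosts file.

    Only the first token of each entry is treated as the address, so
    trailing inventory variables on the same line are ignored.
    """
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            roles.setdefault(current, [])
        elif current is not None:
            roles[current].append(ipaddress.ip_address(line.split()[0]))
    return roles


def check_ipsec_mesh(subnets, exclude_ips, hosts_text):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    excl = [ipaddress.ip_network(e, strict=False) for e in exclude_ips]
    mgmt = {ip for ips in parse_hosts(hosts_text).values() for ip in ips}
    # Rule 1: management IPs in the hosts file must not lie in an encrypted subnet
    for ip in sorted(mgmt):
        for net in nets:
            if ip in net:
                problems.append(f"management IP {ip} falls inside encrypted subnet {net}")
    # Rule 2: every exclude_ips entry must be carved out of one of the subnets
    for e in excl:
        if not any(e.subnet_of(n) for n in nets):
            problems.append(f"exclude_ips entry {e} is not inside any subnets entry")
    return problems
```

Run it with the `subnets` and `exclude_ips` values from your `config.yaml` and the contents of your `hosts` file; any non-empty result should be resolved before installation.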
To continue with the worked example of enabling FIPS, see Example: Enabling FIPS in IBM Cloud Private for more details.