You can use the FIPS validation tool to verify that specific components and services are FIPS-compliant. It does this in two ways: by checking the signatures of the files on the cluster against a signed signature file (the manifest), and by checking that services are using the certified algorithms.
Download Signature Files
You need to download an appropriate, signed signature file before you run validation. Check which version of DKP you are running so that you download the manifest that matches the DKP release on your system; a manifest for a different release will not validate the files on your cluster. Use the links in the table that follows to obtain a valid file:
DKP version 2.3: signature file per Operating System version
Run FIPS validation
To verify that the cluster is FIPS compliant, run dkp check cluster fips. This command reads the local manifest that you downloaded from the table above to validate that specific components and services are FIPS-compliant. The signature data is loaded into the ConfigMap named by --signature-configmap, and the results of the check are recorded in the ConfigMap named by --output-configmap. Run the command:
dkp check cluster fips --signature-file=manifest.asc --signature-configmap=signatures --output-configmap=output
The full command usage and flags include:
dkp check cluster fips [flags]
  -h, --help                         help for fips
  -n, --namespace string             If present, the namespace scope for this CLI request. (default "default")
      --output-configmap string      ConfigMap with fips signature data to verify. [required]
      --signature-configmap string   ConfigMap with fips signature data to verify. [required]
      --signature-file string        File containing fips signature data.
Validation command example
Upon successful completion, the command’s output displays details about the deployment in JSON format. If validation fails, the command returns a non-zero status.
For example, to validate FIPS-mode operation with the signature file manifest-rhel8.json.asc, you would run the following command:
dkp check cluster fips \
  --signature-file manifest-rhel8.json.asc \
  --signature-configmap prod-rhel8-fips-signatures \
  --output-configmap prod-rhel8-fips-validation
Run FIPS validation with existing ConfigMap
If you already have a signature ConfigMap (for example, one populated by an earlier run that used --signature-file), you can omit the --signature-file flag, as in the following sample command:
dkp check cluster fips \
  --signature-configmap prod-rhel8-fips-signatures \
  --output-configmap prod-rhel8-fips-validation
In this case, the validation tool checks the cluster using the signature data already stored in that ConfigMap and returns deployment details in JSON format. As with the first form, a non-zero exit status means validation failed.
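The following wrapper is an added example for running either form of the check from a script or CI job; it is not part of DKP and uses only the flags documented on this page. It picks the first form (with --signature-file) when a manifest path is given and the second form (existing signature ConfigMap) when it is not, refuses to run when the manifest path is unreadable, saves the JSON report to a file and passes the tool's exit status through. The function names, the DKP_BIN override and the default report file name are this example's own conventions.

```shell
#!/bin/sh
# Added example, not DKP code: scripted wrapper around `dkp check cluster fips`.
# DKP_BIN lets you point at a specific dkp binary (or a stub when testing).

# run_fips_check SIG_CONFIGMAP OUT_CONFIGMAP [SIG_FILE] [RESULT_FILE]
#   SIG_CONFIGMAP  ConfigMap holding the signature data (--signature-configmap)
#   OUT_CONFIGMAP  ConfigMap that receives the validation output (--output-configmap)
#   SIG_FILE       downloaded signed manifest; leave empty to reuse SIG_CONFIGMAP
#   RESULT_FILE    where the tool's JSON report is written (default fips-result.json)
# Returns 2 without running dkp if SIG_FILE is given but unreadable; otherwise
# returns the exit status of dkp, so non-zero means validation failed.
run_fips_check() {
  sig_cm=$1
  out_cm=$2
  sig_file=${3:-}
  result=${4:-fips-result.json}

  if [ -z "$sig_cm" ] || [ -z "$out_cm" ]; then
    echo "usage: run_fips_check SIG_CONFIGMAP OUT_CONFIGMAP [SIG_FILE] [RESULT_FILE]" >&2
    return 2
  fi

  # Fail early rather than letting dkp run against a missing manifest.
  if [ -n "$sig_file" ] && [ ! -r "$sig_file" ]; then
    echo "signature file not readable: $sig_file" >&2
    return 2
  fi

  # Build the argument list; --signature-file is only passed when a manifest
  # was supplied, which is the "existing ConfigMap" form otherwise.
  if [ -n "$sig_file" ]; then
    set -- --signature-file "$sig_file" \
           --signature-configmap "$sig_cm" \
           --output-configmap "$out_cm"
  else
    set -- --signature-configmap "$sig_cm" \
           --output-configmap "$out_cm"
  fi

  # Capture the JSON report; the if/else keeps `set -e` callers from aborting
  # before the status is reported.
  if "${DKP_BIN:-dkp}" check cluster fips "$@" > "$result"; then
    rc=0
    echo "FIPS validation passed; report written to $result"
  else
    rc=$?
    echo "FIPS validation FAILED (exit $rc); output saved to $result" >&2
  fi
  return "$rc"
}

# Stand-alone use (assumed convention): FIPS_RUN=1 ./fips-check.sh SIG_CM OUT_CM [SIG_FILE] [RESULT]
if [ "${FIPS_RUN:-0}" = "1" ]; then
  run_fips_check "$@"
fi
```

In a pipeline, call it as `run_fips_check prod-rhel8-fips-signatures prod-rhel8-fips-validation manifest-rhel8.json.asc` on the first run and without the third argument on later runs; gate the following stage on its exit status and archive the report file it writes.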