Put Linux/CentOS into FIPS Mode
Be very careful when making the changes outlined in this section. If you enter any values incorrectly, it could prevent your DX from booting up. If you make any mistakes when entering values, you may need to reinstall your DX.
For more details on configuring FIPS on RHEL, see https://www.dogtagpki.org/wiki/Configuring_FIPS_on_RHEL.
Configuring FIPS Mode
- Go to /etc/default/grub and edit the file by adding the following:
fips=1
boot=value Install the following packages:
CODE$ yum -y install prelink dracut-fipsDisable prelink:
CODE$ cat /etc/sysconfig/prelink | grep PRELINKING PRELINKING=no $ prelink -u -aRecreate the initramfs file:
CODE$ dracut -fIdentify the partition:
CODE$ df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/vda1 1038336 147424 890912 15% /bootIdentify the universally unique identifier (UUID) of the partition:
CODE$ blkid /dev/vda1 /dev/vda1: UUID="21f4da90-4055-47e4-8971-763691191f14" TYPE="xfs"Edit the /etc/default/grub file to add fips=1 and boot=value, as indicated in the command below:
CODEGRUB_TIMEOUT=5 GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" GRUB_DEFAULT=saved GRUB_DISABLE_SUBMENU=true GRUB_TERMINAL="serial console" GRUB_SERIAL_COMMAND="serial --unit=1 --speed=19200" GRUB_CMDLINE_LINUX="fips=1 boot=UUID=21f4da90-4055-47e4-8971-763691191f14 crashkernel=auto rd.lvm.lv=rhel_nocp11/root rd.lvm.lv=rhel_nocp11/swap console=ttyS1,19200" GRUB_DISABLE_RECOVERY="true"Regenerate grub.cfg:
CODE$ grub2-mkconfig -o /boot/grub2/grub.cfg Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-655.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-655.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-e9f58f1897434fada2858923988fd2ca Found initrd image: /boot/initramfs-0-rescue-e9f58f1897434fada2858923988fd2ca.img DoneReboot the system:
CODE$ rebootVerify that the system is running in FIPS mode:
CODE$ sysctl crypto.fips_enabled crypto.fips_enabled = 1