Enable FIPS on PostgreSQL database

3

8

Can someone please specify the steps to enable FIPS on Postgres Database? I have googled but was not able to find anything concrete.

Sorcerer answered 21/8, 2012 at 14:23 Comment(4)
FIPS = Federal Information Processing Standards? – Monopoly
You might want to edit your question and explain in a little more detail. See stackoverflow.com/faq#howtoask. Define "FIPS"? What exactly do you want to enable, and what do you expect enabling it to do? What gives you the idea there's something called "FIPS" you can enable? Are you used to this from another database? If so, which one? You didn't find anything concrete in Google, ok, what did you find? Links? Please follow up, as this question will otherwise get closed. – Crash
Yes, Federal Information Processing Standards 140-2. I want the postgres database to be installed/running in FIPS compliant mode. If it runs in the compliant mode, the data transfer process will use an encryption algorithm, something like aes-128 etc. The reason I am looking for this is that our product is going FIPS compliant and I want to test whether it can communicate with a FIPS compliant database. – Sorcerer
Specifying the target operating system would help clarify the question. – Outrank
4

Can someone please specify the steps to enable FIPS on Postgres Database?

I don't believe you can run Postgres in "FIPS mode" because of its use of non-approved cryptography. From a past audit, I know it makes extensive use of MD5 (see, for example, Postgres Mailing List: Use of MD5). So lots of stuff is going to break in practice.

Notwithstanding, here are the steps to try and do it via OpenSSL. There are three parts because Postgres is not FIPS-aware, and you need to make some modifications to Postgres.


Step One

You have to build OpenSSL for the configuration. This is a two step process. First you build the FIPS Object Module; and second, you build the FIPS Capable Library.

To build the FIPS Object Module, first you download openssl-fips-2.n.n.tar.gz. After unpacking, you perform:

./config
make
sudo make install

After you run the above commands, the fipscanister will be located in /usr/local/ssl/fips-2.0. The FIPS Capable Library will use it to provide the FIPS Validated Cryptography.

Second, you download openssl-1.n.n.tar.gz. After unpacking, you perform:

./config fips shared <other options>
make all
sudo make install

The critical part is the fips option during configure.

After you run the above commands, you will have a FIPS Capable Library. The library will be located in /usr/local/ssl/lib. Use libcrypto.so and libssl.so as always.

The FIPS Capable Library uses the fipscanister, so you don't need to worry about what's in /usr/local/ssl/fips-2.0. It's just an artifact from building FIPS Object Module (some hand waving).

Step Two

Find where Postgres calls SSL_library_init:

$ grep -R SSL_library_init *
...
src/backend/libpq/be-secure.c:      SSL_library_init();
src/interfaces/libpq/fe-secure.c:           SSL_library_init();

Open be-secure.c and fe-secure.c, and add a call to FIPS_mode_set.

/* be-secure.c, near line 725 */
static void
initialize_SSL(void)
{
    struct stat buf;

    STACK_OF(X509_NAME) *root_cert_list = NULL;

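#if defined(OPENSSL_FIPS)
    /* OPENSSL_FIPS comes from the FIPS Capable Library's opensslconf.h */
    int rc;
    rc = FIPS_mode();           /* 0 means FIPS mode is not enabled yet */
    if(rc == 0)
    {
        rc = FIPS_mode_set(1);  /* returns 1 on success */
        /* assert() is compiled out when NDEBUG is defined, so such a
           build would not notice a failure here */
        assert(1 == rc);
    }
#endif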

    if (!SSL_context)
    {
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
        OPENSSL_config(NULL);
#endif
        SSL_library_init();
        SSL_load_error_strings();
        ...
    }
    ...
}

If the call to FIPS_mode_set succeeds, then you will be using FIPS Validated cryptography. If it fails, you will still be using OpenSSL's cryptography, but it will not be FIPS Validated cryptography.

You will also need to add the following headers to be-secure.c and fe-secure.c:

#include <assert.h>                /* for the assert() used above */
#include <openssl/opensslconf.h>
#include <openssl/fips.h>

Step Three

The final step is to ensure you are using the FIPS Capable Library from step one. Do that via CFLAGS and LDFLAGS:

cd postgres-9.3.2
export CFLAGS="-I/usr/local/ssl/include"
export LDFLAGS="-L/usr/local/ssl/lib"

./configure --with-openssl <other options>
...
Fungicide answered 15/2, 2014 at 12:50 Comment(3)
PostgreSQL can definitely be run in FIPS mode on a properly configured RHEL system. See the answer below regarding the STIG by buzz3791. – Asbury
@JosephConway - OpenSSL may be providing FIPS validated cryptography, but that does not mean Postgres is using it. If Postgres is still using MD5, then they certainly are not complying with FIPS 140-2. There's only one MD5 exception I am aware of, and that is the PRF function in TLS. The only way to know for certain is to audit Postgres. But I have not done that in several years. – Fungicide
I am happy to discuss offline sometime, but we have addressed this in the PostgreSQL STIG. If you put OpenSSL in FIPS mode at the OS level per the Red Hat docs (and Ubuntu and SUSE have similar options) then PostgreSQL does use it. I have verified this with gdb in a live session. You also have to avoid using MD5 for password hashing, but that is easily done by using an external (LDAP, GSS, Kerberos, etc) or cert auth method in pg_hba.conf (or scram-sha-256 in pg10). – Asbury
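
The pg_hba.conf point raised in the comments above (no MD5 password hashing; use an external, cert or scram-sha-256 method instead) can be checked mechanically. This is an added example, not part of the original thread or of PostgreSQL itself; it parses pg_hba.conf text and reports rules that use the `md5` method. The sample file, function names and finding labels are constructed for illustration, and the extra `tls-not-required` finding (rules that also match unencrypted connections) is an assumption about what a FIPS review would want to see.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                   METHOD
local   all       postgres                            peer
host    all       all       127.0.0.1/32              md5
hostssl app       app       10.0.0.0/8                scram-sha-256
hostssl app       svc       10.1.2.3 255.255.255.255  cert
host    "my db"   all       0.0.0.0/0                 ldap ldapserver=ldap.example.test
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba(text):
    """Yield (line_no, conn_type, method) for every rule in pg_hba.conf text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # honours "quoted names" and '#'
        if not fields or fields[0].startswith("include"):
            continue
        conn_type = fields[0]
        if conn_type == "local":
            idx = 3  # local DATABASE USER METHOD
        elif conn_type in HOST_TYPES:
            idx = 4  # host DATABASE USER ADDRESS METHOD
            # Older style: IP address and netmask as two separate fields.
            if len(fields) > 5 and "/" not in fields[3] and _is_ip(fields[4]):
                idx = 5
        else:
            raise ValueError(f"line {line_no}: unknown record type {conn_type!r}")
        if len(fields) <= idx:
            raise ValueError(f"line {line_no}: no auth method found")
        yield line_no, conn_type, fields[idx]


def audit_hba(text):
    """Return (line_no, finding) pairs for MD5 auth and rules that allow non-TLS."""
    findings = []
    for line_no, conn_type, method in parse_hba(text):
        if method == "md5":
            findings.append((line_no, "md5-auth"))
        if conn_type in ("host", "hostnossl"):
            findings.append((line_no, "tls-not-required"))
    return findings
```

Calling `audit_hba(SAMPLE_HBA)` flags line 3 for both findings and line 6 for `tls-not-required`; the `hostssl` rules with `scram-sha-256` and `cert` pass.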
4

For PostgreSQL on Red Hat Linux, the https://public.cyber.mil/stigs/downloads/ web site has a Security Technical Implementation Guide for PostgreSQL 9.x which has this check.

Rule Title: PostgreSQL must implement NIST FIPS 140-2 validated 
cryptographic modules to protect unclassified information requiring
confidentiality and cryptographic protection, in accordance with the data
owners requirements.
STIG ID:    PGS9-00-008200
Rule ID:    SV-87645r1_rule
Vuln ID:    V-72993

The "Fix Text" reads

Configure OpenSSL to be FIPS compliant. 

PostgreSQL uses OpenSSL for cryptographic modules. To configure OpenSSL to
be FIPS 140-2 compliant, see the official RHEL Documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html

For more information on configuring PostgreSQL to use SSL, see supplementary
content APPENDIX-G.

Joseph Conway pointed out "the Appendix G the STIG refers to is in the PostgreSQL STIG supplement, not the [postgresql.org] docs. You can get the supplement (and the rest of the STIG) here: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_SQL_9-x_V2R1_STIG.zip"

Outrank answered 16/11, 2017 at 16:0 Comment(2)
Actually the Appendix G the STIG refers to is in the PostgreSQL STIG supplement, not the community docs. You can get the supplement (and the rest of the STIG) here: iasecontent.disa.mil/stigs/zip/U_PostgreSQL_9-x_V1R1_STIG.zip – Asbury
For what it's worth, it appears that Ubuntu now supports systemwide FIPS mode as well for OpenSSL. See section 9.1.1 of this doc for how to set it up (untested by me): csrc.nist.gov/csrc/media/projects/… – Asbury
1

As I understand your question you are looking at trying to ensure that you can encrypt data transferred to and from PostgreSQL using AES algorithms. While FIPS goes well beyond that, and well beyond what can be asked in Q&A, that question at least is easily answerable.

The simple solution is to use SSL with a certificate authority of your choice (if you are using Active Directory, you could use Certificate Server, and if not you could use OpenSSL to run your own certificate authority). You could then specify which encryption standards to use (see official docs). From there encryption will be used and your server will be authenticated to your clients. You can also set up client certs and require those to be authenticated as well.

Overtask answered 7/4, 2013 at 7:37 Comment(0)
