To enable Federal Information Processing Standard (FIPS) 140-2 cryptographic module self-checks, you must operate RHEL 8 in FIPS mode.

This page provides detailed instructions on how to enable FIPS mode on a fresh or existing RHEL 8 installation. It lists the specific configurations and settings required to activate FIPS-compliant operations in your Carbon Black EDR system.

Note:
  • These instructions are provided here for your convenience. If they do not match your experience, we recommend you review the Red Hat installation instructions (external link).
  • Running Carbon Black EDR Server 7.8.0 in FIPS mode is officially supported on RHEL 8.2, 8.6, 8.7, and 8.8.
  • If you have an existing RHEL 8 system, proceed directly to Step 6 in the following procedure to enable FIPS by using the fips-mode-setup utility.
  • If you have a cluster deployment, run the following steps on all nodes.

Procedure

  1. Boot RHEL 8 and select Install Red Hat Enterprise Linux 8.x.
  2. To display the vmlinuz boot line, press the Tab key.
  3. Add fips=1 to the boot line and press Enter.
    • The system reboots and begins the installation process.
    • During installation using the fips=1 kernel flag, RHEL 8 generates FIPS-compliant cryptography keys for the system.
    Note: Do not install third-party software at this time.
  4. Disable kdump.
  5. Complete the installation process and reboot.
  6. Log in as root and run the following command:
    fips-mode-setup --check

    The following message displays if FIPS is enabled:

    FIPS mode is enabled.

    If FIPS is not enabled, run the following command:

    fips-mode-setup --enable

    Reboot, then rerun fips-mode-setup --check.

    Note: fips-mode-setup is a utility that is provided with RHEL 8.x. It is used to check and control the system FIPS mode.

    When enabling FIPS mode, fips-mode-setup completes the installation of FIPS modules (if needed) by calling fips-finish-install and changing the system cryptographic policy to FIPS. The command then modifies the boot loader configuration to add fips=1 and boot=<boot-device> options to the kernel command line.
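
The following script is an added example, not part of the Carbon Black or Red Hat documentation. It cross-checks the state that fips-mode-setup is described above as changing (the kernel command line and the system cryptographic policy) together with the kernel's own flag in /proc/sys/crypto/fips_enabled, so a cluster node where one of these has drifted is reported. The function names and the sample command line are constructed for illustration.

```sh
#!/bin/sh
# Added example: cross-check the pieces of FIPS state on one RHEL 8 node.
# Function names are illustrative; they are not part of any RHEL tool.

# Constructed sample of a kernel command line after fips-mode-setup --enable.
SAMPLE_CMDLINE='root=/dev/mapper/rhel-root ro fips=1 boot=UUID=1234-ABCD quiet'

# Succeeds if the kernel command line ($1) carries the exact token fips=1.
cmdline_has_fips() {
    case " $1 " in *" fips=1 "*) return 0 ;; esac
    return 1
}

# Prints the value of boot=<boot-device> from the command line ($1), if any.
cmdline_boot_device() {
    case " $1 " in
        *" boot="*) _rest=" $1"; _rest=${_rest##* boot=}
                    printf '%s\n' "${_rest%% *}" ;;
        *) return 1 ;;
    esac
}

# $1 = kernel command line, $2 = fips_enabled value, $3 = crypto policy name.
# Prints PASS or FAIL with one reason per mismatch; returns non-zero on FAIL.
fips_state() {
    _problems=""
    cmdline_has_fips "$1" || _problems="$_problems no-fips=1-on-cmdline"
    [ "$2" = "1" ] || _problems="$_problems kernel-fips_enabled-not-1"
    case "$3" in
        FIPS|FIPS:*) ;;
        *) _problems="$_problems crypto-policy-is-${3:-unknown}" ;;
    esac
    if [ -z "$_problems" ]; then
        echo "PASS boot=$(cmdline_boot_device "$1" || echo none)"
    else
        echo "FAIL$_problems"
        return 1
    fi
}

# Reads the live values; run as root on each node with: sh <script> --live
check_this_node() {
    fips_state "$(cat /proc/cmdline)" \
               "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" \
               "$(update-crypto-policies --show 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    check_this_node
fi
```

A FAIL line that names only the crypto policy means the node booted with fips=1 but its policy was changed afterwards. The boot= value is reported for information only.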

What to do next

Configure OpenSSH on RHEL 8 in FIPS Mode