Enable FIPS
FIPS mode is enabled when the VTL/SIR software is first installed on an appliance. If it was not enabled at that time and is now required, follow the steps below for an OBD 9.00 system running on Linux 7:
1. Install dracut-fips rpm (and its dependencies).
#yum install dracut-fips
2. Install the dracut-fips-aesni package for enhanced performance.
Run the following command to determine if the system CPU supports AES-NI:
#grep -qw aes /proc/cpuinfo && echo YES || echo NO
If the above returns YES, it is recommended (but not required) to install dracut-fips-aesni.
#yum install dracut-fips-aesni
3. If the prelink package is installed then disable prelinking:
#rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
#rpm -q prelink && prelink -uav
4. Back up the existing initramfs:
#mv -v /boot/initramfs-$(uname -r).img{,.bak}
5. Run dracut to rebuild initramfs:
#dracut
6. Add the fips=1 argument to the kernel command line:
#grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
7. Add boot=UUID=XXXX to the kernel command line, where XXXX is the UUID of the /boot filesystem (the test on $uuid skips this step when findmnt reports no separate /boot mount point):
#uuid=$(findmnt -no uuid /boot)
#[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
8. Set Ciphers and MACs in /etc/ssh/sshd_config to the FIPS-ready algorithms:
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-sha1
9. Reboot the system:
#reboot
10. Confirm that FIPS is in enforcing mode after the reboot; the crypto.fips_enabled sysctl should report 1.
#sysctl crypto.fips_enabled
crypto.fips_enabled = 1
11. Add the same arguments to the GRUB2 kernel command line in /etc/default/grub so that grub2-mkconfig carries them into any regenerated configuration:
#sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
#uuid=$(findmnt -no uuid /boot)
#[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
12. Use grub2-mkconfig to generate a new grub.cfg:
#grub2-mkconfig -o /boot/grub2/grub.cfg
13. Reboot again to confirm that FIPS is enabled by default.
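A post-reboot audit for this procedure, added here as an example and not part of the vendor instructions: it checks the kernel command line for fips=1 and, when /boot is a separate filesystem, for the boot=UUID argument, checks crypto.fips_enabled, and flags any sshd Ciphers or MACs entry outside the list given in step 8. The check functions take their input as arguments so they can also be run against saved output; the audit_host wrapper and its --live flag are assumptions of this example, as are the RHEL/CentOS 7 paths it reads.

```shell
#!/bin/sh
# Post-reboot audit for the steps above (added example, not vendor code). Checks take
# input as arguments so they run on a live host (audit_host) or on saved output.
set -f   # no pathname expansion while splitting words below
# check_cmdline CMDLINE BOOT_IS_SEPARATE(0|1) BOOT_UUID
# Compares whole arguments, so "fips=10" or "nofips=1" cannot pass as fips=1.
check_cmdline() {
    cmdline=$1; boot_separate=$2; boot_uuid=$3; have_fips=0; have_boot=0; rc=0
    for arg in $cmdline; do
        [ "$arg" = "fips=1" ] && have_fips=1
        [ "$arg" = "boot=UUID=$boot_uuid" ] && have_boot=1
    done
    [ "$have_fips" -eq 1 ] || { echo "fips=1 missing from kernel command line"; rc=1; }
    if [ "$boot_separate" -eq 1 ] && [ "$have_boot" -eq 0 ]; then
        echo "/boot is a separate filesystem but boot=UUID=$boot_uuid is not set"; rc=1
    fi
    return $rc
}
# check_sshd SSHD_CONFIG_TEXT: flags Ciphers/MACs entries outside the step 8 list.
check_sshd() {
    config=$1; rc=0
    ok_ciphers=" aes128-cbc 3des-cbc aes192-cbc aes256-cbc "; ok_macs=" hmac-sha1 "
    while IFS= read -r line; do
        set -- $line                                   # keyword, then value
        key=$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case "$key" in
            ciphers) allowed=$ok_ciphers ;;
            macs)    allowed=$ok_macs ;;
            *)       continue ;;                       # comments and other keywords
        esac
        for item in $(printf '%s' "${2:-}" | tr ',' ' '); do
            case "$allowed" in
                *" $item "*) ;;
                *) echo "$1: $item is not in the FIPS-ready list"; rc=1 ;;
            esac
        done
    done <<EOF
$config
EOF
    return $rc
}
# Live audit of this host (assumes the RHEL/CentOS 7 paths used in the steps).
audit_host() {
    uuid=$(findmnt -no uuid /boot 2>/dev/null); sep=0; [ -n "$uuid" ] && sep=1
    check_cmdline "$(cat /proc/cmdline)" "$sep" "$uuid"
    [ "$(sysctl -n crypto.fips_enabled 2>/dev/null)" = "1" ] || echo "crypto.fips_enabled is not 1"
    check_sshd "$(cat /etc/ssh/sshd_config)"
}
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it as root with --live after step 13; any line it prints is a setting the procedure above did not leave in place.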