
Working with Workload Identity Manager and FIPS

Workload Identity Manager images are available in both standard and FIPS formats.

  • Use standard (non-FIPS) images if performance is a key factor for you, or you need access to newer cryptographic algorithms that are not yet FIPS-validated. If you have no regulatory compliance requirement, a standard image is usually the better choice.
  • Use FIPS images where you must meet regulatory requirements, as is common for government agencies and contractors and in the finance and health sectors. A FIPS image restricts Workload Identity Manager to FIPS 140-2 validated cryptographic implementations, which is the assurance those regimes require for protecting data at rest and in transit.

Federal Information Processing Standards (FIPS) mode makes Workload Identity Manager use the system's cryptographic libraries. In the Workload Identity Manager FIPS container images, these cryptographic libraries are FIPS 140-2 validated.

Important

Not every cryptographic algorithm is FIPS-approved. Workload Identity Manager automatically disables non-FIPS algorithms on its TLS-served API endpoints, including REST and gRPC. The algorithms permitted for certificate issuance are not restricted automatically; they are configured in the control plane. To ensure that Workload Identity Manager issues only with approved algorithms, enforce corporate security policies that reject non-compliant key types and signing algorithms.

Important

The FIPS cryptographic libraries included in our Workload Identity Manager FIPS container images require the underlying platform to operate in FIPS mode. When running on Kubernetes and OpenShift, this means that all worker nodes must also run in FIPS mode. For more information, see Running Kubernetes and OpenShift in FIPS mode.

For information on FIPS mode on the major cloud platforms, see the following documentation: FIPS compliance

Running Kubernetes and OpenShift in FIPS mode

Confirming Kubernetes and OpenShift are running in FIPS mode

For each node in your cluster, confirm that it is running in FIPS mode by reading the kernel's FIPS flag, /proc/sys/crypto/fips_enabled, from the host filesystem:

kubectl debug -it node/<node_name> --image=ubuntu -- chroot /host cat /proc/sys/crypto/fips_enabled

Expected output:

1

A value of 0, or an error because the file does not exist, means the node's kernel is not in FIPS mode. kubectl debug leaves the debugging pod behind on the cluster; delete it when you have finished.
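
Checking one node at a time does not scale, and a node whose flag cannot be read should count as a failure rather than be skipped. The following bash script, added here as an example and not taken from the Workload Identity Manager documentation, audits every node in the cluster with the same chroot technique and exits non-zero if any node is not in FIPS mode. It assumes kubectl is configured against the cluster with permission to list nodes and create debug pods; the function names are ours.

```bash
#!/usr/bin/env bash
# Added example (not part of the Workload Identity Manager docs): audit the
# kernel FIPS flag on every node in the cluster and fail closed.
# Assumes kubectl is configured with rights to list nodes and create debug pods.

# check_fips_flags reads "node value" pairs from stdin, where value is the
# content of /proc/sys/crypto/fips_enabled on that node. It prints a verdict
# per node and returns 1 if any node is not FIPS-enabled or the flag was
# unreadable (empty value), so a missing sysctl is treated as non-compliant.
check_fips_flags() {
  local rc=0 node value
  while read -r node value; do
    if [ -z "$node" ]; then
      continue
    fi
    if [ "$value" = "1" ]; then
      printf '%-40s fips_enabled=1\n' "$node"
    else
      printf '%-40s NOT in FIPS mode (fips_enabled=%s)\n' \
        "$node" "${value:-unreadable}" >&2
      rc=1
    fi
  done
  return "$rc"
}

# node_fips_flag reads the flag on one node through an ephemeral debug pod
# that chroots into the host filesystem, the same approach as the single-node
# check above. Output is reduced to the bare digit (or nothing on failure).
node_fips_flag() {
  kubectl debug -q -i "node/$1" --image=ubuntu -- \
    chroot /host cat /proc/sys/crypto/fips_enabled 2>/dev/null | tr -cd '0-9'
}

# audit_cluster runs the check across all nodes. Its exit status is 0 only
# when every node reports fips_enabled=1.
audit_cluster() {
  kubectl get nodes -o name | sed 's#^node/##' | while read -r n; do
    printf '%s %s\n' "$n" "$(node_fips_flag "$n")"
  done | check_fips_flags
}

# Usage against the current kubectl context (uncomment to run):
# audit_cluster && echo "all nodes in FIPS mode" || echo "FIPS audit FAILED"
```

Source the file and call audit_cluster, or wire it into a pre-deployment check so a Workload Identity Manager FIPS image is never scheduled onto a cluster with a non-FIPS node. Each node probe leaves a node-debugger pod behind in the current namespace; delete those pods once the audit has run.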

Enforcing FIPS mode on Workload Identity Manager instances

You can enforce FIPS mode for your Workload Identity Manager instances on both Certificate Manager - SaaS and Certificate Manager - Self-Hosted.

Enforcing FIPS mode in Certificate Manager - SaaS

To ensure that all Workload Identity Manager instances run in FIPS mode in Certificate Manager - SaaS:

  1. Sign into Certificate Manager - SaaS.
  2. Click Configurations > Issuer Configurations, and select the issuer configuration you want to update.
  3. In the side panel that opens, select the Require Issuer instances to be FIPS compliant checkbox.

    Tip

    You can also set this parameter when you create a new configuration. For more information, see Workload Identity Manager configurations.

Enforcing FIPS mode in Certificate Manager - Self-Hosted

To ensure that Workload Identity Manager instances run in FIPS mode in Certificate Manager - Self-Hosted, set the following parameter in your Workload Identity Manager configuration file:

...
advancedSettings:
  requireFIPSCompliantBuild: true

For information on installing Workload Identity Manager using FIPS mode, see:

Deploying Workload Identity Manager on Kubernetes using Helm

For information on building a container image for Workload Identity Manager that uses an HSM, see:

Building a container image for Workload Identity Manager that uses an HSM