This section provides guidance on enabling FIPS mode on RHEL 8, ensuring a secure and compliant environment for Edge for Private Cloud versions 4.53.00 or higher.
Pre-install
Ensure that FIPS is enabled on your nodes along with the other standard configuration prerequisites listed in the Edge Installation Overview documentation.
fips-mode-setup --check
FIPS mode is enabled.    # Command output
If FIPS mode is currently disabled, refer to the official Red Hat documentation for instructions on how to enable it: Switching RHEL 8 to FIPS mode.
Java requirements
The Java you use should be downloaded from Red Hat's repository to ensure that its security modules are FIPS-compliant, enabling FIPS-specific restrictions through Java security.
Installation
In the Edge Configuration File Reference, set FIPS_OS=true on each node. You can follow the general installation steps for Edge for Private Cloud as usual.
Private key format
Only PKCS12/PFX format can be used to upload private keys to Apigee keystores for use in your API proxies or virtual hosts. For guidance on creating the file, refer to Converting certificates to supported format.
General TLS operations
When using Edge for Private Cloud 4.53.00 or later on FIPS-enabled RHEL 8.X, most TLS-related component configurations of Edge will need to be done via PKCS12 or BCFKS format keystores.
Refer to FIPS-specific documentation or notes in relevant articles for TLS configuration to get more details. The appendix lists some helpful commands that can be used to generate these keystores.
Default Java keystore/truststore
When Edge for Private Cloud 4.53.00 or later is used on FIPS-enabled RHEL 8.X, your message processor, management server, and other edge-* components rely on a default truststore and keystore provided with the product.
These contain CA certificates that your application trusts by default. If you wish to use your own store containing CA certificates, follow the procedure below:
- Create a BCFKS format cacerts file that contains all the CA certificates that you want to trust. Ensure that the keystore password and key password are the same. Refer to the appendix for more details.
- Place the file in an appropriate path and ensure it is readable by the apigee user:
cp my-cacerts.bcfks /opt/apigee/customer/application/my-cacerts.bcfks
chown apigee:apigee /opt/apigee/customer/application/my-cacerts.bcfks
- Create (or edit) the appropriate configuration file based on the component you're working with:
Component | File |
---|---|
edge-management-server | /opt/apigee/customer/application/management-server.properties |
edge-message-processor | /opt/apigee/customer/application/message-processor.properties |
edge-router | /opt/apigee/customer/application/router.properties |
edge-postgres-server | /opt/apigee/customer/application/postgres-server.properties |
edge-qpid-server | /opt/apigee/customer/application/qpid-server.properties |
- Add the following lines to the file, replacing changeme with the password you set when creating the store (the keystore password and key password must be the same):
conf_system_javax.net.ssl.trustStore=<PATH to bcfks cacerts>
conf_system_javax.net.ssl.trustStorePassword=changeme
conf_system_javax.net.ssl.keyStore=<PATH to bcfks cacerts>
conf_system_javax.net.ssl.keyStoreType=BCFKS
conf_system_javax.net.ssl.keyStorePassword=changeme
- Ensure that the configuration file is owned by and readable by the apigee user:
chown apigee:apigee /opt/apigee/customer/application/<file>.properties
- Restart the component:
/opt/apigee/apigee-service/bin/apigee-service <component> restart
Appendix
BCFKS keystore operation sample commands
The command below generates a BCFKS keystore with a self-signed key and certificate pair:
keytool -genkeypair -keyalg RSA -alias node0 -validity 365 -keystore keystore.node0 \
  -storepass keypass -keypass keypass -v \
  -dname "EMAILADDRESS=youremail@domain.com, CN=yourcn, OU=yourou, O=youro, L=yourl, C=yourc" \
  -storetype BCFKS -providerpath /opt/apigee/edge-gateway/lib/thirdparty/bc-fips-1.0.2.4.jar \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providername BCFIPS
Keytool commands remain consistent with those typically used, but the following options must be included in every keytool command that operates on a BCFKS keystore:
-storetype BCFKS \
  -providerpath /opt/apigee/edge-gateway/lib/thirdparty/bc-fips-1.0.2.4.jar \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providername BCFIPS
Keytool Arguments
Keytool Argument | Description |
---|---|
-storetype | Set the store type to BCFKS. |
-providerpath | Specify the path to bc-fips-XXXX.jar. This version may change in future OPDK releases. Use the version shipped by Apigee or download it from Bouncycastle's repositories. For OPDK 4.53, the path should be /opt/apigee/edge-gateway/lib/thirdparty/bc-fips-1.0.2.4.jar. |
-providerclass | Set this to org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider. |
-providername | Set this to BCFIPS. |
Similar keytool commands can be used to import or export certificates and/or keys from or to a BCFKS format keystore. For more information on how to work with BCFKS, check the BouncyCastle documentation.
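An added example (not the Apigee documentation's own code) that serves both the "create a BCFKS cacerts file" step above and the keytool options in this appendix: it splits a PEM bundle of CA certificates into individual files and imports each one as a trusted entry of a BCFKS truststore, passing the BC FIPS provider flags on every call and keeping the store and key password identical. The KEYTOOL variable, the ca-N alias scheme and the sample bundle are assumptions of this example, not part of the product.

```shell
#!/bin/sh
# Added example, not Apigee's own code: build the BCFKS "cacerts" truststore
# described above from a PEM bundle of CA certificates, passing the BC FIPS
# provider options listed in the appendix on every keytool call.
set -eu

# Provider options from the page; the jar path is the one shipped with OPDK 4.53.
BC_JAR=/opt/apigee/edge-gateway/lib/thirdparty/bc-fips-1.0.2.4.jar
BC_OPTS="-storetype BCFKS -providerpath $BC_JAR \
 -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
 -providername BCFIPS"
KEYTOOL="${KEYTOOL:-keytool}"   # assumed: overridable to point at Red Hat's JDK keytool

# Split a PEM bundle into one file per certificate: $1=bundle, $2=output dir.
# Prints the number of certificates written.
split_pem_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
        END { print n + 0 }' "$1"
}

# Import every ca-*.pem in $2 as a trusted entry of the BCFKS store $1.
# $3 is used as both -storepass and -keypass, as the page requires.
build_cacerts() {
    store=$1; dir=$2; pass=$3
    for pem in "$dir"/ca-*.pem; do
        entry=$(basename "$pem" .pem)          # ca-1, ca-2, ... in bundle order
        # $BC_OPTS is left unquoted on purpose so it word-splits into options
        "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$entry" \
            -file "$pem" -keystore "$store" -storepass "$pass" -keypass "$pass" \
            $BC_OPTS
    done
}

# Constructed sample bundle (placeholder bodies, not real certificates), so the
# splitting step can be checked offline before pointing it at a real bundle.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAplaceholder==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediateCAplaceholder==
-----END CERTIFICATE-----
EOF
}
```

On a node, run split_pem_bundle against your real CA bundle and then build_cacerts /opt/apigee/customer/application/my-cacerts.bcfks <split dir> <password>, using the same password in the conf_system_javax.net.ssl.* properties.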
PKCS12 Store
To generate a PKCS12 store, openssl commands can be used:
# Generate a self-signed private key and certificate
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.pem -sha256 -days 36500 -nodes \
  -subj "/C=yourc/ST=yourst/L=yourl/O=youro/OU=yourou/CN=cn/emailAddress=email"
# Package the above generated key and cert into a PKCS12
openssl pkcs12 -export -clcerts -in certificate.pem -inkey private.key -out keystore.pfx -name myalias
If you have your own private key and certificate and need to convert them into a PKCS12 format, refer to Converting certificates to supported format.