FIPS 140-2 enabled PE

Sections

Puppet Enterprise (PE) is available in a FIPS (Federal Information Processing Standard) 140-2 enabled version. This version is compatible with select third party FIPS-compliant platforms.

To install FIPS-enabled PE, install the appropriate FIPS-enabled master or agent package on a supported platform with FIPS mode enabled. Master and compiler nodes must be configured with sufficient available entropy for the installation process to succeed.

Changes in FIPS-enabled PE installations

In order to operate on FIPS-compliant platforms, PE includes the following changes:
  • All components are built and packaged against system OpenSSL for the master, or against OpenSSL built in FIPS mode for agents.
  • All use of MD5 hashes for security has been eliminated and replaced.
  • Forge and module tooling use SHA-256 hashes to verify the identity of modules.
  • Proper random number generation devices are used on all platforms.
  • All Java and Clojure components use FIPS Bouncy Castle encryption providers on FIPS-compliant platforms.

Limitations and cautions for FIPS-enabled PE installations

Be aware of the following when installing FIPS-enabled PE.
  • Migrating from non-FIPS versions of PE to FIPS-enabled PE requires reinstalling on a supported platform with FIPS mode enabled.
  • Disaster recovery configurations are not supported for FIPS-enabled PE.
  • FIPS-enabled PE installations don't support extensions or modules that use the standard Ruby Open SSL library, such as hiera-eyaml or the splunk_hec module. As a workaround, you can use a non-FIPS-enabled master with FIPS-enabled agents, which limits the issue to situations where only the agent uses the Ruby library.
  • Due to a known issue with the pe-client-tools packages, puppet code and puppet db commands fail with SSL handshake errors when run on FIPS-compliant platforms. To use puppet db commands on a FIPS-compliant platform, install the puppetdb_cli Ruby gem. To use puppet code commands on a FIPS-compliant platform, use the Code Manager API.
How helpful was this page?

If you leave us your email, we may contact you regarding your feedback. For more information on how Puppet uses your personal information, see our privacy policy.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.