FIPS 140-2 enabled PE

Sections

Puppet Enterprise (PE) is available in a FIPS (Federal Information Processing Standard) 140-2 enabled version. This version is compatible with select third party FIPS-compliant platforms.

To install FIPS-enabled PE, install the appropriate FIPS-enabled primary server or agent package on a supported platform with FIPS mode enabled. Primary and compiler nodes must be configured with sufficient available entropy for the installation process to succeed.

Changes in FIPS-enabled PE installations

In order to operate on FIPS-compliant platforms, PE includes the following changes:
  • All components are built and packaged against system OpenSSL for the primary server, or against OpenSSL built in FIPS mode for agents.
  • All use of MD5 hashes for security has been eliminated and replaced.
  • Forge and module tooling use SHA-256 hashes to verify the identity of modules.
  • Proper random number generation devices are used on all platforms.
  • All Java and Clojure components use FIPS Bouncy Castle encryption providers on FIPS-compliant platforms.

Limitations and cautions for FIPS-enabled PE installations

Be aware of the following when installing FIPS-enabled PE.
  • Migrating from non-FIPS versions of PE to FIPS-enabled PE requires reinstalling on a supported platform with FIPS mode enabled.
  • Disaster recovery configurations are not supported for FIPS-enabled PE.
  • FIPS-enabled PE installations don't support extensions or modules that use the standard Ruby Open SSL library, such as hiera-eyaml or the splunk_hec module. As a workaround, you can use a non-FIPS-enabled primary server with FIPS-enabled agents, which limits the issue to situations where only the agent uses the Ruby library.
  • Due to a known issue with the pe-client-tools packages, puppet code and puppet db commands fail with SSL handshake errors when run on FIPS-compliant platforms. To use puppet db commands on a FIPS-compliant platform, install the puppetdb_cli Ruby gem. To use puppet code commands on a FIPS-compliant platform, use the Code Manager API.
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.