FIPS 140-2 enabled PE

This release was removed from general availability due to upgrade issues.
This version is out of date. For current versions, see Puppet Enterprise support lifecycle.

Puppet Enterprise (PE) is available in a FIPS (Federal Information Processing Standard) 140-2 enabled version. This version is compatible with select third-party FIPS-compliant platforms.

To install FIPS-enabled PE, install the appropriate FIPS-enabled primary server or agent package on a supported platform with FIPS mode enabled. Primary and compiler nodes must be configured with sufficient available entropy for the installation process to succeed.
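An added preflight script, not part of the PE installer or these docs, that confirms the two prerequisites above on a Linux primary server or compiler before the installer is run. The /proc paths are an assumption (Linux only), and the default entropy threshold is an assumed value because the page does not quantify "sufficient":

```shell
#!/bin/sh
# Added example (not PE installer code): checks that FIPS mode is enabled
# and that enough entropy is available before installing FIPS-enabled PE.
# Paths and the minimum are parameters so the checks can also be run
# against constructed files; the default minimum is an assumption.

FIPS_FLAG=${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-1000}   # assumed threshold, adjust per platform

# Read a sysctl-style file and strip surrounding whitespace.
read_value() {
    [ -r "$1" ] || return 1
    tr -d '[:space:]' < "$1"
}

# Returns 0 only when the kernel reports FIPS mode as enabled ("1").
fips_mode_enabled() {
    v=$(read_value "$1") || return 1
    [ "$v" = "1" ]
}

# Returns 0 when the entropy counter is a number >= the minimum in $2.
entropy_sufficient() {
    v=$(read_value "$1") || return 1
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$2" ]
}

# Combined check: 0 = ready, 1 = FIPS mode off, 2 = entropy too low.
preflight() {
    if ! fips_mode_enabled "$1"; then
        echo "FAIL: FIPS mode is not enabled ($1)" >&2
        return 1
    fi
    if ! entropy_sufficient "$2" "$3"; then
        echo "FAIL: available entropy below $3 ($2)" >&2
        return 2
    fi
    echo "OK: FIPS mode enabled and entropy >= $3"
}

# Check the live system only when invoked as: sh pe_fips_preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight "$FIPS_FLAG" "$ENTROPY_FILE" "$MIN_ENTROPY"
fi
```

Run it on each primary and compiler node before starting the installer; a non-zero exit code names the prerequisite that is missing.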

Changes in FIPS-enabled PE installations

In order to operate on FIPS-compliant platforms, PE includes the following changes:
  • All components are built and packaged against system OpenSSL for the primary server, or against OpenSSL built in FIPS mode for agents.
  • All use of MD5 hashes for security has been eliminated and replaced.
  • Forge and module tooling use SHA-256 hashes to verify the identity of modules.
  • Proper random number generation devices are used on all platforms.
  • All Java and Clojure components use FIPS Bouncy Castle encryption providers on FIPS-compliant platforms.

Limitations and cautions for FIPS-enabled PE installations

Be aware of the following when installing FIPS-enabled PE.
  • Migrating from non-FIPS versions of PE to FIPS-enabled PE requires reinstalling on a supported platform with FIPS mode enabled.
  • Disaster recovery configurations are not supported for FIPS-enabled PE.
  • FIPS-enabled PE installations don't support extensions or modules that use the standard Ruby OpenSSL library, such as hiera-eyaml or the splunk_hec module. As a workaround, you can use a non-FIPS-enabled primary server with FIPS-enabled agents, which limits the issue to situations where only the agent uses the Ruby library.
  • Due to a known issue with the pe-client-tools packages, puppet code and puppet db commands fail with SSL handshake errors when run on FIPS-compliant platforms. To use puppet db commands on a FIPS-compliant platform, install the puppetdb_cli Ruby gem. To use puppet code commands on a FIPS-compliant platform, use the Code Manager API.