General Config/Admin
      Back to home
      1. Hyperglance Support
      2. Setup & Configuration
      3. General Config/Admin

      Enable FIPS modules in Hyperglance Containers

      To ensure compliance with STIG standards, it is necessary to enable FIPS modules in the Hyperglance containers. This comprehensive guide will walk you through the process step-by-step.

      PLEASE NOTE:

      The base image for all 3 of the Hyperglance containers is Ubuntu 20.04. To enable FIPS compliant modules within these containers, they must be running on a matching host. All of our marketplace images utilise this as the base, but if you have utilised the Hyperglance Installer on a non Ubuntu 20.04 OS, then this guide will not work for your deployment, and is currently unsupported.

      For customers who are using our Kubernetes deployment options, we are currently working on developing a comprehensive guide that will be released soon. Stay tuned for updates!

       

      Read the guide most appropriate to your setup:

      New Hyperglance Deployment - Hyperglance Marketplace Image's

      1. Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
      2. Install the Ubuntu Pro Client 
        sudo apt update
        sudo apt install ubuntu-advantage-tools
      3. Attach your Ubuntu Pro Token to the OS
        sudo pro attach <your_pro_token>
      4. Enable fips-updates 
        sudo ua enable fips-updates
      5. Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
        cat /proc/sys/crypto/fips_enabled
      6. If you are NOT already using an ubuntu-fips image:
        Edit the file located at /etc/fips/pro-attach-config.yml and insert your ubuntu pro token.
      7. Run the following command. This adds the hg-fips-up alias to your bashrc.
        echo 'alias hg-fips-up="sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"' >> ~/.bashrc
      8. Reload your shell so the new alias is available. 
        exec bash
      9. Run the following command to build and run the fips enabled containers 
        hg-fips-up
      10. You can verify that you're running the fips-enabled containers by running the following command: 
        sudo docker ps

      New Hyperglance Deployment - Hyperglance Installer

      You can either use a fips-compliant Ubuntu 20.04 marketplace image, or a standard Ubuntu 20.04 LTS image. If using a fips-compliant marketplace image, skip to Hyperglance Installation.

      Preparation - Run these steps on the Hyperglance host

      1. Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
      2. Install the Ubuntu Pro Client 
        sudo apt update
        sudo apt install ubuntu-advantage-tools
      3. Attach your Ubuntu Pro Token to the OS
        sudo pro attach <your_pro_token>
      4. Enable fips-updates 
        sudo ua enable fips-updates
      5. Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
        cat /proc/sys/crypto/fips_enabled

      Hyperglance Installation

      This deployment should be run from any system that has ssh access to the target. Do NOT run it on the same machine that you are installing to. Execute the deployment from a remote system, or control node where your private key(s) already resides.

      This method will use a docker container to deploy Hyperglance to another system that you have SSH access to.

      From your "local" machine perform the following commands to start the deployment:

      1. docker pull hyperglance/hyperglance_installer
      2. In the same directory create an inventory file:
        touch inventory 
      3. Populate this file with the following content, replace the IP Address with the target IP, and change the ansible_user if required and add in your ubuntu pro token. Do not change the key name.
        [hg]
        HOST_IP OR DNS NAME

        [all:vars]
        ansible_user=<SSH username>
        ansible_ssh_private_key_file=~/.ssh/id_rsa
        ubuntu_pro_token=<your_pro_token>

      4.  Execute the following command. Make sure to adjust key path binding if necessary (if your key is not ~/.ssh./id_rsa) and map it to /root/.ssh/id_rsa in the container:

      For example:
      -v ~/.ssh/MY_KEY:/root/.ssh/id_rsa

      docker run --rm -it \
       -v ~/.ssh/id_rsa:/root/.ssh/id_rsa \
       -v $(pwd)/inventory:/ansible/playbooks/inventory \
       hyperglance/hyperglance_installer:latest deploy.yml -i inventory

      5. You will see some output from the container as it deploys, failed=0 is a good sign of success

      PLAY RECAP *******************************************************************************************************************************************************************************
      ip-172-31-30-191 : ok=14 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
      6. Run the following command to build and run the fips enabled containers 
      hg-fips-up

      The above command is an alias for the following command

      sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"
      7. You can verify that you're running the fips-enabled containers by running the following command: 
      sudo docker ps

      Existing Hyperglance Deployment

      1. Check your Hyperglance installation OS. You can use the following command: 
        lsb_release -a
        If the Release matches 20.04, we can proceed.
      2. Create a backup of your instance. Converting a non fips enabled OS to a fips enabled OS is not reversible. The backup process will depend on your cloud provider.
      3. Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
      4. Install the Ubuntu Pro Client 
        sudo apt update
        sudo apt install ubuntu-advantage-tools
      5. Attach your Ubuntu Pro Token to the OS
        sudo pro attach <your_pro_token>
      6. Enable fips-updates 
        sudo ua enable fips-updates
      7. Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
        cat /proc/sys/crypto/fips_enabled
      8. Check your Hyperglance instance for the following files that are required. These exist on newer Hyperglance Marketplace images.
        1. /etc/fips/Dockerfile-fips-httpd
        2. /etc/fips/Dockerfile-fips-postgresql
        3. /etc/fips/Dockerfile-fips-wildfly
        4. /etc/fips/pro-attach-config.yml
        5. /etc/docker-compose-fips.yml
      9. If the files exist, skip ahead to step 15, otherwise proceed to the next step.
      10. Download the following archive to the Hyperglance instance, and extract the contents. 
        wget https://support.hyperglance.com/hubfs/fips-files/fips-bundle.tar.gz
        tar xzvf fips-bundle.tar.gz
      11. Copy the extracted fips directory to the /etc/ directory and change permissions 
        sudo cp -R fips /etc/fips
        sudo chmod -R 600 /etc/fips/*
      12. Copy the extracted docker-compose-fips.yml to /etc/docker-compose-fips.yml 
        sudo cp docker-compose-fips.yml /etc/docker-compose-fips.yml
        sudo chmod 600 /etc/docker-compose-fips.yml
      13. Add the alias to build the fips enabled containers to the .bashrc file at /home/ec2-user/.bashrc 
        echo 'alias hg-fips-up="sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"' >> ~/.bashrc
      14. Reload the .bashrc file 
        exec bash
      15. Edit /etc/fips/pro-attach-config.yml to include your ubuntu pro token.
      16. Run the following command to build and run the fips enabled containers 
        hg-fips-up
      17. You can verify that you're running the fips-enabled containers by running the following command: 
        sudo docker ps