To ensure compliance with STIG standards, it is necessary to enable FIPS modules in the Hyperglance containers. This comprehensive guide will walk you through the process step-by-step.
PLEASE NOTE:
The base image for all 3 of the Hyperglance containers is Ubuntu 20.04. To enable FIPS compliant modules within these containers, they must be running on a matching host. All of our marketplace images utilise this as the base, but if you have utilised the Hyperglance Installer on a non Ubuntu 20.04 OS, then this guide will not work for your deployment, and is currently unsupported.
For customers who are using our Kubernetes deployment options, we are currently working on developing a comprehensive guide that will be released soon. Stay tuned for updates!
Read the guide most appropriate to your setup:
New Hyperglance Deployment - Hyperglance Marketplace Image's
- Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
- Install the Ubuntu Pro Client
sudo apt update
sudo apt install ubuntu-advantage-tools
- Attach your Ubuntu Pro Token to the OS
sudo pro attach <your_pro_token>
- Enable fips-updates
sudo ua enable fips-updates
- Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
cat /proc/sys/crypto/fips_enabled
- If you are NOT already using an ubuntu-fips image:
Edit the file located at /etc/fips/pro-attach-config.yml and insert your ubuntu pro token. - Run the following command. This adds the hg-fips-up alias to your bashrc.
echo 'alias hg-fips-up="sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"' >> ~/.bashrc
- Reload your shell so the new alias is available.
exec bash
- Run the following command to build and run the fips enabled containers
hg-fips-up
- You can verify that you're running the fips-enabled containers by running the following command:
sudo docker ps
New Hyperglance Deployment - Hyperglance Installer
You can either use a fips-compliant Ubuntu 20.04 marketplace image, or a standard Ubuntu 20.04 LTS image. If using a fips-compliant marketplace image, skip to Hyperglance Installation.
Preparation - Run these steps on the Hyperglance host
- Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
- Install the Ubuntu Pro Client
sudo apt update
sudo apt install ubuntu-advantage-tools
- Attach your Ubuntu Pro Token to the OS
sudo pro attach <your_pro_token>
- Enable fips-updates
sudo ua enable fips-updates
- Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
cat /proc/sys/crypto/fips_enabled
Hyperglance Installation
This deployment should be run from any system that has ssh access to the target. Do NOT run it on the same machine that you are installing to. Execute the deployment from a remote system, or control node where your private key(s) already resides.
This method will use a docker container to deploy Hyperglance to another system that you have SSH access to.
From your "local" machine perform the following commands to start the deployment:
-
docker pull hyperglance/hyperglance_installer
-
In the same directory create an inventory file:
touch inventory
- Populate this file with the following content, replace the IP Address with the target IP, and change the ansible_user if required and add in your ubuntu pro token. Do not change the key name.
[hg]
HOST_IP OR DNS NAME
[all:vars]
ansible_user=<SSH username>
ansible_ssh_private_key_file=~/.ssh/id_rsa
ubuntu_pro_token=<your_pro_token>
4. Execute the following command. Make sure to adjust key path binding if necessary (if your key is not ~/.ssh./id_rsa) and map it to /root/.ssh/id_rsa in the container:
For example:
-v ~/.ssh/MY_KEY:/root/.ssh/id_rsa
docker run --rm -it \
-v ~/.ssh/id_rsa:/root/.ssh/id_rsa \
-v $(pwd)/inventory:/ansible/playbooks/inventory \
hyperglance/hyperglance_installer:latest deploy.yml -i inventory
5. You will see some output from the container as it deploys, failed=0 is a good sign of success
PLAY RECAP *******************************************************************************************************************************************************************************
ip-172-31-30-191 : ok=14 changed=8 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
hg-fips-up
The above command is an alias for the following command
sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"
sudo docker ps
Existing Hyperglance Deployment
- Check your Hyperglance installation OS. You can use the following command:
lsb_release -a
If the Release matches 20.04, we can proceed. - Create a backup of your instance. Converting a non fips enabled OS to a fips enabled OS is not reversible. The backup process will depend on your cloud provider.
- Acquire an Ubuntu Pro Token from the Ubuntu Pro dashboard.
- Install the Ubuntu Pro Client
sudo apt update
sudo apt install ubuntu-advantage-tools
- Attach your Ubuntu Pro Token to the OS
sudo pro attach <your_pro_token>
- Enable fips-updates
sudo ua enable fips-updates
- Reboot the os, and then check to see if fips has been enabled. The expected output is 1.
cat /proc/sys/crypto/fips_enabled
-
Check your Hyperglance instance for the following files that are required. These exist on newer Hyperglance Marketplace images.
-
/etc/fips/Dockerfile-fips-httpd
-
/etc/fips/Dockerfile-fips-postgresql
-
/etc/fips/Dockerfile-fips-wildfly
-
/etc/fips/pro-attach-config.yml
-
/etc/docker-compose-fips.yml
-
-
If the files exist, skip ahead to step 15, otherwise proceed to the next step.
- Download the following archive to the Hyperglance instance, and extract the contents.
wget https://support.hyperglance.com/hubfs/fips-files/fips-bundle.tar.gz
tar xzvf fips-bundle.tar.gz - Copy the extracted fips directory to the /etc/ directory and change permissions
sudo cp -R fips /etc/fips
sudo chmod -R 600 /etc/fips/* - Copy the extracted docker-compose-fips.yml to /etc/docker-compose-fips.yml
sudo cp docker-compose-fips.yml /etc/docker-compose-fips.yml
sudo chmod 600 /etc/docker-compose-fips.yml - Add the alias to build the fips enabled containers to the .bashrc file at /home/ec2-user/.bashrc
echo 'alias hg-fips-up="sudo docker stop wildfly httpd postgresql && sudo docker rm wildfly httpd postgresql && sudo docker-compose -f /etc/docker-compose.yml pull && sudo docker-compose -p hyperglance-fips -f /etc/docker-compose-fips.yml up -d --build"' >> ~/.bashrc
- Reload the .bashrc file
exec bash
- Edit /etc/fips/pro-attach-config.yml to include your ubuntu pro token.
- Run the following command to build and run the fips enabled containers
hg-fips-up
- You can verify that you're running the fips-enabled containers by running the following command:
sudo docker ps