On Mon, 19 Apr 2021 at 15:09, Steve Reed via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hi Stephen,
True. I understand that, but I think we are getting off track to my
original question. Can you run a FIPS FreeIPA server and still have the
clients work with it? It's not necessarily required to have the clients
FIPS compliant, but the server must since it has to do the encryption for
data that it stores.
And I appreciate that everyone is trying to save me some time, but it has
been decided that we will use FIPS unless it proves not beneficial.
FIPS compliance basically says the system will only use a certain subset of
encryption algorithms and no others. Where this can cause problems are the
following:
1. Systems with old software or hardware. If your environment has
hardware/software from before 2012, then they may not be able to talk to
EL8 systems in FIPS mode without software being updated on those systems.
2. Systems with really new software. The general place I see this is where
someone sets their algorithms to FUTURE or some brand-new 'I am writing a
paper for an RFC to the IETF which will cover this' method.
3. Systems which are configured to use modern but non-compliant algorithms
(I think GOST, some elliptical algorithms etc.)
In those cases, you end up with weird 'why isn't this working' problems
which can take a while to diagnose in a large environment. In smaller ones
it is usually 'well don't do that' or 'time for your manager to approve
that upgrade budget'.
--
Stephen J Smoogen.
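A quick way to see which of the situations above a host is in, added here as an example and not part of the thread: on EL8 the kernel FIPS flag lives in /proc/sys/crypto/fips_enabled and the active system-wide crypto policy name (DEFAULT, FUTURE, FIPS, FIPS:OSPP, ...) in /etc/crypto-policies/config; both paths are parameters here so the check can be exercised on constructed files.

```shell
#!/bin/sh
# Added example: classify a host's FIPS state the way the mismatches in the
# thread show up in practice. Real hosts: fips_enabled from /proc, policy name
# from /etc/crypto-policies/config (`fips-mode-setup --check` and
# `update-crypto-policies --show` report the same two facts).

fips_status() {
    fips_file=${1:-/proc/sys/crypto/fips_enabled}
    policy_file=${2:-/etc/crypto-policies/config}

    fips=0
    if [ -r "$fips_file" ]; then
        fips=$(tr -d '[:space:]' < "$fips_file")
    fi

    policy=UNKNOWN
    if [ -r "$policy_file" ]; then
        # first non-blank, non-comment line holds the policy name
        policy=$(grep -v '^[[:space:]]*#' "$policy_file" | grep -v '^[[:space:]]*$' \
                 | head -n 1 | tr -d '[:space:]')
        [ -n "$policy" ] || policy=UNKNOWN
    fi
    base=${policy%%:*}    # FIPS:OSPP -> FIPS (drop the subpolicy suffix)

    if [ "$fips" = "1" ] && [ "$base" = "FIPS" ]; then
        echo "OK kernel FIPS mode on, crypto policy $policy"
        return 0
    fi
    if [ "$base" = "FUTURE" ]; then
        # point 2 above: peers with older crypto stacks will fail to negotiate
        echo "WARN crypto policy FUTURE (fips_enabled=$fips): expect handshake failures with older peers"
        return 2
    fi
    if [ "$fips" = "1" ]; then
        # kernel flag set but the policy was changed afterwards; fips-mode-setup sets both together
        echo "WARN kernel FIPS mode on but crypto policy is $policy, not FIPS"
        return 3
    fi
    if [ "$base" = "FIPS" ]; then
        # the reverse: policy says FIPS but the kernel was never switched (no reboot, or kernel arg missing)
        echo "WARN crypto policy $policy but kernel fips_enabled=$fips: host is not in FIPS mode"
        return 4
    fi
    echo "INFO not in FIPS mode (fips_enabled=$fips, crypto policy $policy)"
    return 1
}
```

Source the file and call `fips_status` with no arguments on a real host; the exit code (0 only for a consistent FIPS host) makes it usable from a fleet-wide check.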