Mark created FLINK-35626:
----------------------------
Summary: Add support for FIPS
Key: FLINK-35626
URL: https://issues.apache.org/jira/browse/FLINK-35626
Project: Flink
Issue Type: New Feature
Reporter: Mark
In order to be able to use Apache Flink in certain environments with strict
compliance requirements, the application may need to be compliant with
FIPS-140-2.
The path to produce a FIPS compliant image can vary, depending on the
programming language and application itself. For Java, this may involve:
* For any bundled crypto, utilising FIPS versions, i.e. the FIPS version of
BouncyCastle (bcfips). Alternatively, ensuring there is no bundled crypto, and
all operations fall back to the JRE / OpenSSL on the host
* Where keystores are required, support for creating bcfks keystore types
* Producing a base image with OpenSSL configured for FIPS, as well as a JRE
configured for FIPS (such as bcfips)
* No use of unapproved crypto algorithms, such as DES, MD5, SHA1 etc.
It would be great if Flink was able to support FIPS - by that, I mean ensuring
all requirements are met, and some documentation outlining how this is met and
enforced.
From a quick scan of the codebase, I don't see any direct references to
bouncycastle (either non-fips or fips), but I do see several places where md5
and sha1 are used for example.
Support for FIPS would increase the use-cases for deploying Flink in secure
environments. Thanks for taking this into consideration.
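An added example, not part of the issue and not Flink code: one way to turn the "quick scan of the codebase" into a repeatable check that reports Java call sites using the algorithm families the issue lists as unapproved (DES, MD5, SHA1). The file names and sources in `SAMPLE` are constructed, and because the scan is regex-based it only sees algorithm names written as string literals or in helper method names.

```python
import re

# Families the issue lists as unapproved: DES, MD5, SHA1.
# DESede (3DES) is deliberately not matched; the issue does not name it.
FAMILIES = {
    "MD5": re.compile(r"MD5", re.I),
    "SHA1": re.compile(r"SHA-?1(?!\d)", re.I),
    "DES": re.compile(r"DES(?!ede)", re.I),
}
# JCA factory calls with a string-literal algorithm or transformation.
JCA_CALL = re.compile(
    r"\b(?:MessageDigest|Cipher|Mac|Signature|KeyGenerator|SecretKeyFactory)"
    r"\s*\.\s*getInstance\s*\(\s*\"([^\"]+)\"")
# Helpers that carry the algorithm in the method name (commons-codec, Guava).
HELPER_CALL = re.compile(r"\b(?:DigestUtils|Hashing)\s*\.\s*(md5|sha1)\w*\s*\(", re.I)

def families_in(name):
    """Return the unapproved families present in one JCA algorithm name."""
    return [fam for fam, rx in FAMILIES.items() if rx.search(name)]

def scan(sources):
    """sources: {path: java_source}. Returns sorted (path, line, family) hits."""
    hits = set()
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith(("//", "*")):
                continue  # skip line comments and block-comment bodies
            for m in JCA_CALL.finditer(line):
                hits.update((path, lineno, f) for f in families_in(m.group(1)))
            for m in HELPER_CALL.finditer(line):
                hits.add((path, lineno, m.group(1).upper()))
    return sorted(hits)

# Constructed sample input (hypothetical file names, not Flink sources).
SAMPLE = {
    "example/Digests.java": (
        'MessageDigest a = MessageDigest.getInstance("SHA-256");\n'
        'MessageDigest b = MessageDigest.getInstance("SHA-1");\n'
        '// MessageDigest.getInstance("MD5") was removed\n'
        'String tag = DigestUtils.md5Hex(payload);\n'),
    "example/Ciphers.java": (
        'Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");\n'
        'Cipher d = Cipher.getInstance("DESede/CBC/PKCS5Padding");\n'
        'Mac m = Mac.getInstance("HmacSHA1");\n'
        'Signature s = Signature.getInstance("SHA1withRSA");\n'),
}

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Each hit still needs a manual look to decide whether the call is a security use that must change.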