[ https://issues.apache.org/jira/browse/NIFI-14048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901009#comment-17901009 ]

David Handermann commented on NIFI-14048:
-----------------------------------------

Thanks for reporting this issue [~namastenerd].

Can you provide some additional information regarding the Java security policy 
in your environment? Is this based on the default policy included with Red Hat 
9.5 for FIPS mode, or does the security policy include any customization beyond 
what RHEL 9.5 provides?

NIST finalized and published [FIPS 
186-5|https://csrc.nist.gov/pubs/fips/186-5/final] in February 2023, which 
included Ed25519 as one of several algorithms approved for digital signatures.

The NiFi project aims for optimal security options as much as possible, but it 
is worth noting that compatibility with FIPS 140 Java Security Providers is not 
tested or guaranteed. With that being said, it is helpful to understand various 
use cases and deployment scenarios, so any additional information you can 
provide as far as the security policy, the Java vendor, and Java version, would 
be helpful.

> Ed25519 and RHEL 9 in FIPS Mode
> -------------------------------
>
>                 Key: NIFI-14048
>                 URL: https://issues.apache.org/jira/browse/NIFI-14048
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Security
>    Affects Versions: 2.0.0
>         Environment: On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will 
> not start since Ed25519 (and Ed448) signatures are disabled in the 
> system-wide FIPS crypto policy. We are unable to deviate from this crypto 
> policy.
>            Reporter: Angela E
>            Priority: Critical
>
> On a Red Hat 9.5 FIPS mode installation, NiFi 2.0 will not start since 
> Ed25519 (and Ed448) signatures are disabled in the system-wide FIPS crypto 
> policy. We are unable to deviate from this crypto policy.
>  
> JSON Web Token change in NiFi 2.0.0-M4 as referenced in:
>  
> https://issues.apache.org/jira/browse/NIFI-13424
>  
> When attempting to start, NiFi issues this exception:
>  
> Factory method 'keyGenerationCommand' threw exception with message: 
> java.security.NoSuchAlgorithmException: Ed25519 KeyPairGenerator not available
>  
> Recommending an optional setting in nifi.properties to allow the JWT to 
> revert to previous PS512 signatures. 
>  
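The quoted report shows the failure surfacing as a `java.security.NoSuchAlgorithmException` from a `KeyPairGenerator` lookup. The following is an added diagnostic, not NiFi's own code or anything from the issue: it probes the running JVM's installed security providers for the key-pair algorithms relevant here (Ed25519 and Ed448, which the report says the RHEL FIPS crypto policy disables, and RSA, which the pre-2.0.0-M4 PS512 signing relied on) and lists every `KeyPairGenerator` service the active policy has left enabled. The class name and the candidate ordering are assumptions of this example.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.List;

/**
 * Added diagnostic (not NiFi code): report which signature key-pair algorithms
 * the JVM's security providers actually offer under the active security policy.
 * Run it with the same JDK and java.security configuration that NiFi uses.
 */
public final class SignatureAlgorithmProbe {

    // Hypothetical preference order: Ed25519 first (the NiFi 2.x JWT default per
    // NIFI-13424), then Ed448, then RSA (the key type behind PS512 signatures).
    static final List<String> CANDIDATES = List.of("Ed25519", "Ed448", "RSA");

    /** Name of the provider supplying a KeyPairGenerator for the algorithm, or null if none. */
    public static String providerFor(String algorithm) {
        try {
            return KeyPairGenerator.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            // This is the same condition that produces the "Ed25519 KeyPairGenerator
            // not available" message in the quoted NiFi startup failure.
            return null;
        }
    }

    /** First candidate the active policy allows, or null when none is usable. */
    public static String firstAvailable(List<String> candidates) {
        for (String algorithm : candidates) {
            if (providerFor(algorithm) != null) {
                return algorithm;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        for (String algorithm : CANDIDATES) {
            String provider = providerFor(algorithm);
            System.out.printf("%-8s %s%n", algorithm,
                    provider == null ? "NOT AVAILABLE" : "provided by " + provider);
        }
        System.out.println("Preferred usable algorithm: " + firstAvailable(CANDIDATES));

        // Enumerate every KeyPairGenerator service each installed provider registers,
        // which shows exactly what a system-wide policy such as RHEL FIPS mode left enabled.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyPairGenerator".equals(s.getType())) {
                    System.out.println(p.getName() + ": KeyPairGenerator." + s.getAlgorithm());
                }
            }
        }
    }
}
```

Running this on the affected host should print `Ed25519  NOT AVAILABLE` (and the same for Ed448) while still listing RSA, which is the information David asks for above: it reveals which providers are installed, whether the restriction comes from the provider set or from the `java.security` policy, and confirms that an RSA-based fallback such as PS512 would be accepted before any configuration change is attempted.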



--
This message was sent by Atlassian Jira
(v8.20.10#820010)