[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Alexander Bokovoy via FreeIPA-users
ce via FreeIPA-users < freeipa-users@lists.fedorahosted.org> Reply-To: FreeIPA users list To: FreeIPA users list Cc: Steve Reed , Simo Sorce Subject: [Freeipa-users] Re: FreeIPA and FIPS Date: Mon, 19 Apr 2021 17:08:04 -0400 Hi Steve, On Mon, 2021-04-19 at 19:08 +, Steve Reed via FreeIP

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Ian Willis via FreeIPA-users
orahosted.org> Reply-To: FreeIPA users list To: FreeIPA users list Cc: Steve Reed , Simo Sorce Subject: [Freeipa-users] Re: FreeIPA and FIPS Date: Mon, 19 Apr 2021 17:08:04 -0400 Hi Steve, On Mon, 2021-04-19 at 19:08 +, Steve Reed via FreeIPA-users wrote: > Hi Stephen, > True. I unders

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Simo Sorce via FreeIPA-users
Hi Steve, On Mon, 2021-04-19 at 19:08 +, Steve Reed via FreeIPA-users wrote: > Hi Stephen, > > True. I understand that, but I think we are getting off track to my > original question. Can you run a FIPS FreeIPA server and still have > the clients work with it? It's not necessarily required

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Stephen John Smoogen via FreeIPA-users
On Mon, 19 Apr 2021 at 15:09, Steve Reed via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Stephen, > > True. I understand that, but I think we are getting off track to my > original question. Can you run a FIPS FreeIPA server and still have the > clients work with it? It's

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
In that case, let's save you some additional time: FIPS mode is not beneficial, unless you are contractually required to shoot yourself in the foot and get a FIPS audit done. Aside from that (somewhat obvious) fact, it would be useful for the list if you stated why you want this, and if you kno

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Steve Reed via FreeIPA-users
Hi Stephen, True. I understand that, but I think we are getting off track to my original question. Can you run a FIPS FreeIPA server and still have the clients work with it? It's not necessarily required to have the clients FIPS compliant, but the server must since it has to do the encryptio

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Stephen John Smoogen via FreeIPA-users
On Mon, 19 Apr 2021 at 11:33, Steve Reed via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > So, are you saying that CENTOS is not FIPS compliant? Because there is a > long list of web sites that state that CENTOS and RHEL are FIPS 140-2 > compliant. > > He is talking a

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread John Keates via FreeIPA-users
What Rob (and Alexander) are saying is: your auditor will do an audit and tell you if you are FIPS compliant. While using software in FIPS-compliant mode might reduce the amount of work you'll need to do to be compliant, it's not some sort of labeling procedure where you need to show some specs tha

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Steve Reed via FreeIPA-users
Hi Rob, So, are you saying that CENTOS is not FIPS compliant? Because there is a long list of web sites that state that CENTOS and RHEL are FIPS 140-2 compliant. https://www.google.com/search?q=is+centos+7+fips+compliant&rlz=1C1DKCZ_enUS768US768&oq=Is+Centos+7+FIPS+com&aqs=chrome.0.0j69i57j0i39

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Alexander Bokovoy via FreeIPA-users
On ma, 19 huhti 2021, Steve Reed via FreeIPA-users wrote: I'm just concerned that if FIPS is set on the server, that it will force all clients to use FIPS as well and reject them if they are not FIPS enabled. As Rob pointed out in his response, it is not an easy yes/no answer. FIPS mode is typ

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Rob Crittenden via FreeIPA-users
Steve Reed via FreeIPA-users wrote: > I'm using CENTOS 7. I post to this Fedora site for FreeIPA because I was > told this is the place for these types of questions. I apologize if this is > the wrong place. What he was saying is that FIPS certifications are not transitive, they are for a part

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Steve Reed via FreeIPA-users
I'm just concerned that if FIPS is set on the server, that it will force all clients to use FIPS as well and reject them if they are not FIPS enabled. Thanks, Steve ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe s

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-19 Thread Steve Reed via FreeIPA-users
I'm using CENTOS 7. I post to this Fedora site for FreeIPA because I was told this is the place for these types of questions. I apologize if this is the wrong place.

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-15 Thread Christian Heimes via FreeIPA-users
On 14/04/2021 22.07, Steve Reed via FreeIPA-users wrote: > If I successfully install FreeIPA in FIPS mode, does that mean that all my > clients that call on the server need to be in FIPS mode as well? Or can I > just have the server in FIPS mode and the clients in whatever mode I want? FreeIPA

[Freeipa-users] Re: FreeIPA and FIPS

2021-04-14 Thread Rob Crittenden via FreeIPA-users
Steve Reed via FreeIPA-users wrote: > If I successfully install FreeIPA in FIPS mode, does that mean that all my > clients that call on the server need to be in FIPS mode as well? Or can I > just have the server in FIPS mode and the clients in whatever mode I want? We don't, and currently have