FIPS compliance for the Vertica server

To make Vertica FIPS-compliant, you must:.

To make Vertica FIPS-compliant, you must:

Set the RequireFIPS parameter to 1.
Hash your passwords with SHA-512. See Hash authentication for details.
Generate a signed TLS certificate to establish a secure connection to the client.

RequireFIPS parameter

Vertica sets the RequireFIPS configuration parameter on the server on startup to reflect the state of FIPS on the system: 1 if FIPS is enabled and 0 if FIPS is disabled.

The value of RequireFIPS matches the value of crypto.fips_enabled file.

Vertica sets the RequireFIPS parameter based on the contents of crypto.fips_enabled:

If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.
If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.
If the FIPS state of a node, as determined from the existence of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.

Important

If you attempt to restore a FIPS-enabled node to a non-FIPS cluster, the restore will fail.

Secure client-server connection

It's important to secure client-server connections with TLS. For instructions on setting up client-server TLS, see Configuring client-server TLS.

FIPS-Compliant AWS endpoints

To configure AWS to use a FIPS-compliant S3 Endpoint, set the following S3 parameters:


AWSEndpoint = s3-fips.dualstack.us-east-1.amazonaws.com
S3EnableVirtualAddressing = 1