This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Implementing FIPS 140-2

Implementing FIPS 140-2 on your Vertica Analytic Database requires configuration on the server and client.

Implementing FIPS 140-2 on your Vertica Analytic Database requires configuration on the server and client. While Vertica server uses FIPS-approved algorithms, Vertica clients may be running on non-FIPS-approved systems. Therefore, you must implement FIPS 140-2 compliance from end to end.

For more information on implementing FIPS, see:

1 - FIPS compliance for the Vertica server

To make Vertica FIPS-compliant, you must:.

To make Vertica FIPS-compliant, you must:

  • Set the RequireFIPS parameter to 1.

  • Hash your passwords with SHA-512. See Hash authentication for details.

  • Generate a signed TLS certificate to establish a secure connection to the client.

RequireFIPS parameter

Vertica sets the RequireFIPS configuration parameter on the server on startup to reflect the state of FIPS on the system: 1 if FIPS is enabled and 0 if FIPS is disabled.

The value of RequireFIPS matches the value of crypto.fips_enabled file.

Vertica sets the RequireFIPS parameter based on the contents of crypto.fips_enabled:

  • If the file /proc/sys/crypto/fips_enabled exists and contains a 1 (FIPS-enabled), Vertica sets RequireFIPS to 1.

  • If the file /proc/sys/crypto/fips_enabled does not exist, or exists and contains a 0 (non-FIPS), Vertica automatically sets RequireFIPS to 0.

  • If the FIPS state of a node, as determined from the existence of /proc/sys/crypto/fips_enabled, differs from the state received from the cluster initiator, the node fails. This behavior prevents the creation of clusters of mixed FIPS and non-FIPS systems.

Secure client-server connection

It's important to secure client-server connections with TLS. For instructions on setting up client-server TLS, see Configuring client-server TLS.

FIPS-Compliant AWS endpoints

To configure AWS to use a FIPS-compliant S3 Endpoint, set the following S3 parameters:


AWSEndpoint = s3-fips.dualstack.us-east-1.amazonaws.com
S3EnableVirtualAddressing = 1

2 - Implement FIPS on the client

Vertica provides a FIPS-compliant client driver, which you can install on a FIPS-enabled system.

Vertica provides a FIPS-compliant client driver, which you can install on a FIPS-enabled system. The 64-bit client includes vsql and ODBC drivers.

For information about installing the FIPS client, and installation, refer to the following