FIPS and Globus


Chandin Wilson

Apr 24, 2025, 10:18:01 AM
to dis...@globus.org
Hi All, but particularly the Globus infrastructure folks --

I upgraded a GCS5 endpoint to Rocky 9.5 (Red Hat 9 based), which is now FIPS compliant and enabled by default.

The initial connectivity tests pass -- directory listings in the web interface and such -- but the actual data movement fails (with a fairly opaque openssl error) because the Globus infrastructure isn't FIPS compliant.

This was a real head-scratcher until I figured it out. I was able to downgrade to Rocky 8, but that's not a long-term solution.

What's the plan for getting the Globus infrastructure FIPS compliant?

thanks,

--Chan

Chan Wilson SAIC for NOAA GFDL Toolsmith
General Specialist, Info Tech RDHPCS Security
chandin...@noaa.gov +1-608-216-5689

Michael Link

Apr 24, 2025, 4:24:07 PM
to dis...@globus.org
Hi Chandin,

We have GCS endpoints running successfully on hosts with FIPS enabled.

It looks like for 9.5, enabling FIPS also installs a system crypto
policy that disables the use of the NULL cipher, which is needed for
unencrypted data transfers. Given that restriction, you'll need to
force encryption on your collections. You can do that by passing the
'--force-encryption' option to the collection create/update command.

Let us know if you have any issues with that. We'll make sure to note
this behavior in our documentation.

Mike

Chandin Wilson

Apr 24, 2025, 4:46:37 PM
to ml...@globus.org, dis...@globus.org
AHA!

Excellent, thank you. I shall adjust the collection accordingly.

For documentation and troubleshooting reference sections, the errors reported when logging was cranked up all the way were:

OpenSSL Error: [...] in library: SSL routines, function (null): unsupported
OpenSSL Error: [...] in library: Provider routines, function (null): ems not enabled

cheers,

--Chan
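
An added triage sketch for the situation discussed in this thread (not part of any message above and not Globus code): it reads the kernel FIPS flag and scans a log for the two OpenSSL error texts quoted above, so a failed transfer on a FIPS host points straight at the '--force-encryption' fix. Function names, the log path argument and the sample log are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Only the two error texts come from the thread; everything
# else (function names, sample log) is hypothetical.

# Print "enabled" if the FIPS flag file holds 1, else "disabled".
# $1: flag file (defaults to the standard Linux kernel location).
fips_state() {
    local flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag" ] && [ "$(tr -d '[:space:]' < "$flag")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Count log lines carrying either OpenSSL error text reported in the thread.
# $1: log file to scan. Prints 0 when nothing matches.
count_thread_errors() {
    grep -c -E 'SSL routines, function \(null\): unsupported|Provider routines, function \(null\): ems not enabled' "$1" || true
}

# Combine both signals into one verdict. $1: FIPS flag file, $2: log file.
triage() {
    local state hits
    state="$(fips_state "$1")"
    hits="$(count_thread_errors "$2")"
    if [ "$state" = enabled ] && [ "$hits" -gt 0 ]; then
        echo "force-encryption-likely-needed"   # the fix suggested in the thread
    elif [ "$state" = enabled ]; then
        echo "fips-on-no-matching-errors"
    else
        echo "fips-off"
    fi
}

# Write a constructed sample log to $1 (the "[...]" is elided in the thread
# and is kept elided here).
make_sample_log() {
    cat > "$1" <<'EOF'
constructed: transfer starting
OpenSSL Error: [...] in library: SSL routines, function (null): unsupported
OpenSSL Error: [...] in library: Provider routines, function (null): ems not enabled
constructed: transfer failed
EOF
}
```

On a real host, call triage with /proc/sys/crypto/fips_enabled and the path of the log captured with logging turned up.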