4 FIPS Mode Deployment

To use Oracle Linux Virtualization Manager in Federal Information Processing Standard (FIPS) mode, you must install your operating system with FIPS mode enabled before you install Oracle Linux Virtualization Manager.

You can create a FIPS-enabled bare metal machine by either installing the operating system in FIPS mode or by switching the system into FIPS mode after installing the operating system. See Configuring an Oracle Linux System in FIPS Mode for instructions.

Important:

Enabling FIPS mode while installing the operating system ensures that every key generated on the system uses FIPS-approved algorithms and is covered by the continuous self-tests FIPS mode performs; keys generated before a later switch into FIPS mode do not get that guarantee.

Deploy on a FIPS Enabled System

Whether you are using a standalone or self-hosted engine deployment, ensure FIPS mode is already enabled on every system you want to use for your deployment. To check, run the following command on each system and confirm it reports that FIPS mode is enabled:

# fips-mode-setup --check
FIPS mode is enabled.

Important:

Although FIPS mode can be enabled on any installed Oracle Linux server, Oracle does not support enabling it on a server that already hosts a deployed Engine or KVM host.

Standalone Engine and KVM hosts

Once you have enabled your system for FIPS, follow the Installation and Configuration instructions.

Self-Hosted-Engine

Once you have enabled your system for FIPS, follow the Deploying the Self-Hosted Engine instructions.

At the enable FIPS prompt, answer Yes.

Do you want to enable FIPS? (Yes/No) [No]: Yes

Encrypt VNC Console Connections

When you deploy Oracle Linux Virtualization Manager using FIPS enabled systems, you must ensure VNC console connections are encrypted.

Enable VNC Encryption at Cluster Level

When you have deployed Oracle Linux Virtualization Manager on FIPS enabled systems, you must enable VNC encryption to access virtual machine consoles. Do this at the cluster level:

  1. From the Administration Portal, go to Compute > Clusters.
  2. Edit the Cluster where you want to enable VNC Encryption.
  3. Click on the Console tab on the left.
  4. Check the Enable VNC Encryption checkbox and then click OK.

Reinstall KVM Host

After enabling VNC encryption, you are prompted to reinstall the KVM host, which applies all the required options to enable the VNC encrypted console connection.

Note:

On all hosts assigned to the self-hosted engine, from the Reinstall dialog go to the Hosted-Engine tab and select Deploy.

  1. From the Administration Portal, go to Compute > Hosts.
  2. Select a host to configure, click Management, and then click Maintenance.
  3. Click Installation.
  4. Select Reinstall and uncheck "Reboot host after installation".
  5. Click OK.

Run VNC SASL Ansible Playbook on KVM Hosts

To apply the playbook, every target KVM host must be in Maintenance mode. You can run the playbook on more than one host at a time: add each KVM host to be configured to the hosts inventory file in the project directory (not /etc/hosts), one host per line.

  1. From the Administration Portal, go to Compute > Hosts.
  2. Select the host you want to configure, click Management, and then click Maintenance.
  3. SSH into the Engine server.
  4. Ansible tries to find the best Python interpreter to use. Set it to /usr/bin/python3 to avoid errors, then run the ovirt-vnc-sasl.yml playbook:
    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
     
    # sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
     
    # echo "IP-OR-HOSTNAME" > hosts
     
    # ansible-playbook --ask-pass --inventory=hosts ovirt-vnc-sasl.yml

    Full output example:

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
     
    # echo "192.168.0.102" > hosts
     
    # sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
     
    # ansible-playbook --ask-pass --inventory=hosts ovirt-vnc-sasl.yml
    SSH password:
     
    PLAY [all] *********************************************************************
     
    TASK [Gathering Facts] *********************************************************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Create SASL QEMU config file] ****************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Use saslpasswd2 to create file with dummy user] ***
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Set ownership of the password db] ************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Modify qemu config file - enable VNC SASL authentication] ***
    ok: [192.168.0.102]
     
    PLAY RECAP *********************************************************************
     
    192.168.0.102 : ok=5 changed=5  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0

Note:

You might receive the following error message when running the ovirt-vnc-sasl.yml playbook:
ERROR! The requested handler 'populate service facts and restart libvirtd' was not found in either the main handlers list nor in the listening handlers list

This error occurs when Ansible auto-detects the wrong Python interpreter for the host. To fix it, add the interpreter_python option to the ansible.cfg file in the project directory and then rerun the playbook so that all tasks complete.

# cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
 
# sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
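The following script is an added example, not code from the Oracle documentation or the oVirt project. It wraps the FIPS check from "Deploy on a FIPS Enabled System" and the playbook procedure above into functions with the checks a practitioner wants around them: it refuses to run unless the Engine itself is in FIPS mode, it adds interpreter_python under [defaults] only once (the one-line sed in the text appends a fresh line every time it is run), it builds the inventory from the command line while rejecting blank, malformed and duplicate hosts, and it verifies the host-side result. Assumptions: GNU sed as shipped with Oracle Linux, and that the playbook's last task sets the libvirt option vnc_sasl = 1 in /etc/libvirt/qemu.conf; every function takes its file path as an argument so it can be exercised against scratch files.

```shell
#!/bin/sh
# Added example, not Oracle or oVirt code. Stages the ansible-runner-service
# project for the ovirt-vnc-sasl.yml run and checks the surrounding state.
# Assumptions: GNU sed; the playbook sets vnc_sasl = 1 in /etc/libvirt/qemu.conf.
set -eu

PROJECT_DIR=/usr/share/ovirt-engine/ansible-runner-service-project/project
PLAYBOOK=ovirt-vnc-sasl.yml
INTERPRETER=/usr/bin/python3

# fips_enabled FILE: succeeds if FILE (normally /proc/sys/crypto/fips_enabled)
# contains "1", the kernel-side flag that fips-mode-setup --check consults.
fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# set_interpreter_python CFG: insert "interpreter_python = $INTERPRETER" after
# the [defaults] header unless CFG already sets it. Fails if CFG has no
# [defaults] section, since the sed would then silently change nothing.
set_interpreter_python() {
    cfg=$1
    if grep -Eq '^[[:space:]]*interpreter_python[[:space:]]*=' "$cfg"; then
        return 0                        # already configured; leave the file alone
    fi
    grep -Eq '^\[defaults\]' "$cfg" || return 1
    # Same sed form as the documentation: "a" appends the text after the match,
    # and -i.orig keeps a backup of the untouched file.
    sed -ri.orig "/^\[defaults\]/ainterpreter_python = $INTERPRETER" "$cfg"
}

# write_inventory FILE HOST...: write one host per line. Fails, writing nothing,
# on an empty list, a duplicate, or anything that is not an IP or hostname.
write_inventory() {
    inv=$1; shift
    [ "$#" -gt 0 ] || return 1
    tmp=$(mktemp "${TMPDIR:-/tmp}/inventory.XXXXXX")
    for h in "$@"; do
        case "$h" in
            ''|*[!A-Za-z0-9.:-]*) rm -f "$tmp"; return 1 ;;
        esac
        if grep -Fxq "$h" "$tmp"; then
            rm -f "$tmp"; return 1
        fi
        printf '%s\n' "$h" >>"$tmp"
    done
    mv "$tmp" "$inv"
}

# vnc_sasl_enabled QEMU_CONF: succeeds only if an uncommented "vnc_sasl = 1"
# line is present. Run on each KVM host (file /etc/libvirt/qemu.conf) after the
# playbook, before taking the host out of Maintenance.
vnc_sasl_enabled() {
    grep -Eq '^[[:space:]]*vnc_sasl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# run_playbook HOST...: the full procedure from the text, run on the Engine.
run_playbook() {
    if ! fips_enabled /proc/sys/crypto/fips_enabled; then
        echo "refusing to run: the Engine is not in FIPS mode" >&2
        return 1
    fi
    cd "$PROJECT_DIR"
    set_interpreter_python ansible.cfg
    write_inventory hosts "$@"
    ansible-playbook --ask-pass --inventory=hosts "$PLAYBOOK"
}

# Act only when invoked as:  sh vnc_sasl_stage.sh run HOST [HOST...]
if [ "${1:-}" = run ]; then
    shift
    run_playbook "$@"
fi
```

Run it on the Engine as `sh vnc_sasl_stage.sh run 192.168.0.102 kvm2.example.com` after putting those hosts into Maintenance; the ansible-playbook call still prompts for the SSH password exactly as in the text. The vnc_sasl_enabled check is meant to be copied to each KVM host and run against /etc/libvirt/qemu.conf before the host is activated again.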