FIPS 140-2 enabled PE
Puppet Enterprise (PE) is available in a FIPS (Federal Information Processing Standard) 140-2 enabled version. This version is compatible with select third party FIPS-compliant platforms.
To install FIPS-enabled PE, install the appropriate FIPS-enabled primary server or agent package on a Supported operating system with FIPS mode enabled. Primary and compiler nodes must be configured with sufficient available entropy for the installation process to succeed.
Changes in FIPS-enabled PE installations
- All components are built and packaged against system OpenSSL for the primary server, or against OpenSSL built in FIPS mode for agents.
- All use of MD5 hashes for security has been eliminated and replaced.
- Forge and module tooling use SHA-256 hashes to verify the identity of modules.
- Proper random number generation devices are used on all platforms.
- All Java and Clojure components use FIPS Bouncy Castle encryption providers on FIPS-compliant platforms.
Limitations and cautions for FIPS-enabled PE installations
A FIPS-enabled primary server supports only FIPS-enabled agents. Non-FIPS agents are not compatible with FIPS-enabled PE.
A Non-FIPS primary server supports both non-FIPS agents and FIPS-enabled agents.
- Migrating from non-FIPS versions of PE to FIPS-enabled PE requires reinstalling on a supported platform with FIPS mode enabled.
- FIPS-enabled PE installations don't support extensions
or modules that use the standard Ruby Open SSL library,
such as hiera-eyaml. As a workaround, you can use a non-FIPS-enabled primary server with
FIPS-enabled agents, which limits the issue to situations where only the primary uses
the Ruby library. This limitation does not apply to
versions 1.1.0 and later of the
splunk_hecmodule, which supports FIPS-enabled servers. The FIPS Mode section of the module's Forge page explains the limitations of running this module in a FIPS environment.