OpenShift Container Platform 3.x Overview
OpenShift Container Platform 3.x has not undergone Common Criteria certification. A future certification against the NIAP Protection Profile for Application Software is being considered.
To help Red Hat track demand for a Common Criteria certification of OpenShift Container Platform 3.x, please open a customer support case requesting an evaluation.
Federal Information Processing Standard 140-2 is a legal requirement ensuring cryptographic tools implement algorithms properly. Vendors must certify their cryptographic implementations through NIST’s Cryptographic Module Validation Program.
FIPS 140-2 validation does not constitute an entire product. Rather, underlying cryptographic subsystems or components, such as OpenSSL and OpenSSH, are validated.
When OpenShift Container Platform 3.x runs on Red Hat Enterprise Linux 7.x, the following FIPS 140-2 validations are retained:
|Red Hat Enterprise Linux 7.x||OpenSSL||5.0||#3016||ACTIVE||9/14/2022|
|Red Hat Enterprise Linux 7.x||OpenSSH Client||5.0||#3067||ACTIVE||11/26/2022|
|Red Hat Enterprise Linux 7.x||OpenSSH Server||5.0||#3063||ACTIVE||11/13/2022|
|Red Hat Enterprise Linux 7.x||Libreswan||5.0||#3083||ACTIVE||12/18/2022|
|Red Hat Enterprise Linux 7.x||GnuTLS||5.0||#3012||ACTIVE||9/7/2022|
|Red Hat Enterprise Linux 7.x||libgcrypt||5.0||#2657||ACTIVE||6/12/2021|
|Red Hat Enterprise Linux 7.x||NSS||5.0||#3070||ACTIVE||2/7/2023|
Known Issues with FIPS 140-2 Enablement
In OpenShift 3.10 and earlier, OpenShift utilized Golang-provided cryptographic libraries which have not undergone FIPS 140 validations. A potential mitigation was to use Opportunistic IPSec which encapsulates all traffic in FIPS 140-2 validated OpenSSL tunnels (meeting the requirement for encryption in transit). Note this would encapsulate all traffic internal to the OpenShift environment, and would not protect external ingress/egress of traffic to the OpenShift environment itself.
OpenShift 3.11 and later was patched to use OpenSSL libraries provided by Red Hat Enterprise Linux.
USGv6 / IPv6
OpenShift Container Platform 3.x does not have any US Government IPv6 certifications.
Section 508 / VPAT
A NIST National Checklist for OpenShift Container Platform 3.x is currently being developed. Contact your Red Hat representative for pre-release access!
To assist with risk management decisions, a listing of known OpenShift limitations against NIST 800-53 rev4 controls is provided below. Limitations are categorized as high/medium/low severity in alignment with DISA’s Vulnerability Severity Category Code Definitions:
|Severity Definition||DISA Category Code Guidelines|
|HIGH (CAT I)||Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.|
|MEDIUM (CAT II)||Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.|
|LOW (CAT III)||Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.|
The following are known limitations of OpenShift 3.x’s ability to meet NIST 800-53 rev4 technical controls:
|NIST 800-53 Control||Risk Determination||Description/Rationale|
|AC-7(b)||LOW||AC-7(b) requires that, upon exceeding consecutive failed logon attempt limits, the information system delays the next logon prompt by a selected amount of time. This capability is not present in OpenShift 3.x nor is it planned. The risk of Denial of Service attacks is mitigated through network settings, such as rate limiting through firewall configuration settings. If this capability is meaningful for your deployment, please open a feature request through your Red Hat account team.|