A Wolfi-based image tailored for ZooKeeper, incorporating the required Bouncy Castle FIPS modules (bcfips) so that ZooKeeper can operate in FIPS mode.
Both OpenJDK and ZooKeeper have been configured to use the Bouncy Castle FIPS API at their core. The included bcfips module is validated to FIPS 140-2 under FIPS certificate 4616.
If SASL authentication is enabled, ZooKeeper defaults to DIGEST-MD5, which is not FIPS compliant. Instead, configure ZooKeeper to use mTLS, or GSSAPI with Kerberos, for authentication. Note that the Kerberos KDC will also need to be configured to run with FIPS-approved algorithms.
This image is equipped with the essential components for ZooKeeper to operate in FIPS mode. However, it's important for users to ensure they use it in line with FIPS compliance standards.
This includes tasks such as KeyStore generation, configuration, and launching ZooKeeper with the correct configuration parameters. More guidance is provided in the sections below.
ZooKeeper requires a bcfips-compatible KeyStore to hold its TLS private key and certificates.
Although ZooKeeper supports several KeyStore types, only BCFKS can be used when bcfips runs in approved (strict) mode, which ensures that only approved algorithms are used.
Refer to the official documentation for information on how to create and configure a KeyStore.
Note: The KeyStore must be generated on a separate image, because keytool will not run while bcfips is in approved mode. keytool is hard-coded to pass a new SecureRandom(), which always fails the approved-RNG check. The generated KeyStore nevertheless uses FIPS-compliant algorithms and will operate correctly in a FIPS-enabled environment.
Below is an example, using a wolfi-base container, of generating a BCFKS KeyStore:
To deploy ZooKeeper FIPS using Helm, open a terminal and run the following command:
For additional configuration options provided by the chart, see Bitnami's documentation.
The KeyStore will need to be passed through as a volume (via extraVolumes), and TLS will need to be configured to match your environment.
Alternatively, ZooKeeper FIPS can be deployed with Docker. Create a config file for ZooKeeper:
This uses a standard ZooKeeper configuration with the KeyStore type (ssl.keyStore.type) set to BCFKS. In this example, the KeyStore path (ssl.keyStore.location) is /usr/share/java/zookeeper/conf/server.keystore.
Run it with Docker:
Where <YOUR PORT> is the port on the host you'd like to forward to. Note that if you've configured a secure port (secureClientPort) for ZooKeeper FIPS, you'll forward that instead of the standard client port.
ZooKeeper will likely need additional configuration depending on your environment. For more resources, please see ZooKeeper's admin guide.
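The following script is an added example and is not code from the Chainguard page or the ZooKeeper project. It walks the procedure above end to end: it generates a BCFKS KeyStore on a throwaway wolfi-base container (where bcfips runs in its default, non-approved mode, so keytool works), writes a zoo.cfg that points ZooKeeper at that KeyStore with the type set to BCFKS, and assembles the docker run command for the zookeeper-fips image, forwarding the secure port rather than 2181. The image references (cgr.dev/chainguard/wolfi-base, cgr.dev/chainguard/zookeeper-fips), the Wolfi package names and the path of the bc-fips jar, the location of zoo.cfg inside the image, the secure port 2281, the dataDir, and the 14-character (112-bit) minimum password length for approved mode are all assumptions not stated on the page; every one is marked ASSUMED in the code and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the Chainguard page or the ZooKeeper project).
# End-to-end helper for the procedure above: generate a BCFKS KeyStore on a plain
# wolfi-base container, write a zoo.cfg that uses it, and run zookeeper-fips.
# Everything tagged ASSUMED is not stated on the page; adjust to your environment.
set -eu

WOLFI_BASE="${WOLFI_BASE:-cgr.dev/chainguard/wolfi-base:latest}"          # ASSUMED image ref
ZK_FIPS_IMAGE="${ZK_FIPS_IMAGE:-cgr.dev/chainguard/zookeeper-fips:latest}" # ASSUMED image ref
JDK_PKG="${JDK_PKG:-openjdk-17-default-jvm}"                               # ASSUMED Wolfi package
BCFIPS_PKG="${BCFIPS_PKG:-bouncycastle-fips}"                              # ASSUMED Wolfi package
BCFIPS_JAR="${BCFIPS_JAR:-/usr/share/java/bouncycastle-fips/bc-fips.jar}"  # ASSUMED jar location
BCFIPS_PROVIDER="org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider" # provider class in bc-fips
ZK_CONF_DIR="/usr/share/java/zookeeper/conf"   # KeyStore directory used on the page
SECURE_PORT="${SECURE_PORT:-2281}"             # ASSUMED: ZooKeeper's conventional TLS port

# bcfips in approved mode rejects short BCFKS passwords (the page shows this with
# "1234"). ASSUMED threshold: 112 bits, i.e. 14 characters.
MIN_KEYSTORE_PASSWORD_CHARS=14

# Returns 0 when the password is long enough for approved mode, 1 otherwise.
keystore_password_ok() {
  [ "${#1}" -ge "$MIN_KEYSTORE_PASSWORD_CHARS" ]
}

# Creates <host dir>/server.keystore (BCFKS, RSA-2048, self-signed) inside a
# throwaway wolfi-base container. keytool loads bcfips via -providerclass and
# -providerpath but NOT in approved mode, which is why this cannot run inside
# zookeeper-fips; the resulting store is still a valid BCFKS store that
# zookeeper-fips can open in approved mode afterwards.
gen_keystore() {  # $1 = host output directory, $2 = KeyStore password
  if ! keystore_password_ok "$2"; then
    echo "KeyStore password must be at least $MIN_KEYSTORE_PASSWORD_CHARS chars for approved mode" >&2
    return 1
  fi
  docker run --rm -v "$1:/work" -w /work \
    -e STOREPASS="$2" -e PKGS="$JDK_PKG $BCFIPS_PKG" \
    -e PROVIDER="$BCFIPS_PROVIDER" -e JAR="$BCFIPS_JAR" \
    "$WOLFI_BASE" sh -c '
      apk add --no-cache $PKGS &&
      keytool -genkeypair -alias zookeeper -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=zookeeper" -keystore server.keystore -storetype BCFKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -providerclass "$PROVIDER" -providerpath "$JAR"'
}

# Writes a minimal zoo.cfg: standard settings plus TLS on secureClientPort (Netty is
# required for TLS) with the KeyStore type forced to BCFKS. The same store doubles as
# the trust store in this single-node example; use a CA-backed trust store for real
# deployments. dataDir is an ASSUMED writable path, not a production choice.
write_zoo_cfg() {  # $1 = output path, $2 = KeyStore password
  cat > "$1" <<EOF
tickTime=2000
dataDir=/tmp/zookeeper
clientPort=2181
secureClientPort=$SECURE_PORT
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.type=BCFKS
ssl.keyStore.location=$ZK_CONF_DIR/server.keystore
ssl.keyStore.password=$2
ssl.trustStore.type=BCFKS
ssl.trustStore.location=$ZK_CONF_DIR/server.keystore
ssl.trustStore.password=$2
EOF
}

# Prints the docker run command. The secure port is forwarded, not 2181, and both
# zoo.cfg and the KeyStore are mounted into the conf directory (zoo.cfg location ASSUMED).
docker_run_cmd() {  # $1 = host port, $2 = host directory holding zoo.cfg and server.keystore
  printf 'docker run -d --name zookeeper-fips -p %s:%s -v %s/zoo.cfg:%s/zoo.cfg -v %s/server.keystore:%s/server.keystore %s\n' \
    "$1" "$SECURE_PORT" "$2" "$ZK_CONF_DIR" "$2" "$ZK_CONF_DIR" "$ZK_FIPS_IMAGE"
}

main() {  # usage: sh zk-fips.sh <host port> <KeyStore password>
  workdir="$(mktemp -d)"
  gen_keystore "$workdir" "$2"
  write_zoo_cfg "$workdir/zoo.cfg" "$2"
  cmd="$(docker_run_cmd "$1" "$workdir")"
  echo "$cmd"
  eval "$cmd"
}

# Only act when called with both arguments, so the functions can also be sourced.
if [ $# -eq 2 ]; then
  main "$@"
fi
```

Run it as `sh zk-fips.sh <YOUR PORT> <KeyStore password>`. Passing a short password such as 1234 is rejected before keytool runs, mirroring the check that bcfips itself performs once ZooKeeper opens the store in approved mode; the container invocation is left to fail loudly if docker, the packages or the jar path differ from the assumptions above.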
ZooKeeper itself does not log anything that indicates it is running in FIPS mode. However, the BC FIPS libraries should be visible in the startup output, for example in the logged classpath.
You can check that bcfips is enforcing minimum password lengths by running the container with a non-compliant ZooKeeper KeyStore password, such as 1234:
Error Message:
Solution: The error indicates that a KeyStore was detected, but there was an issue parsing it. Usually this means that the password used to create the KeyStore does not match what was provided to ZooKeeper.
Error Message:
Solution: This is expected whenever ZooKeeper is running in strict (approved) mode for FIPS. Choose a KeyStore password which is compliant.
Chainguard Images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" version of this image:
Apache-2.0
BSD-3-Clause
CC-PDDC
FTL
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-or-later
For a complete list of licenses, please refer to this Image's SBOM.
This is a FIPS validated image for FedRAMP compliance.
This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.