.. _security-compliance:

Security Compliance
===================

|cp| supports the following compliance certifications.

HIPAA
    Confluent is HIPAA-ready and can provide a Business Associate Agreement (BAA) in support of your protected healthcare data.
SSAE 18 SOC 2
    Confluent contracts annually with qualified external audit teams to provide an industry recognized review of our
    security controls environment.  This report is available upon request.  

For more information, contact the |cp| support team at `support@confluent.io <mailto:support\@confluent.io>`_.

.. _fips-operational-readiness:

Confluent Platform FIPS operational readiness
---------------------------------------------

The Federal Information Processing Standard (`FIPS <https://www.nist.gov/itl/current-fips>`_) 
is a U.S. government computer security standard (using FIPS 140-1, FIPS 140-2, and FIPS PUB 140-2) 
used to validate and certify software cryptographic modules. 

While |cp| is not FIPS-certified, it provides additional FIPS-compliant
cipher enforcement at the |ak| broker level. |cp| distributes
a Bouncy Castle FIPS JSSE Security Provider that leverages the Bouncy Castle
JSSE Provider FIPS extensions, which enables a second level of cipher enforcement at 
the broker level (beyond settings defined in ``ssl.cipher.suites``), and reject 
non-compliant incoming and outgoing broker connections. Refer to 
`Appendix B – Supported Cipher Suites <https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf>`_ 
for a complete list of supported cipher suites. 

When running |cp| in FIPS-enabled mode, the cryptographic use of the following 
technologies will run only using FIPS-compliant ciphers:

* Brokers, consumers, and producers using FIPS JSSE provider
* JVM using FIPS JSSE provider

Any cipher suites for TLS connections from KSQL, |kconnect|, |c3|, or |sr| to a broker 
are enforced by the broker.

The Confluent CLI for :ref:`secrets` protection implements encryption and key 
generation using a crypto library that is not FIPS-compliant. However, the decryption
function is implemented in Java on the broker side, so the decryption algorithm
is FIPS-compliant as long as the broker is configured in FIPS operational 
readiness mode.

Prerequisites
^^^^^^^^^^^^^

* OS: `RHEL 7.x and later <https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux>`_.
* Enable `FIPS mode on RHEL 7.x or later <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations>`_. 
* Use FIPS-certified provider `Bouncy Castle (BC) version 1.0.2 <https://www.bouncycastle.org/fips-java/>`_, which provides crypto cipher suites for TLS communication and encryption/decryption 
  service (provided as part of the distribution).
* Run FIPs-compliant cryptographic libraries and SSL encryption over the wire for 
  all communications, which means you must configure |cp| with SSL communications 
  for all publish/subscribe client-to-broker and component-to-broker communications.
  The default keystore format is JKS, which is not a standardized format and is 
  deprecated and not supported by FIPS providers. The BC FIPS provider supports 
  two types of keystore formats: PKCS12 and BCFKS. However, only the BCFKS key 
  store is designed to be FIPS-compliant. You must either :ref:`create a BCFKS 
  format keystore <create-keystore-using-bcfks>`, or convert JKS or PKCS12 to BCFKS, 
  which is a standardized and language-neutral way of storing encrypted private
  keys and certificates.  
  
  The following configuration example is not specific to FIPS or a new configuration;
  rather, it shows the specific use case to configure TLS so that it includes 
  the BCFKS keystore for TLS communication:
  
  ::
  
    ssl.keymanager.algorithm=PKIX
    ssl.trustmanager.algorithm=PKIX
    ssl.keystore.type=BCFKS
    ssl.truststore.type=BCFKS
    ssl.truststore.location=<path-to-ssl-truststore>
    ssl.truststore.password=<ssl-truststore-password>
    ssl.keystore.location=<path-to-ssl-keystore>
    ssl.keystore.password=<ssl-keystore-password>
    ssl.key.password= <ssl-key-password>
    
* MDS provides additional FIPS-compliant cipher enforcement 
  over HTTPS communication to and from MDS. The following example 
  shows an MDS configuration for FIPS-compliance:

  ::
 
    confluent.metadata.server.ssl.keystore.type=BCFKS
    confluent.metadata.server.ssl.keymanager.algorithm=PKIX
    confluent.metadata.server.ssl.keystore.location=kafka.server.keystore.bcfks
    confluent.metadata.server.ssl.keystore.password=
    confluent.metadata.server.ssl.key.password=    

.. _convert-pkcs12-to-bcfks:

Converting from PKCS12 to BCFKS 
"""""""""""""""""""""""""""""""

If you are using the PKCS12 store, convert to use the BCFKS store by entering the following command:

::

   keytool -importkeystore -v -srckeystore kafka.server.keystore.pk12 -srcstoretype PKCS12 -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -destkeystore kafka.server.keystore.bcfks -deststoretype BCFKS

    
.. _create-keystore-using-bcfks:

Configuring keys and certificates using BCFKS
"""""""""""""""""""""""""""""""""""""""""""""

:ref:`generating_keys_certs` provides the steps to configure a keystore and 
generate a certificate. When using BCFKS, the steps are the same, but the 
configuration is different because you must add the ``storetype``, ``providerpath``, 
and ``providerclass``. Your configuration should resemble the following example:

::

   keytool -keystore kafka.server.keystore.bcfks -alias localhost -validity 720 -genkeypair -keyalg RSA -keysize 2048 -storepass testfips -keypass testfips -storetype BCFKS -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -dname CN=localhost -ext SAN=DNS:localhost
   openssl req -new -x509 -keyout ca-key -out ca-cert -days 720
   keytool -keystore kafka.client.truststore.bcfks -storetype BCFKS -alias CARoot -import -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   keytool -keystore kafka.server.truststore.bcfks -storetype BCFKS -alias CARoot -importcert -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   keytool -keystore kafka.server.keystore.bcfks -alias localhost -storepass testfips -keypass testfips -storetype BCFKS -certreq -file cert-file -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 720 -CAcreateserial -passin pass:testfips
   keytool -keystore kafka.server.keystore.bcfks -storetype BCFKS -alias CARoot -import -file ca-cert -storepass testfips -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   cat ca-cert cert-signed > cert
   keytool -keystore kafka.server.keystore.bcfks -storetype BCFKS -storepass testfips -alias localhost -import -file cert -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider         

.. _configure-cp-for-fips:

Configuring |cp| for FIPS operational readiness
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To configure |cp| brokers, consumers, and producers for FIPS operational readiness, 
specify the following options in ``server.properties``:
 
::
 
  enable.fips=true
  security.providers=io.confluent.kafka.security.fips.provider.BcFipsProviderCreator,io.confluent.kafka.security.fips.provider.BcFipsJsseProviderCreator
  # Only TLS version 1.2 is supported.
  ssl.enabled.protocol=TLSv1.2 
  
.. note::

   |cp| uses ``ssl.enabled.protocol=TLSv1.3`` by default. Do not accept the 
   default value because it is not supported for FIPS operational readiness.  

The ``security.providers`` option configures |ak| brokers to use a list of JCE 
provider creators. The |ak| broker creates a list of security JCE providers (which 
at runtime take precedence over any other providers). Bouncy Castle is the only 
supported FIPS provider. If you do not specify Bouncy Castle, then you are 
responsible for providing a FIPS-compliant cipher suite and/or libraries.

If you choose not to configure cipher suites, then those values will 
be determined by the Bouncy Castle provider. 
    
.. important::
        
    You must enable TLS over-the-wire encryption when FIPS mode is enabled. Also,
    |cp| will not start if the TLS version and cipher suites specified are not FIPS-compliant.
    
.. _verify-rhel-fips:

Verifing that RHEL is running in FIPS mode
""""""""""""""""""""""""""""""""""""""""""

Run the following command to verify that RHEL is running in FIPS operational 
readiness mode: 

::

  cat /proc/sys/crypto/fips_enabled
  sysctl crypto.fips_enabled   

Your output should resemble:

::

  cat /proc/sys/crypto/fips_enabled
  1 
  sysctl crypto.fips_enabled 
  crypto.fips_enabled = 1
  
You can also confirm that the |ak| broker is running in FIPS mode by viewing 
the broker ``server.log``:

::

  FIPS mode is enabled: true
  
If you enabled FIPS operational readiness mode, but failed to specify a valid 
TLS version (only version 1.2 is supported), the output is similar to the following:

::

   [2019-10-05 17:26:18,261] ERROR FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0 (bigcompany.kafka.security.fips.FipsValidator)
   [2019-10-05 17:26:18,261] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
   bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsVersionException: FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0  
   
If you enabled FIPS operational readiness mode, but specified a unsupported cipher 
suite, the output is similar to the following:

::

   [2019-10-22 13:27:01,852] ERROR FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA (bigcompany.kafka.security.fips.FipsValidator)
   [2019-10-22 13:27:01,852] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
   bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsCipherSuiteException: FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA   
   
.. _export-cert-from-keystore:

Export the public certificate from the keystore 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 

To export the public certificate and use it for HTTPS clients (such as curl):

::

   keytool -exportcert -rfc -file kafka.server.keystore.cer -alias localhost -keystore kafka.server.keystore.bcfks -storetype bcfks -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /Users/fips-user/tmp/ssl/bcfks/bc-fips-1.0.2.jar -storepass testfips