Security Compliance

Confluent Platform supports the following compliance certifications.

HIPAA
Confluent is HIPAA-ready and can provide a Business Associate Agreement (BAA) in support of your protected healthcare data.
SSAE 18 SOC 2
Confluent contracts annually with qualified external audit teams to provide an industry recognized review of our security controls environment. This report is available upon request.

For more information, contact the Confluent Platform support team at support@confluent.io.

Confluent Platform FIPS operational readiness

The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard (using FIPS 140-1, FIPS 140-2, and FIPS PUB 140-2) used to validate and certify software cryptographic modules.

While Confluent Platform is not FIPS-certified, it provides additional FIPS-compliant cipher enforcement at the Kafka broker level. Confluent Platform distributes a Bouncy Castle FIPS JSSE Security Provider that leverages the Bouncy Castle JSSE Provider FIPS extensions, which enables a second level of cipher enforcement at the broker level (beyond settings defined in ssl.cipher.suites), and reject non-compliant incoming and outgoing broker connections. Refer to Appendix B – Supported Cipher Suites for a complete list of supported cipher suites.

When running Confluent Platform in FIPS-enabled mode, the cryptographic use of the following technologies will run only using FIPS-compliant ciphers:

  • Brokers, consumers, and producers using FIPS JSSE provider
  • JVM using FIPS JSSE provider

Any cipher suites for TLS connections from ksqlDB, Connect, Confluent Control Center, or Schema Registry to a broker are enforced by the broker.

The Confluent CLI for Secrets protection implements encryption and key generation using a crypto library that is not FIPS-compliant. However, the decryption function is implemented in Java on the broker side, so the decryption algorithm is FIPS-compliant as long as the broker is configured in FIPS operational readiness mode.

Prerequisites

  • OS: RHEL 7.x and later.

  • Enable FIPS mode on RHEL 7.x or later.

  • Use FIPS-certified provider Bouncy Castle (BC), which provides crypto cipher suites for TLS communication and encryption/decryption service (provided as part of the distribution).

  • Run FIPs-compliant cryptographic libraries and SSL encryption over the wire for all communications, which means you must configure Confluent Platform with SSL communications for all publish/subscribe client-to-broker and component-to-broker communications. The default keystore format is JKS, which is not a standardized format and is deprecated and not supported by FIPS providers. You must either create a PKCS12 format keystore, or convert JKS to PKCS12, which is a standardized and language-neutral way of storing encrypted private keys and certificates.

    The following configuration example is not specific to FIPS or a new configuration; rather, it shows the specific use case to configure TLS so that it includes the PKCS12 keystore for TLS communication:

    ssl.keymanager.algorithm=PKIX
    ssl.trustmanager.algorithm=PKIX
    ssl.keystore.type=PKCS12
    ssl.truststore.type=PKCS12
    ssl.truststore.location=<path-to-ssl-truststore>
    ssl.truststore.password=<ssl-truststore-password>
    ssl.keystore.location=<path-to-ssl-keystore>
    ssl.keystore.password=<ssl-keystore-password>
    ssl.key.password= <ssl-key-password>
    
  • MDS provides additional FIPS-compliant cipher enforcement over HTTPS communication to and from MDS. The following example shows an MDS configuration for FIPS-compliance:

    confluent.metadata.server.ssl.keystore.type=PKCS12
    confluent.metadata.server.ssl.keymanager.algorithm=PKIX
    confluent.metadata.server.ssl.keystore.location=kafka.server.keystore.pk12
    confluent.metadata.server.ssl.keystore.password=
    confluent.metadata.server.ssl.key.password=
    

Configuring keys and certificates using PKCS12

Creating SSL Keys and Certificates provides the steps to configure a keystore and generate a certificate. When using PKCS12, the steps are the same, but the configuration is different because you must add the storetype, providerpath, and providerclass. Your configuration should resemble the following example:

keytool -keystore kafka.server.keystore.pk12 -alias localhost -validity 720 -genkeypair -keyalg RSA -keysize 2048 -storepass testfips -keypass testfips -storetype pkcs12 -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -dname CN=localhost -ext SAN=DNS:localhost
openssl req -new -x509 -keyout ca-key -out ca-cert -days 720
keytool -keystore kafka.client.truststore.pk12 -storetype pkcs12 -alias CARoot -import -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore kafka.server.truststore.pk12 -storetype pkcs12 -alias CARoot -importcert -file ca-cert -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore kafka.server.keystore.pk12 -alias localhost -storepass testfips -keypass testfips -storetype pkcs12 -certreq -file cert-file -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 720 -CAcreateserial -passin pass:testfips
keytool -keystore kafka.server.keystore.pk12 -storetype pkcs12 -alias CARoot -import -file ca-cert -storepass testfips -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
keytool -keystore kafka.server.keystore.pk12 -storetype pkcs12 -storepass testfips -alias localhost -import -file cert-signed -providerpath /Users/fips-user/tmp/ssl/bcpkcs12/bc-fips-1.0.1.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

Configuring Confluent Platform for FIPS operational readiness

To configure Confluent Platform brokers, consumers, and producers for FIPS operational readiness, specify the following options in server.properties:

enable.fips=true
security.providers=io.confluent.kafka.security.fips.provider.BcFipsProviderCreator,io.confluent.kafka.security.fips.provider.BcFipsJsseProviderCreator
# Only TLS version 1.2 is supported.
ssl.enabled.protocol=TLSv1.2

The security.providers option configures Kafka brokers to use a list of JCE provider creators. The Kafka broker creates a list of security JCE providers (which at runtime take precedence over any other providers). Bouncy Castle is the only supported FIPS provider. If you do not specify Bouncy Castle, then you are responsible for providing a FIPS-compliant cipher suite and/or libraries.

If you choose not to configure cipher suites, then those values will be determined by the Bouncy Castle provider.

Important

You must enable TLS over-the-wire encryption when FIPS mode is enabled. Also, Confluent Platform will not start if the TLS version and cipher suites specified are not FIPS-compliant.

Verifing that RHEL is running in FIPS mode

Run the following command to verify that RHEL is running in FIPS operational readiness mode:

cat /proc/sys/crypto/fips_enabled
sysctl crypto.fips_enabled

Your output should resemble:

cat /proc/sys/crypto/fips_enabled
1
sysctl crypto.fips_enabled
crypto.fips_enabled = 1

You can also confirm that the Kafka broker is running in FIPS mode by viewing the broker server.log:

FIPS mode is enabled: true

If you enabled FIPS operational readiness mode, but failed to specify a valid TLS version (only version 1.2 is supported), the output is similar to the following:

[2019-10-05 17:26:18,261] ERROR FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0 (bigcompany.kafka.security.fips.FipsValidator)
[2019-10-05 17:26:18,261] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsVersionException: FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.0

If you enabled FIPS operational readiness mode, but specified a unsupported cipher suite, the output is similar to the following:

[2019-10-22 13:27:01,852] ERROR FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA (bigcompany.kafka.security.fips.FipsValidator)
[2019-10-22 13:27:01,852] ERROR Fatal error during SupportedServerStartable startup. Prepare to shutdown (bigcompany.support.metrics.SupportedKafka)
bigcompany.kafka.security.fips.exceptions.InvalidFipsTlsCipherSuiteException: FIPS 140-2 Configuration Error, invalid cipher suites: TLS_DHE_DSS_WITH_AES_96_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_96_CBC_SHA