Security Compliance in Confluent for Kubernetes

Federal Information Processing Standard (FIPS) 140-2

The Federal Information Processing Standard (FIPS) 140-2 defines the security requirements for cryptography used in the US Federal Government systems.

While Confluent Platform is not FIPS-certified, it provides FIPS-compliant cipher enforcement at the Kafka broker level. For details, see Confluent Platform FIPS 140-2.

Confluent Server (Confluent Kafka) can be configured to use FIPS-compliant ciphers on its TLS connections. This requires that all TLS enabled components of Kafka use the FIPS-compliant Java KeyStore type, Bouncy Castle. These TLS configurations include those for listeners, the MDS, Kafka REST class, and schema validation.

Bouncy Castle type keystores cannot be used to configure ZooKeeper TLS or other non-Kafka components and clients. You can use regular keystores to connect those components to the FIPS enabled Kafka listeners.

To enable FIPS-enabled Kafka, create a secret with the above keystores and truststores as described in Create FIPS-compliant keystores, and reference the secret in the Kafka custom resource (CR) as described in Configure FIPS-enabled Kafka.

Create FIPS-compliant keystores

To enable FIPS in Kafka, the following keys and files are required:

• Bouncy Castle keystore (truststore.bcfks) and truststore (truststore.bcfks)
• JKS keystore (keystore.jks) and truststore (truststore.jks) if there is a TLS connections between Kafka and ZooKeeper
• JKS password (jksPassword.txt)

The steps in this section use the commands with example use cases. Replace the file locations and other parameters in the examples with those for your environment.

1. To create Bouncy Castle type keystores, download the Bouncy Castle JAR:

   curl https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.3/bc-fips-1.0.2.3.jar \
     -o /tmp/bc-fips-1.0.2.3.jar
   

2. Create all the keystores required for deployment.

   1. Create the certificate chain as described in Provide TLS keys and certificates in PEM format:

      cat ca.pem server.pem > server-chain.pem
      

   2. Create the Bouncy Castle truststore using the JAR you downloaded in Step #1:

      keytool -noprompt -keystore truststore.bcfks \
          -storetype BCFKS \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      

   3. Add the server certificate and the key into a PKCS12 file:

      openssl pkcs12 -export \
          -in server-chain.pem \
          -inkey server-key.pem \
          -out server.p12 \
          -name localhost \
          -passout pass:mykeypassword
      

   4. Create the Bouncy Castle keystore out of the PKCS12 created in the previous step:

      keytool -importkeystore \
          -srckeystore keystores/server.p12 \
          -srcstoretype pkcs12 \
          -srcstorepass mykeypassword \
          -destkeystore keystore.bcfks \
          -deststorepass password \
          -destkeypass password \
          -deststoretype BCFKS \
          -providername BCFIPS \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      

   5. Import the certificate authority (CA) into the keystore:

      keytool -noprompt -keystore keystore.bcfks \
          -storetype BCFKS \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      

   6. Inspect the keystore contents:

      keytool -list -keystore keystore.bcfks \
          -storepass password -v \
          -keypass password \
          -storetype BCFKS \
          -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
          -providerpath /tmp/bc-fips-1.0.2.3.jar
      

3. Because the TLS connection between Kafka and ZooKeeper cannot use Bouncy Castle keystores, you must also create a PKCS12 keystore for those connections.

   1. Create the truststore:

      keytool -noprompt -keystore truststore.jks \
          -storetype pkcs12 \
          -alias CARoot \
          -import -file ca.pem \
          -storepass password \
          -keypass password
      

   2. Create the keystore out of the PKCS12 created in the previous step:

      keytool -importkeystore \
          -srckeystore server.p12 \
          -srcstoretype pkcs12 \
          -srcstorepass mykeypassword \
          -deststoretype pkcs12 \
          -destkeystore keystore.jks \
          -deststorepass password \
          -destkeypass password
      

   3. Import the certificate authority (CA) into the keystore:

      keytool -noprompt -keystore keystore.jks \
          -alias CARoot \
          -storetype pkcs12 \
          -import -file ca.pem \
          -storepass password \
          -keypass password
      

   4. Inspect the keystore content:

      keytool -list -keystore keystore.jks \
          -storepass password -v \
          -keypass password
      

4. Create the Kubernetes secret with the keystores:

   kubectl create secret generic fips-tls \
       --from-file=keystore.bcfks=keystore.bcfks \
       --from-file=truststore.bcfks=truststore.bcfks \
       --from-file=keystore.jks=keystore.jks \
       --from-file=truststore.jks=truststore.jks \
       --from-literal=jksPassword.txt=jksPassword=password
   

Configure FIPS-enabled Kafka

To enable FIPS for Kafka, add the following settings in the Kafka custom resource (CR):

spec:
  fips:
    enabled: true      --- [1]
  tls:
    secretRef:         --- [2]

• [1] Required.
• [2] The name of the secret created in Create FIPS-compliant keystores.