| 1 | + |
| 2 | +# The SUSE Linux Enterprise 15 SP3 LTSS FIPS-140-2 container image |
| 3 | + |
| 4 | + |
| 5 | + |
| 6 | +[-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/) |
| 7 | +[](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify) |
| 8 | + |
| 9 | +## Description |
| 10 | + |
| 11 | + |
| 12 | +This SUSE Linux Enterprise 15 SP3 LTSS-based container image includes the |
| 13 | +SLES 15 FIPS-140-2 certified OpenSSL and libgcrypt modules. The image is |
| 14 | +designed to run on a FIPS-140-2 compliant SUSE Linux Enterprise Server 15 SP3 |
| 15 | +host environment. Although it is configured to enforce FIPS mode, the FIPS |
| 16 | +certification requires a host kernel in FIPS mode to be fully compliant. |
| 17 | + |
| 18 | +The [FIPS-140-2 certified OpenSSL module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3991.pdf) |
| 19 | +is a cryptographic module that provides a FIPS-140-2 compliant |
| 20 | +cryptographic library. The module is certified by the National |
| 21 | +Institute of Standards and Technology (NIST). |
| 22 | + |
| 23 | +The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the |
| 24 | +standard OpenSSL library. It provides the same functionality as the standard |
| 25 | +OpenSSL library, with additional security features to meet the FIPS-140-2 |
| 26 | +requirements. |
| 27 | + |
| 28 | +Similarly, the [FIPS-140-2 certified libgcrypt module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3848.pdf) |
| 29 | +is a drop-in replacement for the standard libgcrypt library. It provides the |
| 30 | +same functionality as the standard libgcrypt library, with the additional |
| 31 | +security features enforced to meet FIPS-140-2 requirements. |
| 32 | + |
| 33 | + |
| 34 | +## Usage |
| 35 | +The image is configured to enforce the use of FIPS mode by default, |
| 36 | +independent of the host environment setup by specifying the following |
| 37 | +environment variables: |
| 38 | +* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode |
| 39 | +* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel |
| 40 | +* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing |
| 41 | + |
| 42 | +Below is a list of other environment variables that can be used to configure the OpenSSL library: |
| 43 | + |
| 44 | +* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate |
| 45 | +the acceptable key sizes of RSA. |
| 46 | +## Accessing the container image |
| 47 | + |
| 48 | +Accessing this container image requires a valid SUSE subscription. In order |
| 49 | +to access the container image, you must login to the SUSE Registry with your credentials. |
| 50 | +There are three ways to do that which are described below. The first two methods |
| 51 | +leverage the system registration of your host system, while the third method |
| 52 | +requires you to obtain the organisation SCC mirroring credentials. |
| 53 | + |
| 54 | +### Use the system registration of your host system |
| 55 | + |
| 56 | +If the host system you are using to build or run a container is already registered with |
| 57 | +the correct subscription required for accessing the LTSS container images, you can use |
| 58 | +the registration information from the host to log in to the registry. |
| 59 | + |
| 60 | +The file `/etc/zypp/credentials.d/SCCcredentials` contains a username and a password. |
| 61 | +These credentials allow you to access any container that is available under the |
| 62 | +subscription of the respective host system. You can use these credentials to log |
| 63 | +in to SUSE Registry using the following commands |
| 64 | +(use the leading space before the echo command to avoid storing the credentials in the |
| 65 | +shell history): |
| 66 | + |
| 67 | +```ShellSession |
| 68 | +set +o history |
| 69 | + echo PASSWORD | podman login -u USERNAME --password-stdin registry.suse.com |
| 70 | +set -o history |
| 71 | +``` |
| 72 | + |
| 73 | +### Use a separate SUSE Customer Center registration code |
| 74 | + |
| 75 | +If the host system is not registered with SUSE Customer Center, you can use a valid |
| 76 | +SUSE Customer Center registration code to log in to the registry: |
| 77 | + |
| 78 | +```ShellSession |
| 79 | +set +o history |
| 80 | + echo SCC_REGISTRATION_CODE | podman login -u "regcode" --password-stdin registry.suse.com |
| 81 | +set -o history |
| 82 | +``` |
| 83 | +The user parameter in this case is the verbatim string `regcode`, and |
| 84 | +`SCC_REGISTRATION_CODE` is the actual registration code obtained from SUSE. |
| 85 | + |
| 86 | +### Use the organization mirroring credentials |
| 87 | + |
| 88 | +You can also use the organization mirroring credentials to log in to the |
| 89 | +SUSE Registry: |
| 90 | + |
| 91 | +```ShellSession |
| 92 | +set +o history |
| 93 | + echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com |
| 94 | +set -o history |
| 95 | +``` |
| 96 | + |
| 97 | +These credentials give you access to all subscriptions the organization owns, |
| 98 | +including those related to container images in the SUSE Registry. |
| 99 | +The credentials are highly privileged and should be preferably used for |
| 100 | +a private mirroring registry only. |
| 101 | +## Licensing |
| 102 | + |
| 103 | +`SPDX-License-Identifier: MIT` |
| 104 | + |
| 105 | +This documentation and the build recipe are licensed as MIT. |
| 106 | +The container itself contains various software components under various open source licenses listed in the associated |
| 107 | +Software Bill of Materials (SBOM). |
| 108 | + |
| 109 | +This image is based on [SUSE Linux Enterprise Server](https://www.suse.com/products/server/), a reliable, |
| 110 | +secure, and scalable server operating system built to power mission-critical workloads in physical and virtual environments. |
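Review bot: the two badge lines near the top of the file (`[-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/)` and `[](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify)`) are malformed markdown: the first has lost its opening `![` and the image URL, and the second is a link with empty text, so neither renders as a badge; restore the `[![alt](image-url)](link-url)` form or drop them. Also, `## Accessing the container image` and `## Licensing` directly follow a list item and a paragraph with no blank line, and the bullet list under `## Usage` has no blank line before it, so some markdown renderers will not treat them as headings or a list; add the blank lines. In the three login snippets, the leading-space advice only keeps a command out of bash history when `HISTCONTROL` contains `ignorespace`, and it is redundant with the surrounding `set +o history`; state which of the two the reader should rely on. Finally, the Usage section says `OPENSSL_FORCE_FIPS_MODE=1` enforces FIPS mode "independent of the host kernel" while the Description says full compliance still requires a FIPS-mode host kernel; repeating that caveat next to the variable list would keep readers from treating the variable as sufficient on its own.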