Is Red Hat build of Apache Camel 4 compliant with FIPS?

Solution Verified - Updated

Environment

  • Red Hat build of Apache Camel 4.x
  • Red Hat OpenShift Container Platform (RHOCP) 4.x
  • Red Hat Enterprise Linux (RHEL)
  • Federal Information Processing Standards (FIPS)

Issue

  • Is Camel 4 compliant with FIPS?
  • Has Red Hat build of Apache Camel 4 been FIPS certified (validated) by NIST?
  • Can Red Hat build of Apache Camel 4 be run on FIPS enabled OpenJDK / RHEL?

Resolution

Important: No version of Red Hat build of Apache Camel 4.x is FIPS validated! Red Hat build of Apache Camel 4.x has not undergone official FIPS certification (validation) and does not aim to do so. It did not complete the NIST CMVP process to receive a certificate from NIST.

Red Hat build of Apache Camel is not fully designed for FIPS because some Camel components may register security providers that are not FIPS validated, such as Bouncy Castle.

However, Red Hat supports running Red Hat build of Apache Camel 4.x on FIPS enabled OpenJDK / RHEL / OpenShift.
We have validated that running Red Hat build of Apache Camel 4.x on a FIPS enabled OpenJDK / RHEL / OpenShift does not break any Camel component or the Camel runtime. Camel functions the same way as when running on a non-FIPS enabled and supported JDK. See the Red Hat build of Apache Camel supported configurations page for the specific Java versions supported.

For more details on Red Hat Enterprise Linux and its cryptographic modules, see Compliance activities and government standards.

Camel Components designed for FIPS

All supported Camel components (except those listed below) and the Camel core runtime are designed for FIPS.
That means they can be configured to use FIPS validated cryptographic modules.

Note: Natively compiled Camel Quarkus applications are not designed for FIPS. Quarkus does not currently support running native applications on FIPS enabled RHEL.

The supported modules of CXF for Quarkus and Spring Boot are also designed for FIPS from our Camel 4.8 release onwards. More specifically, WS-Security in CXF can be configured to only use FIPS validated cryptography. See the release notes (docs.quarkiverse.io).

Camel Components not designed for FIPS

The Camel components listed below may register and use security providers and cryptographic modules that are not FIPS validated. However, these components won't break the application when run in a FIPS enabled environment; they will function correctly.

  • camel-ftp
  • camel-kafka - ONLY IF used for SASL/SCRAM auth
  • camel-smb
  • camel-ssh

Starting from Camel 4.8, camel-cxf-soap and camel-crypto are also designed for FIPS, i.e. they use FIPS validated cryptographic modules.

Diagnostic Steps

See KCS Running OpenJDK in FIPS mode on RHEL for more details on how to enable FIPS on RHEL.
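
To see which security providers an application actually registers at runtime (the concern raised above for components that are not designed for FIPS), the JCA provider list can be compared before and after startup. This is an added example, not Red Hat or Camel code; the class name ProviderAudit and the DemoProvider stand-in are hypothetical and constructed for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ProviderAudit {

    /** Names of the JCA providers currently registered, in preference order. */
    static Set<String> snapshot() {
        Set<String> names = new LinkedHashSet<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Providers registered now that were absent from the baseline snapshot. */
    static List<Provider> addedSince(Set<String> baseline) {
        List<Provider> added = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (!baseline.contains(p.getName())) {
                added.add(p);
            }
        }
        return added;
    }

    /** Constructed stand-in for a provider that a library registers at runtime. */
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DEMO-NOT-VALIDATED", "1.0", "constructed provider for this example");
        }
    }

    public static void main(String[] args) {
        // Take the baseline before the CamelContext is created.
        Set<String> baseline = snapshot();
        System.out.println("Providers at JVM start: " + baseline);

        // Assumption: in a real application the CamelContext is started and the
        // routes are exercised here. The demo provider simulates a registration.
        Security.addProvider(new DemoProvider());

        for (Provider p : addedSince(baseline)) {
            System.out.printf("Registered after start: %s %s (%s)%n",
                    p.getName(), p.getVersionStr(), p.getClass().getName());
        }
        Security.removeProvider("DEMO-NOT-VALIDATED"); // clean up the stand-in
    }
}
```

Any provider reported after startup was added by application or library code rather than by the JDK's own security configuration, so it is the one to check against the list of validated modules.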

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.