kibana/docs/user
Kurt 4554b75899
Add license check for FIPS (#181187)
## Updates
### Latest updates

- Expose whether KB is configured to run in FIPS mode from Core ->
Security

Consolidating all FIPS PRs into this PR

*Previous PRs were Approved

### Changes

- Config option is now experimental:
`xpack.security.experimental.fipsMode.enabled`
- Documentation has been revised
  - Listed as an experimental feature
  - Added keystore references for adding a password

## Summary
Closes #169738
Closes #169739
Closes #169740
Closes #185948

FIPS is a platinum license feature. 

Kibana instances must have a platinum or better license to start up in
FIPS mode; a lesser license will result in Kibana failing to start up.

If the license is degraded, Kibana will still run, but an error will be
logged letting the user know that Kibana will not be able to restart.

## Config changes

This PR required the changes that were approved from [a previous
PR](https://github.com/elastic/kibana/pull/174558). Since that PR
couldn't be merged into main, I merged it here.

## Testing

### Locally

In your `kibana.dev.yml` add:
`xpack.security.experimental.fipsMode.enabled: true`

To allow Kibana to start without actually providing a compliant OpenSSL
provider, in `x-pack/plugins/security/server/config.ts` change L328 from
`if (isFipsEnabled !== isNodeRunningWithFipsEnabled)` to `if (false)`

You are now configured to run in FIPS-spoof mode!

Run: `yarn es snapshot` and `yarn start` > You should see Kibana fail to
start with an error about using a basic license.

Run: `yarn es snapshot --license trial` and `yarn start` > Kibana should
start.

Login as `elastic` and navigate to Stack Management > License Management

Switch your license to `basic` and accept.

In your logs, you will see an error letting users know that you no
longer have an appropriate license and Kibana will not restart.


### For FIPS enthusiasts

Start an ES instance in a method of your choosing, but not using `yarn
es snapshot`. I like to use an 8.15.0-snapshot from the `.es/cache`
directory by running `tar -xzvf
elasticsearch-8.15.0-SNAPSHOT-darwin-aarch64.tar.gz` and cd into the
new directory's `bin` folder to run `./elasticsearch`.

Ensure you have Docker running locally.

From any command line, run: `docker run --rm -it -e
XPACK_SECURITY_FIPSMODE_ENABLED='true' -p 5601:5601/tcp
docker.elastic.co/kibana-ci/kibana-ubi-fips:8.15.0-SNAPSHOT-bc3150316ed317c08d57c6bd785ba39586072e1d`

This will start Kibana into Interactive Setup mode. Copy and paste the
token from the ES startup logs.

Kibana should fail to start and you should see Kibana fail to start with
an error about using a basic license.

Repeat the above process except before you paste the token from ES, do
the following to enable a trial license on your ES instance:

In a new terminal window, navigate to the top level of your
elasticsearch folder and run

`curl -X POST --cacert config/certs/http_ca.crt -u
elastic:YOUR_PASSWORD_HERE
"https://localhost:9200/_license/start_trial?acknowledge=true&pretty"`

You should receive a successful response.

Now paste the token from the ES startup logs into the Kibana Interactive
Setup window and Kibana should start.

Login as `elastic` and navigate to Stack Management > License Management

Switch your license to `basic` and accept.

In your logs, you will see an error letting users know that you no
longer have an appropriate license and Kibana will not restart.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>
2024-07-02 11:03:28 -04:00
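
The start-up and runtime license behaviour described in the commit message above, as an added sketch that is not Kibana's code and not part of the commit. Every function and field name is hypothetical, and the license ordering (with a trial counted as platinum or better) is an assumption taken from the test steps.

```javascript
// Added illustration, not Kibana's implementation. All names are hypothetical.
// Assumed ordering of license levels; a trial is treated as "platinum or
// better" because the commit's test steps start Kibana on a trial license.
const LICENSE_RANK = new Map([
  ['basic', 0], ['standard', 1], ['gold', 2],
  ['platinum', 3], ['enterprise', 4], ['trial', 4],
]);

// Unknown or missing license types fail closed (treated as insufficient).
function licenseAllowsFips(licenseType) {
  const rank = LICENSE_RANK.get(licenseType);
  return rank !== undefined && rank >= LICENSE_RANK.get('platinum');
}

// Start-up gate. In a real process nodeFipsEnabled would come from Node's
// crypto.getFips() === 1; it is a parameter here so the check is testable.
function checkFipsAtStartup({ fipsConfigured, nodeFipsEnabled, licenseType }) {
  if (fipsConfigured !== nodeFipsEnabled) {
    return { start: false, reason: 'fips-config-runtime-mismatch' };
  }
  if (fipsConfigured && !licenseAllowsFips(licenseType)) {
    return { start: false, reason: 'license-below-platinum' };
  }
  return { start: true, reason: null };
}

// Runtime license change: the process keeps running, but an error is logged
// because the start-up gate above would refuse the next start.
function onLicenseChange({ fipsConfigured, licenseType }, logError) {
  if (fipsConfigured && !licenseAllowsFips(licenseType)) {
    logError(`License "${licenseType}" does not permit FIPS mode; restart will fail.`);
    return { running: true, canRestart: false };
  }
  return { running: true, canRestart: true };
}

// Constructed walk-through mirroring the local test steps.
function demo() {
  const errors = [];
  const fips = { fipsConfigured: true, nodeFipsEnabled: true };
  return {
    basic: checkFipsAtStartup({ ...fips, licenseType: 'basic' }),
    trial: checkFipsAtStartup({ ...fips, licenseType: 'trial' }),
    downgraded: onLicenseChange({ fipsConfigured: true, licenseType: 'basic' }, (m) => errors.push(m)),
    errors,
  };
}
console.log(JSON.stringify(demo(), null, 2));
```
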

| Name | Last commit | Date |
| --- | --- | --- |
| alerting | [DOCS] Stack Management Alerts app (#184384) | 2024-06-05 16:12:54 -07:00 |
| commands | [docs] Improve Secure saved objects and kibana-encryption-keys docs (#132828) | 2022-05-25 06:27:37 +02:00 |
| dashboard | [Lens][Docs] add metric coloring doc (#174405) | 2024-01-16 09:41:20 -06:00 |
| graph | [DOCS] Updates saved objects & other docs (#139328) | 2022-09-21 16:11:41 -07:00 |
| images | [DOCS] Adds the whats new page for 8.14 (#183556) | 2024-05-28 21:13:13 -04:00 |
| introduction/images | Doc changes for stack management and grouped feature privileges (#80486) | 2020-10-27 11:41:31 -04:00 |
| ml | [DOCS] Adjusts log rate analysis docs (#185008) | 2024-06-12 11:19:14 +02:00 |
| monitoring | describe the values in the CCR metrics table (#184545) | 2024-06-03 10:46:40 -04:00 |
| production-considerations | (+Doc) Make "expired hot timestamps" searchable to resolve (#184363) | 2024-05-30 08:35:32 -06:00 |
| reporting | [Reporting/Docs] Organize troubleshooting page and add CSV content (#182202) | 2024-06-24 14:53:57 -07:00 |
| security | Add license check for FIPS (#181187) | 2024-07-02 11:03:28 -04:00 |
| troubleshooting | [Telemetry] Use header-based versioned APIs instead of path-based (#159839) | 2023-08-12 14:20:06 -07:00 |
| api.asciidoc | [Docs] remove Kibana book-scoped variables (#178676) | 2024-03-14 11:53:33 -04:00 |
| canvas.asciidoc | [Docs] remove Kibana book-scoped variables (#178676) | 2024-03-14 11:53:33 -04:00 |
| dev-tools.asciidoc | [Docs] remove Kibana book-scoped variables (#178676) | 2024-03-14 11:53:33 -04:00 |
| discover.asciidoc | [DOCS] Discover troubleshooting blog link (#179109) | 2024-03-21 13:40:52 -04:00 |
| index.asciidoc | [DOCS] Add Playground docs (#182692) | 2024-05-08 17:29:17 +01:00 |
| introduction.asciidoc | [DOCS] Fix Rules and Connectors app labels (#145660) | 2022-11-22 09:14:31 -08:00 |
| management.asciidoc | [Docs] remove Kibana book-scoped variables (#178676) | 2024-03-14 11:53:33 -04:00 |
| plugins.asciidoc | Remove Kibana Prometheus Exporter from documentation. (#171624) | 2023-11-21 14:24:47 +00:00 |
| setup.asciidoc | [Docs] remove Kibana book-scoped variables (#178676) | 2024-03-14 11:53:33 -04:00 |
| whats-new.asciidoc | [DOCS] Adds the whats new page for 8.14 (#183556) | 2024-05-28 21:13:13 -04:00 |