
SSL FIPS 140-2 deployment

Introduction

For organizations that need to deploy OpenCTI in an SSL FIPS 140-2 compliant environment, we provide FIPS compliant OpenCTI images for all components of the platform. Please note that you will also need to deploy the dependencies (ElasticSearch / OpenSearch, Redis, etc.) with FIPS 140-2 SSL to obtain a fully compliant OpenCTI technological stack.

OpenCTI SSL FIPS 140-2 compliant builds

The SSL FIPS 140-2 compliant images for the OpenCTI platform, workers and connectors are based on a packaged Alpine Linux with OpenSSL 3 and FIPS mode enabled, maintained by the Filigran engineering team.

Dependencies

AWS Native Services in FedRAMP compliant environment

It is important to note that OpenCTI is fully compatible with AWS native services, and all dependencies are available in both the FedRAMP Moderate (East / West) and FedRAMP High (GovCloud) scopes.

  • Amazon OpenSearch Service (OpenSearch)
  • Amazon ElastiCache (Redis)
  • Amazon MQ (RabbitMQ)
  • Amazon Simple Storage Service (S3 bucket)

ElasticSearch / OpenSearch

ElasticSearch is known to be compatible with FIPS 140-2 SSL when run on the proper JVM. There is a comprehensive guide in the Elastic documentation.

Alternatively, note that Elastic also provides a FedRAMP authorized ElasticSearch cloud offering.

Redis

Redis does not provide FIPS 140-2 SSL compliant Docker images, but it fully supports custom tls-ciphersuites, which can be configured to use the system FIPS 140-2 OpenSSL library.

Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and Redis. A few examples are available online.
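As an added example (not part of the OpenCTI documentation or of the Redis project), the following docker-compose fragment runs Redis in TLS-only mode and restricts it to FIPS-approved TLS 1.2 and TLS 1.3 AES-GCM suites. The image name, certificate paths and service name are assumptions, and the OpenSSL 3 library inside the image is assumed to be your FIPS-enabled build, which is what makes the cipher restriction meaningful:

```yaml
# Added example (not from the OpenCTI or Redis projects). Assumptions: the image
# below is your own rebuild of Redis on a base whose OpenSSL 3 has the FIPS
# provider loaded, and ./certs holds a CA plus the server certificate and key.
services:
  redis:
    image: your-registry/redis:7-fips   # assumed name for your FIPS-based rebuild
    volumes:
      - ./certs:/certs:ro
    command:
      - redis-server
      # Disable the plaintext listener so only the TLS port is reachable.
      - --port
      - "0"
      - --tls-port
      - "6379"
      - --tls-cert-file
      - /certs/redis.crt
      - --tls-key-file
      - /certs/redis.key
      - --tls-ca-cert-file
      - /certs/ca.crt
      # Require client certificates so OpenCTI and the workers are authenticated too.
      - --tls-auth-clients
      - "yes"
      # TLS 1.0 and 1.1 are not FIPS-approved; allow only 1.2 and 1.3.
      - --tls-protocols
      - "TLSv1.2 TLSv1.3"
      # TLS 1.2 suites (tls-ciphers): ECDHE key exchange with AES-GCM only.
      - --tls-ciphers
      - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
      # TLS 1.3 suites (tls-ciphersuites): AES-GCM only; ChaCha20-Poly1305 is not FIPS-approved.
      - --tls-ciphersuites
      - "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
```

With the plaintext port disabled, any client that still connects without TLS is refused, so a misconfigured component fails loudly instead of silently downgrading. A quick check that the suite restriction holds is to run `openssl s_client -connect redis:6379 -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256` from another container: the handshake must fail. On the OpenCTI side, point the platform and workers at this service with `REDIS__USE_SSL=true` (the variable name is taken from OpenCTI's standard Docker configuration and is an assumption for this page).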

RabbitMQ

RabbitMQ does not provide FIPS 140-2 SSL compliant Docker images but, like Redis, supports custom cipher suites. It is also confirmed that, since RabbitMQ version 3.12.5, the associated Erlang build (> 26.1) supports FIPS mode on OpenSSL 3.

Alternatively, you can use a Stunnel TLS endpoint to ensure encrypted communication between OpenCTI and RabbitMQ.

S3 Bucket / MinIO

If you cannot use an S3 endpoint already deployed in your FIPS 140-2 SSL compliant environment, MinIO provides FIPS 140-2 SSL compliant Docker images, which are easy to deploy within your environment.

OpenCTI stack

Platform

For the platform, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure.

Worker

For the worker, we provide FIPS 140-2 SSL compliant Docker images. Just use the appropriate tag to ensure you are deploying the FIPS compliant version and follow the standard Docker deployment procedure.

Connectors

All connectors have FIPS 140-2 SSL compliant Docker images. For each connector you need to deploy, please use the tag {version}-fips instead of {version} and follow the standard deployment procedure. An example is available on Docker Hub.
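As an added example that is not OpenCTI's own docker-compose.yml, the following fragment shows the platform, a worker and one connector deployed from the `-fips` tags described in the three sections above, with every dependency reached over TLS only. `<version>`, hostnames, the admin token and the connector identifier are placeholders; the environment variable names follow OpenCTI's standard Docker configuration, which is an assumption for this page:

```yaml
# Added example (not OpenCTI's own compose file). Replace <version> with the
# platform release you deploy; every OpenCTI image uses the "<version>-fips" tag.
# Hostnames, credentials and the connector UUID are placeholders.
services:
  opencti:
    image: opencti/platform:<version>-fips
    environment:
      - APP__PORT=8080
      - APP__BASE_URL=https://opencti.example.internal
      - APP__ADMIN_EMAIL=admin@example.internal
      - APP__ADMIN_PASSWORD=<admin-password>
      - APP__ADMIN_TOKEN=<admin-token-uuid>
      # Dependencies are reached over TLS only; no plaintext ports are configured.
      - REDIS__HOSTNAME=redis
      - REDIS__PORT=6379
      - REDIS__USE_SSL=true
      - ELASTICSEARCH__URL=https://elasticsearch:9200
      - RABBITMQ__HOSTNAME=rabbitmq
      - RABBITMQ__PORT=5671
      - RABBITMQ__USE_SSL=true
      - MINIO__ENDPOINT=minio
      - MINIO__PORT=9000
      - MINIO__USE_SSL=true
    ports:
      - "8080:8080"

  worker:
    image: opencti/worker:<version>-fips
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=<admin-token-uuid>
      - WORKER_LOG_LEVEL=info
    depends_on:
      - opencti

  # Same pattern for every connector: "<version>-fips" instead of "<version>".
  connector-export-file-stix:
    image: opencti/connector-export-file-stix:<version>-fips
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=<admin-token-uuid>
      - CONNECTOR_ID=<connector-uuid>
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileStix2
      - CONNECTOR_SCOPE=application/json
      - CONNECTOR_LOG_LEVEL=info
    depends_on:
      - opencti
```

Because the platform image runs on Node.js, you can confirm after start-up that the OpenSSL FIPS provider is really active rather than trusting the tag alone: `docker compose exec opencti node -e "process.exit(require('crypto').getFips() ? 0 : 1)"` exits 0 only when Node reports a FIPS provider in use (`crypto.getFips()` returns 1 in that case). Running the same one-liner against the non-FIPS tag is a useful negative control.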