Skip to content

Ensure BCFKS based cacert truststore is used for cloud ess fips #127716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 6, 2025
Merged

Ensure BCFKS based cacert truststore is used for cloud ess fips #127716

merged 2 commits into from
May 6, 2025

Conversation

breskeby
Copy link
Contributor

@breskeby breskeby commented May 5, 2025

No description provided.

@breskeby breskeby requested a review from a team as a code owner May 5, 2025 14:48
@breskeby breskeby added :Delivery/Build Build or test infrastructure Team:Delivery Meta label for Delivery team auto-backport Automatically create backport pull requests when merged v8.19.0 v9.1.0 labels May 5, 2025
@breskeby breskeby self-assigned this May 5, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@breskeby breskeby marked this pull request as draft May 5, 2025 15:49
jakelandis
jakelandis reviewed May 5, 2025
View reviewed changes
distribution/docker/src/docker/Dockerfile.ess-fips Outdated
-srckeystore /usr/share/elasticsearch/jdk/lib/security/cacerts \
-srcstoretype PKCS12 \
-destkeystore config/cacerts.bcfks \
-deststorepass password \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we will need a strong password, 14 chars of Ascii. Not sure if that is explicitly required for FIPS BCFKS but aligns with our custom keystore requirements.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tweaked this

tvernum
tvernum approved these changes May 6, 2025
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@breskeby breskeby marked this pull request as ready for review May 6, 2025 06:22
@breskeby breskeby changed the title Ensure we use BCFKS based cacert truststore for cloud ess fips Ensure BCFKS based cacert truststore is used for cloud ess fips May 6, 2025
@breskeby breskeby merged commit aee4465 into elastic:main May 6, 2025
14 of 18 checks passed
breskeby added a commit to breskeby/elasticsearch that referenced this pull request May 6, 2025
@breskeby
Ensure BCFKS based cacert truststore is used for cloud ess fips (elas…
5c41e98 
…tic#127716)

* Ensure we use BCFKS based cacert truststore for cloud ess fips
* Make truststore default password 14 characters
@breskeby breskeby mentioned this pull request May 6, 2025
Merged
@elasticsearchmachine
Copy link
Collaborator

💚 Backport successful

Status Branch Result
8.19

breskeby added a commit that referenced this pull request May 6, 2025
@breskeby
Ensure BCFKS based cacert truststore is used for cloud ess fips (#127716
6b4f024 
) (#127737)

* Ensure we use BCFKS based cacert truststore for cloud ess fips
* Make truststore default password 14 characters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakelandis jakelandis jakelandis left review comments

@tvernum tvernum tvernum approved these changes

Assignees

@breskeby breskeby

Labels
auto-backport Automatically create backport pull requests when merged :Delivery/Build Build or test infrastructure >non-issue Team:Delivery Meta label for Delivery team v8.19.0 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@breskeby @elasticsearchmachine @jakelandis @tvernum