DOC-479: add setup FIPS tips #1757
OK, but I suspect this could be more helpful with a little more detail.
Unless it's very basic or relating to third-party technologies, it isn't sufficient to tell users to do something, we need to tell them how. Especially when it comes to troubleshooting. Doesn't need much - might be as simple as referencing parameter names from earlier in this section.
@@ -222,3 +222,58 @@ For the | |||
information, e.g., `TLSv1.3`. It ensures the engine won't allow a fallback to an old, insecure version. | |||
* `validateIdentity`: Flag which allows enabling endpoint identity validation. It means, during the TLS handshake client verifies if the server's hostname (or IP address) matches the information in X.509 certificate (Subject Alternative Name extension). Possible values are `"true"` and `"false"` (default). | |||
== Troubleshooting FIPS setup |
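Review bot: on the `validateIdentity` line, the default of `"false"` means the client never checks that the server's hostname or IP address matches the certificate's Subject Alternative Name unless the reader opts in, so a certificate that chains to the truststore but was issued for a different host is still accepted; say that consequence explicitly and recommend `"true"` whenever the truststore holds more than the single expected server certificate. The wording "Flag which allows enabling" also undersells it: the flag enables the check, so "Enables endpoint identity validation" is clearer. The new `== Troubleshooting FIPS setup` heading sits after a list of unrelated TLS properties; a one-line lead-in stating which symptom each resolution below applies to, before the first **Resolution**, would let readers match their error to the fix.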
I think this would fit better in security/fips-140-2. Most users of this section won't be interested in FIPS; 100% of users of that section will be. It's already linked from the relevant config field here.
Maybe sub-headings, a bulleted list or a table would make it a bit easier to read too.
@shultseva Where is this information best located for readers: in the advanced security/fips-140-2 section, or where it currently is in integrating Open/BoringSSL?
To ensure the correct library is used, specify the platform-specific netty-tcnative jar file. For example, for aarch_64: | ||
`netty-tcnative-2.0.69.Final-linux-aarch_64.jar` |
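Review bot: the jar is named but the text never says where it is declared or how to tell it took effect; state that `netty-tcnative-2.0.69.Final-linux-aarch_64.jar` is a classpath entry for the member, tie it to the OpenSSL-enabling parameters earlier in this section, and give the reader one check that confirms the native OpenSSL engine rather than the JDK SSL engine is in use, since "to ensure the correct library is used" is otherwise unverifiable. Pinning `2.0.69.Final` in prose will go stale with the next release; reference the netty-tcnative version bundled with the product version instead, or say it must match the one shipped.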
Where do you specify this?
I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket.
**Resolution** | ||
Switch to BCFKS for the keystore and truststore to resolve the problem. |
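Review bot: "Switch to BCFKS for the keystore and truststore" names the target format but not the settings it maps to or the conversion step; name the keystore and truststore type parameters from earlier in this section that must be set to `BCFKS`, and note that BCFKS is the Bouncy Castle FIPS keystore format, so the bc-fips provider jar must be on the classpath and registered as a security provider before either store can be opened, otherwise the reader trades one startup failure for another. The symptom this **Resolution** answers is not in the fragment shown here; each troubleshooting entry should open with the exact error text so readers can match it.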
How?
I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket.
**Resolution** | ||
Try adding the export option to the Java command. One method is to include the following in your Java command to allow access to internal classes: |
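Review bot: the sentence stops at "to allow access to internal classes" without the option itself or the module and package it targets; when the flag is filled in, spell it out in full and say which file-based setting carries it (for example the member's JVM options), because everything else in this section is configuration files rather than a command line. Also call out the trade-off: exporting an internal JDK package to unnamed modules relaxes module encapsulation for the whole process, so the flag should be scoped to the single package the FIPS provider actually needs, not a broad export, and the entry should explain why the provider needs it so readers do not copy the flag into unrelated deployments.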
What Java command? The rest of this section is all file-based configuration.
I'll let @shultseva comment and, if necessary, provide more information beyond what's in the support ticket.
Co-authored-by: Rob Swain <rob.swain@hazelcast.com>
Added FIPS setup troubleshooting tips to address support issue: https://hazelcast.atlassian.net/browse/SUP-897
See Docs ticket: DOC-479.
OlgaS kindly supplied the fix and feedback on the supporting docs.