Postgres in FIPS
Hello,
My organization is in the process of getting a FIPS certification. I was
wondering if anyone has experience with getting their application FIPS
certified using Postgres. I have read a little bit about this and saw that
you need to compile Postgres manually using a FIPS-capable version of
OpenSSL.
However, I would like to know how you handled the startup self-test of
Postgres and how you handled errors in the crypto module.
I have started investigating compiling Postgres using openssl-fips.
However, I run into issues when I try to run the make scripts using the
fipsld linker.
The error I get is:
fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv -DDEF_PGPORT=5432 -I../../../src/interfaces/libpq -I../../../src/include -D_GNU_SOURCE -I/usr/local/ssl/fips/include -I/usr/local/include -c -o pg_ctl.o pg_ctl.c
fipsld -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -fwrapv pg_ctl.o -L../../../src/port -l pgport -L../../../src/interfaces/libpq -lpq -L../../../src/port -L/usr/local/ssl/fips/lib -L/usr/local/lib -Wl,--as-needed -Wl,-rpath,'/usr/local/pgsql/lib' -lpgport -lssl -lcrypto -lcrypt -ldl -lm -o pg_ctl
./pg_ctl: error while loading shared libraries: libpq.so.5: cannot open shared object file: No such file or directory
Just as an FYI, I am running configure and make in the following manner:
./configure --with-includes=/usr/local/ssl/fips/include:/usr/local/include --with-libraries=/usr/local/ssl/fips/lib:/usr/local/lib --enable-shared -with-openssl --without-readline --without-zlib
make CC=fipsld FIPSLD_CC=gcc
Thanks for any help
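The error in the post above is the dynamic loader, not the FIPS module: the link line bakes in -rpath /usr/local/pgsql/lib, but libpq.so.5 only exists in src/interfaces/libpq until `make install` has run, so executing the freshly linked ./pg_ctl from the build tree fails at load time (as I understand fipsld, it runs the linked program once to compute the fingerprint it then embeds, which is why the build itself trips over this). The helpers below are an added example, not code from the thread or from PostgreSQL; they parse `ldd` output for unresolved libraries and assemble the LD_LIBRARY_PATH a build-tree run needs. The FIPS library directory is taken from the post's configure line; $PGSRC is an assumed path to the source tree.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose "cannot open shared object
# file" for a binary that was just linked inside the PostgreSQL build tree.
# Assumptions: POSIX sh, `ldd` on the build host, and the OpenSSL FIPS
# library directory from the post's configure line (/usr/local/ssl/fips/lib).

# Read `ldd` output on stdin and print each library the loader could not
# resolve (lines of the form "libpq.so.5 => not found").
parse_missing() {
    while read -r lib arrow rest; do
        if [ "$arrow" = "=>" ] && [ "$rest" = "not found" ]; then
            printf '%s\n' "$lib"
        fi
    done
}

# Report unresolved libraries for one binary.
# Returns 0 if everything resolves, 1 if something is missing, 2 if the
# file does not exist (so a typo in the path is not mistaken for success).
missing_libs() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        printf 'no such file: %s\n' "$bin" >&2
        return 2
    fi
    out=$(ldd "$bin" 2>/dev/null | parse_missing)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Compose the LD_LIBRARY_PATH that lets a not-yet-installed binary run from
# the build tree: the in-tree libpq directory plus the FIPS OpenSSL libs.
build_ldpath() {
    pgsrc="$1"
    fipslib="${2:-/usr/local/ssl/fips/lib}"
    printf '%s\n' "$pgsrc/src/interfaces/libpq:$fipslib"
}

# Usage, with $PGSRC assumed to be the unpacked PostgreSQL source tree:
#   cd "$PGSRC" && ./configure ...           # as in the post
#   LD_LIBRARY_PATH=$(build_ldpath "$PGSRC") make CC=fipsld FIPSLD_CC=gcc
#   missing_libs "$PGSRC/src/bin/pg_ctl/pg_ctl" || echo "still unresolved"
```

The build tree compiles src/interfaces before src/bin, so libpq.so.5 is already present in src/interfaces/libpq when pg_ctl is linked; exporting that directory for the duration of `make` only affects how in-tree binaries are executed during the build, and the installed binaries still resolve libpq through the rpath once `make install` has populated /usr/local/pgsql/lib.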
Something to think about here: does your database actually require
encryption? Or is the encryption handled between remote user and
application?
If your database is shared locally on the same server as your
application, then you shouldn't need FIPS encryption since the
communication between database and application never leaves the
system.
Unless you have really strict application requirements.
Ken
On Tue, Jan 11, 2011 at 4:03 PM, M Sabin <postgres@sabes.net> wrote:
Yes, we require SSL connections, because we have multiple clients that
access the database from outside the server where the database resides.
Michael
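The split Ken describes, as an added pg_hba.conf example (not from the thread): the application on the same host connects over the Unix socket and never touches TLS, while the remote clients Michael mentions must use SSL, and a plain TCP attempt is refused outright. The network, database and role names are placeholders; rules are matched first to last, so the order shown matters, and hostssl lines only match when ssl = on is set in postgresql.conf.

```conf
# Added example pg_hba.conf (not from the thread).
# Placeholders: appdb, appuser, 10.0.0.0/8.
#
# TYPE      DATABASE  USER     ADDRESS       METHOD

# Co-located application over the Unix socket; traffic never leaves the host.
local       appdb     appuser                md5

# Remote clients: TLS is required for this record to match at all.
hostssl     appdb     appuser  10.0.0.0/8    md5

# Any non-TLS TCP connection attempt, from anywhere, is refused.
hostnossl   all       all      0.0.0.0/0     reject
```

With this layout a client that connects with sslmode=disable is told "no pg_hba.conf entry" rather than silently falling back to a cleartext session, which is the property a FIPS auditor will ask you to demonstrate.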
On Tue, Jan 11, 2011 at 10:36 PM, Kenneth Buckler <kenneth.buckler@gmail.com> wrote: