EDR: Errors After Enabling EDR FIPS Mode on RHEL/CentOS 8.9


Article ID: 287615


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

After adding the settings to enable FIPS on RHEL 8.9, the following errors appear:

/var/log/cb/datastore/debug.log:
  Exception in cache update task
  redis.clients.jedis.exceptions.JedisConnectionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

/var/log/cb/redis/redis.log:
  Error accepting a client connection: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

Environment

  • EDR Server: 7.8.0
  • RHEL/CentOS:  8.9 

Cause

  • According to the EDR Cluster Management Guide 7.8.0, "Carbon Black EDR Server 7.8.0 in FIPS mode is officially supported on RHEL 8.2, 8.6, 8.7, and 8.8." RHEL 8.9 is not on that list.

Resolution


  • OS FIPS together with EDR FIPS mode is supported on RHEL 8.2, 8.6, 8.7, and 8.8.
  • EDR 7.8.0 can be installed successfully on RHEL 8.9 (with or without OS FIPS enabled). Only EDR 7.8.0 FIPS mode cannot be enabled on RHEL 8.9.
  • The complete fix for EDR FIPS mode on RHEL 8.9 is expected in EDR 7.9.0, with an estimated release timeframe of the fourth quarter of 2024.
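
A pre-flight check built from this article's support list and its two error signatures, as an added example (not Carbon Black code). The function names are hypothetical, the host is assumed to have a RHEL-style os-release file with a VERSION_ID line, and the sample files are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example, not vendor code: check a host before enabling EDR 7.8.0 FIPS mode.

# RHEL releases on which EDR Server 7.8.0 FIPS mode is supported (from this article).
SUPPORTED_FIPS_RELEASES="8.2 8.6 8.7 8.8"

# Print VERSION_ID (for example 8.9) from an os-release style file.
os_version() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9.]*\)"\{0,1\}$/\1/p' "${1:-/etc/os-release}"
}

# Succeed only if the given release is in the supported list.
fips_mode_supported() {
    for rel in $SUPPORTED_FIPS_RELEASES; do
        [ "$rel" = "$1" ] && return 0
    done
    return 1
}

# Count log lines carrying either TLS failure signature quoted in this article.
handshake_errors() {
    [ $# -gt 0 ] || { echo 0; return 0; }
    cat "$@" 2>/dev/null |
        grep -c -e 'PKIX path building failed' \
                -e 'sslv3 alert certificate unknown' || true
}

# Print a verdict for one host: os-release file first, then any log files.
preflight() {
    ver=$(os_version "$1"); shift
    errs=$(handshake_errors "$@")
    if fips_mode_supported "$ver"; then
        echo "RHEL $ver: supported for EDR FIPS mode; $errs handshake error(s) logged"
    else
        echo "RHEL $ver: do not enable EDR FIPS mode; $errs handshake error(s) logged"
    fi
}

# Constructed sample input so the check runs offline.
demo=$(mktemp -d)
printf 'NAME="Red Hat Enterprise Linux"\nVERSION_ID="8.9"\n' > "$demo/os-release"
printf '%s\n' 'Exception in cache update task' \
    'redis.clients.jedis.exceptions.JedisConnectionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target' > "$demo/debug.log"
printf '%s\n' 'Error accepting a client connection: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown' > "$demo/redis.log"
preflight "$demo/os-release" "$demo/debug.log" "$demo/redis.log"
```

On an EDR server, call `preflight /etc/os-release /var/log/cb/datastore/debug.log /var/log/cb/redis/redis.log` instead of the constructed files.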

Additional Information

  • RHEL 8.8 was released in May 2023, and EDR FIPS was tested and approved on it. RHEL 8.9 was released in Nov 2023, and development and testing are ongoing as of Mar 2024.