Hi,
we are using AWS EC2 AMIs for testing.
With SLES 15 SP5 everything works fine; the following command chain enables FIPS on a clean AMI and everything works after reboot:
sudo registercloudguest --force-new
sudo zypper refresh
sudo zypper update -y
sudo zypper in -y -t pattern fips
sudo zypper in -y crypto-policies-scripts
sudo fips-mode-setup --enable
On SP6, after reboot, ssh no longer works. After getting ssh logs from the machine the error is:
PRNG is not seeded
I tried various ways to fix this but none of them worked (for example installing and enabling haveged).
Same error happens on all AWS available SP6 SLES AMIs.
I tried various combinations of the commands from https://www.suse.com/support/kb/doc/?id=000019432 but everything ended up the same, unfortunately.
Any help is appreciated.
Have you seen this thread on the openSUSE Forums - https://forums.opensuse.org/t/how-to-get-fips-to-work-in-opensuse-leap-15-6/183589/7 ? openSUSE Leap 15.6 is similar to SLES15 SP6.
The solution which worked there was to install the libopenssl-3-fips-provider package.
Oh amazing, that worked — thank you very much!
I’d recommend updating the KB article to include this solution.
That’s great to hear. I’ve also provided SUSE with some feedback on the TID so hopefully that will soon be updated.
Thanks for the TID feedback, Simon. I guess the recommended install should be the fips pattern, like
zypper in -t pattern fips
which takes care that libopenssl-3-fips-provider and further mandatory packages get installed.
I updated the TID accordingly.
Cheers, Michael
@mkrapp
Hi,
you can see I used the “sudo zypper in -y -t pattern fips” command in my original post already, but only adding a separate installation of libopenssl-3-fips-provider fixed the issue.
@jaroslav_burian Odd. I can’t check on AWS right now, could be your image is not yet patched?
I had a look on the installation iso, there indeed the fips pattern does not contain libopenssl-3-fips-provider. This was fixed with the first update of the fips pattern in fips-20200124-150600.30.1
Could be you were still using pattern fips-20171206-12.3.1?
I can confirm that with a fresh unregistered install of minimal SLES15 SP6 in a VM the fips pattern does include libopenssl-3-fips-provider. Note I also used the Full Media1 ISO.
vbox:~ # zypper pattern-info fips
Loading repository data...
Reading installed packages...
Information for pattern fips:
-----------------------------
Repository : sle-module-basesystem
Name : fips
Version : 20200124-150600.30.1
Arch : x86_64
Vendor : SUSE LLC <https://www.suse.com/>
Installed : No
Visible to User : Yes
Summary : FIPS 140-3 specific packages
Description :
This pattern installs the FIPS 140-3 specific packages that complete the various
cryptographic modules in use. It is required if you want to run the
machine with "fips=1".
Please note that this pattern only enables FIPS 140-3 compliant operation, it does
not directly make the system FIPS 140-3 certified nor validated.
Please refer to SUSE official statements on the state of FIPS 140-3 certification.
Contents :
S | Name | Type | Dependency
--+----------------------------+---------+-----------
| dracut-fips | package | Required
| libopenssl-3-fips-provider | package | Required
| openssh-fips | package | Required
| patterns-base-fips | package | Required
| strongswan-hmac | package | Required
It's missing on AWS. I tried ALL of the available AMIs in a batch before (all of the SLES 15 SP6 x64/arm64 AMIs); libopenssl-3-fips-provider was not included in any of them.
zypper pattern-info fips
Loading repository data...
Reading installed packages...
Information for pattern fips:
-----------------------------
Repository : openSUSE-Leap-15.6-OSS
Name : fips
Version : 20200505-lp156.16.2
Arch : x86_64
Vendor : openSUSE
Installed : Yes
Visible to User : Yes
Summary : FIPS 140-3 specific packages
Description :
This pattern installs the FIPS 140-3 specific packages that complete the various
cryptographic modules in use. It is required if you want to run the
machine with "fips=1".
Please note that this pattern only enables FIPS 140-3 compliant operation, it does
not directly make the system FIPS 140-3 certified nor validated.
Please refer to SUSE official statements on the state of FIPS 140-3 certification.
Contents :
S | Name | Type | Dependency
---+-----------------------+---------+-----------
i | dracut-fips | package | Required
i | libcryptsetup12 | package | Required
| libcryptsetup12-32bit | package | Required
i | libfreebl3 | package | Required
| libfreebl3-32bit | package | Required
i | libgcrypt20 | package | Required
i | libgnutls30 | package | Required
| libgnutls30-32bit | package | Required
i | libopenssl1_1 | package | Required
| libopenssl1_1-32bit | package | Required
i | libsoftokn3 | package | Required
| libsoftokn3-32bit | package | Required
i | openssh-fips | package | Required
i+ | patterns-base-fips | package | Required
| strongswan-hmac | package | Required
This example is ami-094ad440cfa5d36d9, which is supposed to be “SUSE Linux Enterprise Server for SAP Applications 15 SP6”.
But it's using the openSUSE-Leap repository by default?