AD Integration (Server 2022) + FIPS

Howdy!

We’re going through a new site stand-up, and the local security folks prefer integration with Active Directory (local domain). However, our application also requires FIPS mode.

Our kickstart during the builds (~72 servers) enabled FIPS and Cockpit. However, the AD integration in Cockpit gives an error when trying to join the domain with FIPS mode enabled.

If I disable FIPS mode via the crypto policy, I can join. But I can’t go back to FIPS mode without SSH breaking.

Is there a best practice for the FIPS-required folks? I can probably request a deviation for disabling EMS, but not for FIPS as a whole.

I’ve seen some mention of using:

update-crypto-policies --set FIPS:AD-SUPPORT:NO-ENFORCE-EMS

  1. Is this correct syntax for Rocky 9.4?
  2. Does this do what I think I need done?
  3. How would I engage this during install via kickstart for future installs? Just add it to a %post section?

Thank You!
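As an added example (not from the original post and not Rocky project code), here is what the body of a kickstart %post section could look like for question 3: it layers the AD-SUPPORT and NO-ENFORCE-EMS subpolicies on top of FIPS with the exact command line quoted in the post, then checks that the resulting policy is really what was asked for. It assumes Rocky Linux 9.4 with the crypto-policies-scripts package installed and FIPS already enabled by the kickstart as the post describes; the helper names policy_is_expected and apply_policy are mine, and the log path in the comment is only a suggestion.

```bash
#!/bin/bash
# Added example, not the poster's kickstart. Use it as the body of a %post
# section, e.g.
#   %post --log=/root/ks-post-crypto.log   (assumed path)
#   ... this script ...
#   %end
# Assumes Rocky Linux 9.4 with crypto-policies-scripts present and FIPS
# already enabled by the kickstart (fips=1 on the installer command line).

POLICY="FIPS:AD-SUPPORT:NO-ENFORCE-EMS"   # the policy string asked about in the post

# policy_is_expected SHOWN
# Validate the output of `update-crypto-policies --show`: the base policy must
# still be FIPS (DEFAULT:AD-SUPPORT would silently drop FIPS) and both
# subpolicies must be layered on it. Returns 0 only when all three hold.
policy_is_expected() {
    local shown="$1"
    case "$shown" in
        FIPS|FIPS:*) ;;          # base policy is FIPS
        *) return 1 ;;
    esac
    # Wrap in colons so each subpolicy is matched as a whole token.
    case ":$shown:" in
        *:AD-SUPPORT:*) ;;       # Kerberos encryption types Active Directory relies on
        *) return 1 ;;
    esac
    case ":$shown:" in
        *:NO-ENFORCE-EMS:*) ;;   # stop rejecting TLS 1.2 peers without Extended Master Secret
        *) return 1 ;;
    esac
    return 0
}

# fips_kernel_enabled
# Returns 0 when the running kernel reports FIPS mode; /proc is available
# inside the %post chroot, so this reflects the installer kernel's state.
fips_kernel_enabled() {
    [ -r /proc/sys/crypto/fips_enabled ] && [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

# apply_policy
# Set the layered policy, confirm it was accepted, and confirm the generated
# back-end configuration files match it. Non-zero exit lands in the %post log.
apply_policy() {
    if ! fips_kernel_enabled; then
        echo "warning: kernel is not in FIPS mode; policy will still be written" >&2
    fi
    update-crypto-policies --set "$POLICY"
    local shown
    shown=$(update-crypto-policies --show)
    if ! policy_is_expected "$shown"; then
        echo "unexpected crypto policy after --set: $shown" >&2
        return 1
    fi
    # Fails if any generated config under /etc/crypto-policies/back-ends was
    # edited by hand, which is the usual reason a policy "does not stick".
    update-crypto-policies --check
    echo "crypto policy is now $shown"
}

# Only touch the system when the real tools exist (inside %post on a Rocky
# host); sourcing this file elsewhere just defines the functions.
if command -v update-crypto-policies >/dev/null 2>&1; then
    apply_policy
fi
```

The point of doing this in %post is that the subpolicies are in place before the first domain join, so FIPS never has to be toggled off and back on (which is what left SSH broken in the post). The join itself is then done after the first boot, through Cockpit or `realm join`, with the policy already set.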