Howdy!
We’re going through a new site stand-up, and the local Security Folks prefer integration with Active Directory (local domain). However, our application also requires FIPS mode.
Our kickstart during the builds (~72 servers) enabled FIPS and Cockpit. However, the AD integration in Cockpit gives an error when trying to join the domain with FIPS mode enabled.
If I disable FIPS mode via crypto policy, I can join. But I can’t go back to FIPS mode without SSH breaking.
Is there a best practice for the FIPS-required type of folks? I can probably request a deviation for disabling EMS, but not for FIPS as a whole.
I’ve seen some mention of using:
update-crypto-policies --set FIPS:AD-SUPPORT:NO-ENFORCE-EMS
- Is this correct syntax for Rocky 9.4?
- Does this do what I think I need done?
- How would I engage this during install via kickstart for future installs? Just add it to a %post section?
Thank You!
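An added helper, not from the original post or from Rocky/crypto-policies itself, of the kind a %post section or a later config-check job could run: it applies the policy line quoted above and then verifies that the resulting policy name (read from /etc/crypto-policies/state/current) has the FIPS base policy plus both subpolicies, so a host that silently fell back to DEFAULT is caught. The function names and the --apply switch are my own choices.

```shell
#!/bin/bash
# Hypothetical helper (not from the forum post): verify that a host's
# crypto-policies state is "FIPS" with the AD-SUPPORT and NO-ENFORCE-EMS
# subpolicies, and optionally apply that policy first (for a kickstart %post).
REQUIRED_BASE="FIPS"
REQUIRED_SUBS="AD-SUPPORT NO-ENFORCE-EMS"
STATE_FILE="/etc/crypto-policies/state/current"

# check_policy "<policy string>"
# A policy string looks like BASE[:SUB[:SUB...]], e.g. FIPS:AD-SUPPORT:NO-ENFORCE-EMS.
# Returns 0 when the base is FIPS and every required subpolicy is present
# (order does not matter), 1 otherwise, with the reason on stderr.
check_policy() {
    local policy="$1" base rest sub
    base="${policy%%:*}"            # text before the first ':'
    rest="${policy#"$base"}"        # everything after the base ...
    rest="${rest#:}"                # ... minus the leading ':'
    if [ "$base" != "$REQUIRED_BASE" ]; then
        echo "base policy is '${base:-<empty>}', expected '$REQUIRED_BASE'" >&2
        return 1
    fi
    for sub in $REQUIRED_SUBS; do
        case ":$rest:" in
            *":$sub:"*) ;;                               # subpolicy present
            *) echo "missing subpolicy '$sub'" >&2; return 1 ;;
        esac
    done
    return 0
}

# current_policy: prints the policy name recorded by update-crypto-policies.
# Only meaningful on a Rocky/RHEL 9 host; empty elsewhere.
current_policy() {
    cat "$STATE_FILE" 2>/dev/null
}

# apply_policy: set the policy asked about in the post, then re-check the
# recorded state. Intended for a %post section run as root.
apply_policy() {
    update-crypto-policies --set "FIPS:AD-SUPPORT:NO-ENFORCE-EMS" || return 1
    check_policy "$(current_policy)"
}

# Run "./fips-policy-check.sh --apply" in %post; with no argument it only
# audits the current state of the machine it runs on.
case "${1:-}" in
    --apply) apply_policy ;;
    --check) check_policy "$(current_policy)" ;;
esac
```

With `--check` the exit status (0 compliant, 1 not) makes the script usable from a cron job or a configuration-management run across the ~72 servers.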