How-to enable FIPS mode (Ubuntu)

Owned by Matthew Hierholzer
Last updated: Oct 31, 2024

Proceed with caution, as Checkmk does not currently support FIPS configurations.

This article is a workaround only!

LAST TESTED ON CHECKMK 2.2.0P1

Table of Contents


Step-by-step guide


FIPS mode is only available via an Ubuntu Pro subscription. A $25/yr/Desktop type subscription was used for this demonstration.

More information on attaching an Ubuntu Pro subscription can be found here:
https://ubuntu.com/server/docs/install/subscription


  1. You can use the following instructions to enable FIPS on Ubuntu systems:
    https://ubuntu.com/security/certifications/docs/fips-enablement

    Please note that the above process is not supported by Checkmk. If there is a problem enabling FIPS on Ubuntu, you will need to reach out to Ubuntu support.


    .

  2. Now reboot the system. Here you can see that FIPS mode has been activated.

    Screenshot of ubuntu booting in fips mode

    You should reboot to this prompt.

    Checking kernel image: /boot/vmlinuz-5.4.0-1007-fips
FIPS check done
done.

Welcome to Ubuntu 20.04.05 LTS!

    .

  3. Now you can register this host with the Checkmk Agent for monitoring.

    [user@ubuntuhost ~]$ sudo cmk-agent-ctl register --site mysite --hostname ubuntuhost --server 192.168.0.15
user cmkadnin
Attempting to register at 192.168.0.15:8000/mysite. Server certificate details:

PEM-encoded certificate:
-----BEGIN CERTIFICATE-
MIICBTCCAdNgAWIBAGIUaCklbywn@E@BULRn?kqEHqlVEeEWDQYJKOZIhVCNAQEL
BQAWJTEJNCEGALUEAwwaU2l0ZSAnb₩9uaXRvcmlUZycgbG9jYWwgQOEWIBCNMjIx
MDEOMDMWNDA4WhgPMZAYNTAYNTQWMZAOMDhaMBUXEZARB9NVBAMMCm1vbml0b3Jp
brcwggELMAOGCSqGSIb3DQEBAQUAA4IBDWAWg9 EKAOIBAQCtbbso58PYU42KSDNW
FZAjJKg5qiqcAYrduend2gSp]GuUWptNxJyixlBxpőkCi1tB5GQqlJaKVFNDWXn/
fQ4NTbp5EUHoWkKZxPwbVTcF5VSHelaanOywLSDGEG9SXAI9CeuvvsSGbxeRMUEW
OgAefi057749f2+L6ejsSn7ARnNxKO+LLBMGMpPd+IZ3VW7gNEYQQ/j+UYQZO2I
340k+4Zn5D12UtwOP/R7q9DEAJd6k@USonur9KőukTK+c7st92zjskcqrtUWLW9W
7BOdsSbXEBSC1hY9LFZMAWÞYKDocArVxT4mP2UEnq/MtqhCoW+GqRJK/nkFytAbf
HpWdAgMBAAGj JZALMBUGA1UdEQQOMAyCCm1vbml0b3JpbmcWDAYDVROTAQH/BAIW
ADANBgkqhkiG9WOBAQSFAAOCAQEAdkn/3+QArR+5LOvy28MIUG1IefDWX/KBZ7q/
3rF1AKovaanGfu9UQZTH2jUhZiU@c4E1oqsVs4MVofgbf7jNr/Ae6okPPOa3YS4T
NWX85nĐe2qBXdQPy6VPROSDU3P79MYHIH35vdb0+nvHQQ08s/I2MEr+KjUSOe6VC
3/5kvNuYsItspi3Gr41TiRzwFEelASv9nxnc3X8Lh+2uB1Y2fyG9y0/eleklg9+i
n₩lwBbky4dBb¥1p+9yuioyu/+vGIFotaqxoJ6GkEyk3P8Vyi/jcdItKsFUtFanqy
XCxxuPpc9/SivPr9kvWjfQTAJKga012OLbMMUZNuyGuQhogj8g==
-END CERTIFICATE--

Issued by:
	Site "mysite' local CA
Issued to:
	mysite
Validity:
	From Fri, 14 Oct 2022 03:04:08 +0000
	To   Wed, 14 Feb 3021 03:04:08 +0000

Do you want to establish this connectton? [Y/n]
>Y

Please enter password for 'cmkadmin'
> 
[user@ubuntuhost ~]$

    Successful registration after FIPS mode enabled


    Monitored host with FIPS enabled

    Screenshot of ubuntu host with fips mode enabled and Check_mk service status at OK