CAP plugin support in a FIPS 140-2 environment


When CloudBees CI on modern cloud platforms is installed in FIPS mode, only the FIPS 140-2 compliant CloudBees Assurance Program (CAP) plugins are installed with it. Non-CAP plugins cannot be installed on a FIPS 140-2 compliant instance of CloudBees CI.

The Beekeeper Upgrade Assistant is FIPS 140-2 compliant and should be used to manage and upgrade the plugins in your FIPS 140-2 compliant CloudBees CI instance.

While most CAP plugins are FIPS 140-2 compliant, some CAP plugins are supported only with limitations or are not supported at all.

Compliant CAP plugins with caveats

The following table lists the CAP plugins that are FIPS 140-2 compliant but have caveats. The plugins may contain code or libraries that are not FIPS 140-2 compliant.

For example, a plugin may contain a dependency on a library and that library contains code that is not FIPS 140-2 compliant. If the plugin calls the non-compliant parts of the library, then the plugin is not considered FIPS 140-2 compliant. However, if the plugin does not call the non-compliant parts of the library, the plugin itself is still considered FIPS 140-2 compliant. Any script or pipeline using the plugin classes or the libraries contained in the plugin must avoid those non-compliant parts.

Table 1. FIPS 140-2 compliant plugins with caveats
Plugin name Known incompatibilities

The plugin code does not add any compliance limitations, but it does provide access to other plugins and libraries that have known limitations:

This plugin uses the pmd-core library, which defines a JDBC connection URL including credentials. The JDBC driver must be configured to use TLS.

The Ant plugin can execute any task, including the Java Task, which can be configured with arbitrary parameters. The plugin’s code runs inside the Jenkins agent’s JVM and the plugin’s code is FIPS 140-2 compliant. Refer to Configure the Apache™ Ant plugin for FIPS compliance to learn how to configure Ant within an agent.

The Ant plugin typically executes Ant builds defined in build.xml. Therefore, any operation executed within an Ant task may not be FIPS compliant (for example, the Mail Task can define a password and an insecure URL). Verify that the tasks executed inside any Ant build are FIPS compliant.

The Apache HttpComponents Client 4.x API plugin provides a shared dependency on the httpcomponents-client, httpcomponents-core, and httpcomponents-asyncclient components of the Apache HttpComponents project.

For FIPS 140-2 compliance, artifacts built upon the Apache HttpComponents Client 4.x API plugin should only use TLS 1.2 or 1.3 and FIPS-approved ciphers. When the CloudBees CI environment is in FIPS mode, do not use http URLs when including credentials in requests.

The Apache HttpComponents Client 5.x API plugin provides a shared dependency on the httpclient5 and related lower-level libraries in httpcore5.

For FIPS 140-2 compliance, plugins using the Apache HttpComponents Client 5.x API should only use TLS 1.2 or 1.3 and FIPS-approved ciphers. When the CloudBees CI environment is in FIPS mode, do not use http URLs when including credentials in requests.
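The following is an added example, not code from CloudBees or from either HttpComponents plugin, of how code built on the HttpComponents Client 4.x API can enforce the two caveats above (TLS 1.2/1.3 with FIPS-approved cipher suites only, and no credentials over plain http or embedded in the URL); the same URL check covers the later caveats about URLs of the form `http://user:passw@server:port/`. The class name `FipsHttpClientFactory` and its methods are hypothetical; the cipher suite names are standard JSSE names.

```java
import java.net.URI;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;

/** Hypothetical helper (added example, not part of any CloudBees or Jenkins plugin). */
public final class FipsHttpClientFactory {
    // Only TLS 1.2/1.3 and AES-GCM suites with ECDHE key exchange are offered to the server.
    private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    private static final String[] CIPHERS = {
        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Rejects URLs that embed credentials and non-https URLs when credentials are attached. */
    public static URI checkTarget(URI target, boolean hasCredentials) {
        if (target.getUserInfo() != null) {
            throw new IllegalArgumentException("credentials embedded in URL: " + target);
        }
        if (hasCredentials && !"https".equalsIgnoreCase(target.getScheme())) {
            throw new IllegalArgumentException("credentials require https: " + target);
        }
        return target;
    }

    public static CloseableHttpClient build(URI target, String user, char[] password) throws Exception {
        boolean hasCredentials = user != null;
        checkTarget(target, hasCredentials);
        SSLContext ctx = SSLContext.getInstance("TLS"); // backed by the JVM's (FIPS) security provider
        ctx.init(null, null, null);                      // default key/trust managers, default SecureRandom
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(
            ctx, PROTOCOLS, CIPHERS, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        HttpClientBuilder builder = HttpClients.custom().setSSLSocketFactory(sslFactory);
        if (hasCredentials) { // credentials are scoped to the checked https host, never placed in the URL
            CredentialsProvider creds = new BasicCredentialsProvider();
            creds.setCredentials(
                new AuthScope(new HttpHost(target.getHost(), target.getPort(), target.getScheme())),
                new UsernamePasswordCredentials(user, new String(password)));
            builder.setDefaultCredentialsProvider(creds);
        }
        return builder.build();
    }
}
```

Note that the hostname verifier is the default one, so this client does not trust all certificates, which is the other caveat repeated for the Elasticsearch plugins below.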

This plugin is compliant when it uses TLS to encrypt communications:

  • In the UI, go to Manage Jenkins > System > Artifact Management for Builds to configure the following settings:

    • Define the Use Insecure HTTP as false so the plugin cannot use insecure HTTP connections with the useHTTP parameter.

    • Optionally, define a Custom Endpoint for the S3 bucket URL. That URL will use the protocol defined by the useHTTP parameter.

The plugin also provides access to the AWS Global Configuration and Apache HttpComponents Client 4.x API plugins, so the same caveats apply.

Additionally, the plugin provides access to the Javax WS RS API and Apache Tika Core libraries, which can only be used if SSL/TLS is properly configured and the cipher algorithm is compliant.

This plugin has a dependency on the AWS SDK for Java - Core (aws-java-sdk-core) library, which is FIPS 140-2 compliant with the following caveat:

  • All credentials, keys, IDs, etc. are loaded from the locations defined in the properties files, so the contents of those files must themselves be FIPS 140-2 compliant.

This plugin also has a dependency on the Apache HttpComponents Client 4.x API plugin, which is also FIPS 140-2 compliant with caveats.

This plugin is only a wrapper, and its code is FIPS 140-2 compliant. It also allows custom endpoints to be specified for EC2. Although this plugin defaults to HTTPS, custom endpoints may use plain HTTP connections. When using this plugin with a custom endpoint, be sure to use TLS for FIPS compliance.

The Amazon Web Services SDK::EC2 plugin also provides access to the Amazon Web Services SDK::Minimal plugin and the caveats from that plugin apply to this plugin in regard to credentials stored in files.

This plugin makes use of the AWS SDK for Java - Core (aws-java-sdk-core) library, which is compliant with caveats. The plugin can read credentials from a file in the local file system and override the default location with the AWS_CREDENTIAL_PROFILES_FILE environment variable. When using a local file to store credentials, make sure the contents of the file are FIPS 140-2 compliant.

This plugin can define a custom endpoint by specifying the AWS_DEFAULT_PROFILE. This endpoint must be protected by TLS to be FIPS 140-2 compliant.

This plugin includes the Hazelcast library, which is FIPS 140-2 compliant with caveats.

The default cipher and encryption algorithms and the default JKS keystore in the library are FIPS 140-2 compliant. However, they can be replaced through properties files. Make sure any replacement values are FIPS 140-2 compliant.

To authenticate to the OpenShift instance, use TLS or SSL. The password must be a minimum of 14 characters.

To make this plugin FIPS 140-2 compliant, verify that the useHttp property on the Artifact Management for Builds section of the System configuration page is set to false.

This plugin provides the Commons Lang v3.x to other Jenkins plugins. The generation of random numbers is not cryptographically secure and is not FIPS 140-2 compliant.

This plugin provides Apache Commons Text v1.x to Jenkins plugins. The generation of random strings is not cryptographically secure and is not FIPS 140-2 compliant.

This plugin permits the inclusion of files that may contain secrets. Because the managed configuration file is user supplied, there is no guarantee that any secrets entered into the file are FIPS 140-2 compliant. Be sure either to store secrets as credentials or to verify that any secret entered directly is FIPS 140-2 compliant.

The plugin permits the inclusion of credentials through the credentials or ssh-credentials classes, which keeps the plugin FIPS 140-2 compliant.

This plugin can copy the artifact from the local disk or from a remote URL. If authentication is needed, the credentials must be included in the URL itself. If using a remote URL as the source of the artifacts, the URL must use TLS or must not include any credential.

The code for this plugin is FIPS 140-2 compliant. However, it includes dependencies on the Elasticsearch Reporter Feeder plugin which needs TLS to be FIPS 140-2 compliant.

If the proxy in Jenkins is configured with credentials, the plugin needs to be protected by TLS to be FIPS 140-2 compliant. Additionally, do not configure the plugin to trust all certificates.

This plugin performs an HTTP request, including any credentials obtained from the Jenkins credential store. Therefore, it needs to be wrapped inside TLS to avoid credentials leakage and to be FIPS 140-2 compliant.

This plugin includes the Elasticsearch Reporter Configuration plugin. Therefore, the same limitations regarding TLS and trusting all certificates apply.

For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters. Any additional external service (Jira, Hipchat, etc.) must use TLS.

For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters.

Only the OAuth 2.0 implementation is FIPS 140-2 compliant, so always use this plugin with OAuth 2.0 OIDC providers.

For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters.

For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters.

For authentication to an external URL, use TLS or SSL. The password must be a minimum of 14 characters.

It is possible to leave the Kubernetes URL unconfigured in this plugin. In that case, the URL from the kubeconfig file is used.

When no URL is configured directly in the plugin, the URL in the kubeconfig file must use TLS to be FIPS 140-2 compliant.

The MapDB plugin provides a shared dependency on the MapDB library so that other plugins can cooperate when using this library. MapDB allows data to be serialized to a file, but MapDB does not secure those files. Therefore, if this functionality is used in a security context, a FIPS compliant security solution must be ensured through other means.

For authentication, use TLS or SSL. The password must be a minimum of 14 characters.

Apache MINA SSHD is a Java library that supports SSH protocols on both the client and server sides. When in FIPS mode, only the JVM security provider should be employed. In addition, only FIPS-approved algorithms validated by NIST FIPS 140-2 can be used.

Specifically, for digital signature generation, only the RSA and ECDSA algorithms shall be employed, in accordance with sections 14.1.2 and 14.1.3 of the aforementioned guide.

This is due to the FIPS 186-5 specification, which indicates that DSA is no longer approved for digital signature generation, but may be used to verify signatures generated prior to the implementation date of that standard.

This plugin contains the server-side SCP (secure copy) command handler and the SCP client code. It has a dependency on the Mina SSHD API::Core plugin, which is FIPS 140-2 compliant with a caveat. Therefore, the same caveat applies to this plugin.

The plugin code is FIPS 140-2 compliant; however, NodeJS must be version 6.0.0 or above and must be started with --enable-fips or --force-fips.

For authentication to the remote Elasticsearch instance, use TLS or SSL. The password must be a minimum of 14 characters.

The plugin configures a URL to download a .zip or .tar.gz file containing the tool. The URL accepts the pattern http://user:passw@server:port/, which means credentials can be used without TLS.

If credentials are used, the connection must be secured with TLS.

The code for this plugin runs inside the Jenkins agent’s JVM and is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is also FIPS 140-2 compliant. To configure and use the Pipeline Maven API plugin, refer to Configure the Pipeline Maven API plugin for FIPS compliance.

This plugin’s code that runs inside the Jenkins agent’s JVM is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is FIPS 140-2 compliant.

Because Maven is installed by the installer, any private key supplied by the user for it is out of scope for the CloudBees CI product.

When using an Amazon S3 compatible storage system (OpenStack Swift, EMC Atmos, etc.), the AWS region must be FIPS 140-2 compliant. Amazon provides FIPS endpoints, and only those should be used. If the default region is overridden, the endpoint must be FIPS 140-2 compliant and secured using TLS.

The plugin’s code is FIPS 140-2 compliant, but it includes the Apache Commons Net library. When using this library for authentication to an external service, use TLS or SSL. The password must be a minimum of 14 characters.

Some of the tools that this plugin configures (such as Axivion Suite) can configure the server URL and the credentials. When CloudBees CI on modern cloud platforms is in FIPS mode, ensure that TLS URLs are used for this plugin.

In August 2020, the Jenkins project voted to replace the term master with controller. We have taken a pragmatic approach to cleaning these up, ensuring the least amount of downstream impact as possible. CloudBees is committed to ensuring a culture and environment of inclusiveness and acceptance - this includes ensuring the changes are not just cosmetic ones, but pervasive. As this change happens, please note that the term master has been replaced through the latest versions of the CloudBees documentation with controller (as in managed controller, client controller, team controller) except when still used in the UI or in code.