When installing CloudBees CI on modern cloud platforms in FIPS mode, only FIPS 140-2 compliant CloudBees Assurance Program (CAP) plugins are installed. Non-CAP plugins cannot be installed on a FIPS 140-2 compliant instance of CloudBees CI.
The Beekeeper Upgrade Assistant is FIPS 140-2 compliant and should be used to manage and upgrade the plugins in your FIPS 140-2 compliant CloudBees CI instance.
While most CAP plugins are FIPS 140-2 compliant, some CAP plugins are supported with limitations or not supported at all.
Compliant CAP plugins with caveats
The following table lists the CAP plugins that are FIPS 140-2 compliant but have caveats. The plugins may contain code or libraries that are not FIPS 140-2 compliant.
For example, a plugin may contain a dependency on a library and that library contains code that is not FIPS 140-2 compliant. If the plugin calls the non-compliant parts of the library, then the plugin is not considered FIPS 140-2 compliant. However, if the plugin does not call the non-compliant parts of the library, the plugin itself is still considered FIPS 140-2 compliant. Any script or pipeline using the plugin classes or the libraries contained in the plugin must avoid those non-compliant parts.
Plugin name | Known incompatibilities | ||
---|---|---|---|
The plugin code does not add any compliance limitations, but it does provide access to other plugins and libraries that have known limitations: This plugin uses the |
|||
The Ant plugin can execute any task, including the Java Task, which can be configured with arbitrary parameters. The plugin’s code runs inside the Jenkins agent’s JVM and the plugin’s code is FIPS 140-2 compliant. Refer to Configure the Apache™ Ant plugin for FIPS compliance to learn how to configure Ant within an agent. The Ant plugin typically executes Ant builds in |
|||
The Apache HttpComponents Client 4.x API plugin provides a shared dependency on the For FIPS 140-2 compliance, artifacts built upon the Apache HttpComponents Client 4.x API plugin should only use TLS 1.2 or 1.3 and FIPS-approved ciphers. When the CloudBees CI environment is in FIPS mode, do not use |
|||
The Apache HttpComponents Client 5.x API plugin provides a shared dependency on the For FIPS 140-2 compliance, plugins using the Apache HttpComponents Client 5.x API should only use TLS 1.2 or 1.3 and FIPS-approved ciphers. When the CloudBees CI environment is in FIPS mode, do not use |
|||
This plugin is compliant when it uses TLS to encrypt communications:
The plugin also provides access to the AWS Global Configuration and Apache HttpComponents Client 4.x API plugins, so the same caveats apply. Additionally, the plugin provides access to the Javax WS RS API or the Apache Tika Core libraries, which can only be used if SSL/TLS is properly configured and the cipher algorithm is compliant. |
|||
This plugin has a dependency on the AWS SDK for Java - Core (
This plugin also has a dependency on Apache HttpComponents Client 4.x API, which is also FIPS 140-2 compliant with caveats. |
|||
This plugin is only a wrapper, and the code is FIPS 140-2 compliant. It also specifies custom endpoints for EC2. This plugin defaults to HTTPS, but custom endpoints may use plain HTTP connections. When using this plugin with a custom endpoint, be sure to use TLS for FIPS compliance. The Amazon Web Services SDK::EC2 plugin also provides access to the Amazon Web Services SDK::Minimal plugin, and the caveats from that plugin regarding credentials stored in files apply to this plugin as well. |
|||
This plugin makes use of the AWS SDK for Java - Core ( |
|||
This plugin can define a custom endpoint by specifying the |
|||
This plugin includes the Hazelcast library, which is FIPS 140-2 compliant with caveats. The default cipher and encryption algorithms and the default |
|||
To authenticate the OpenShift instance, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
To make this plugin FIPS 140-2 compliant, verify that the |
|||
This plugin provides the Commons Lang v3.x to other Jenkins plugins. The generation of random numbers is not cryptographically secure and is not FIPS 140-2 compliant. |
|||
This plugin provides Apache Commons Text v1.x to Jenkins plugins. The generation of random strings is not cryptographically secure and is not FIPS 140-2 compliant. |
|||
This plugin permits the inclusion of files that may contain secrets. Because the managed configuration file is user-supplied, there is no guarantee that any secrets entered into the file will be FIPS 140-2 compliant. Be sure either to use credentials to store secrets or to ensure that the secret entered is FIPS 140-2 compliant. The plugin permits the inclusion of credentials by using the |
|||
This plugin can copy the artifact from the local disk and from a remote URL. If authentication is needed, credentials need to be included in the URL itself. If using the remote URL as the source of the artifacts, the URL must use TLS or not include any credential. |
|||
The code for this plugin is FIPS 140-2 compliant. However, it includes dependencies on the Elasticsearch Reporter Feeder plugin which needs TLS to be FIPS 140-2 compliant. |
|||
If the proxy in Jenkins is configured with credentials, the plugin needs to be protected by TLS to be FIPS 140-2 compliant. Additionally, do not configure the plugin to trust all certificates. |
|||
This plugin performs an HTTP request, including any credentials obtained from the Jenkins credential store. Therefore, it needs to be wrapped inside TLS to avoid credentials leakage and to be FIPS 140-2 compliant. |
|||
This plugin includes the Elasticsearch Reporter Configuration plugin. Therefore, the same limitations regarding TLS and trusting all certificates apply. |
|||
For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters. Any additional external service (Jira, Hipchat, etc.) must use TLS. |
|||
For authentication to an external service such as the GitLab server, use TLS. The password must be a minimum of 14 characters. |
|||
Only the OAuth 2.0 implementation is FIPS 140-2 compliant, so always use this plugin with OAuth2 OIDC providers. |
|||
For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
For authentication to an external service such as mail servers, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
For authentication to an external URL, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
It is possible to not configure a Kubernetes URL in this plugin. By doing so, the URL from the
|
|||
The MapDB plugin provides a shared dependency on the MapDB library so that other plugins can cooperate when using this library. MapDB allows data serialization to a file, but the files are not secured by MapDB. Therefore, if this functionality is used in a security context, it is important to ensure a FIPS-compliant security solution through other means. |
|||
For authentication, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
Apache MINA SSHD is a Java library that supports SSH protocols on both the client and server sides. When in FIPS mode, only the JVM security provider should be employed. In addition, only FIPS-approved algorithms validated by NIST FIPS 140-2 can be used. Specifically, for digital signature generation, only
|
|||
This plugin contains the server side SCP (secure copy) command handler and the SCP client code. It has a dependency on Mina SSHD API::Core plugin which is FIPS 140-2 compliant with a caveat. Therefore, the same caveat applies to this plugin. |
|||
The plugin code is FIPS 140-2 compliant; however, NodeJS must be version 6.0.0 or above and needs to start with |
|||
For authentication to the remote Elasticsearch instance, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
The plugin configures a URL to download a If credentials are used, the connection must be secured with TLS. |
|||
The code for this plugin runs inside the Jenkins agent’s JVM and is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is also FIPS 140-2 compliant. To configure and use the Pipeline Maven API plugin, refer to Configure the Pipeline Maven API plugin for FIPS compliance. |
|||
This plugin’s code that runs inside the Jenkins agent’s JVM is FIPS 140-2 compliant. However, the feature running Maven is only compliant if the JVM used by Maven is FIPS 140-2 compliant and all encryption used by Maven is FIPS 140-2 compliant.
|
|||
When using an Amazon S3 compatible storage system (OpenStack Swift, EMC Atmos, etc.), the AWS region must be FIPS 140-2 compliant. Amazon provides FIPS endpoints and only those should be used. If the default region is overridden, the endpoint must be FIPS 140-2 compliant and secured using TLS. |
|||
The plugin’s code is FIPS 140-2 compliant, but it includes the Apache Commons Net library. When using this library for authentication to an external service, use TLS or SSL. The password must be a minimum of 14 characters. |
|||
Some of the tools that this plugin configures (such as Axivion Suite) can configure the server URL and the credentials. When CloudBees CI on modern cloud platforms is in FIPS mode, ensure that TLS URLs are used for this plugin. |
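Several caveats in the table above reduce to the same checks on configured URLs: a URL that carries credentials must use TLS, custom EC2 or S3 endpoints must use TLS, and AWS-hosted endpoints must be FIPS endpoints. The following audit script is an added example, not CloudBees code. The setting labels, hostnames, and credentials are constructed samples, and treating a `-fips` host label as the marker of an AWS FIPS endpoint is an assumption of this example.

```python
from urllib.parse import urlsplit

# Constructed sample settings: (label, URL, is_aws_endpoint). None are real hosts.
SAMPLE_SETTINGS = [
    ("artifact-public", "http://repo.example.com/app.zip", False),
    ("artifact-creds", "http://build:example-password-123@repo.example.com/app.zip", False),
    ("artifact-creds-tls", "https://build:example-password-123@repo.example.com/app.zip", False),
    ("ec2-custom", "http://ec2.internal.example:8773/", True),
    ("s3-standard", "https://s3.us-east-1.amazonaws.com", True),
    ("s3-fips", "https://s3-fips.us-east-1.amazonaws.com", True),
]


def audit_url(url, aws_endpoint=False):
    """Return the list of FIPS-mode findings for one URL (empty list = passes)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    uses_tls = parts.scheme.lower() == "https"
    has_creds = parts.username is not None or parts.password is not None
    findings = []
    # Table rule: a URL may omit TLS only if it carries no credentials.
    if has_creds and not uses_tls:
        findings.append("credentials sent without TLS")
    if aws_endpoint:
        # Table rule: custom endpoints must be secured with TLS.
        if not uses_tls:
            findings.append("custom endpoint without TLS")
        # Assumption of this example: AWS FIPS endpoints carry a "-fips" host label.
        if host.endswith(".amazonaws.com") and not any(
            label.endswith("-fips") for label in host.split(".")
        ):
            findings.append("AWS endpoint is not a FIPS endpoint")
    return findings


def audit_settings(settings):
    """Map each failing setting label to its list of findings."""
    report = {}
    for label, url, is_aws in settings:
        findings = audit_url(url, aws_endpoint=is_aws)
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    for label, findings in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{label}: {'; '.join(findings)}")
```

An S3-compatible endpoint that is not hosted by AWS is only checked for TLS here; whether it is FIPS 140-2 compliant has to be confirmed with the storage vendor.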
Unsupported CAP plugins
While most of the CAP plugins are FIPS 140-2 compliant, the following CAP plugins are not:
None of the Blue Ocean plugins are supported when CloudBees CI on modern cloud platforms is in FIPS mode. |