EFM Prerequisites #7026

@Brandy-EDB

Description

Summary

Example depicts MD5 for communication between all of the nodes in the cluster.

The 5.1 release included:

Enhancement | Failover Manager was upgraded to use the Bouncy Castle cryptographic library version 2.1.1.

This version of the Bouncy Castle cryptographic library is FIPS 140-3 certified, which does not support MD5.

The 4.8 release included:

Enhancement | Encryption/decryption of database password will now work in a FIPS environment.

Where did you see the problem?

https://www.enterprisedb.com/docs/efm/latest/installing/prerequisites/#modify-pg_hbaconf

Expected behavior

Suggest to change to depict the ability to use secure authentication methods. Passwords should be encrypted with FIPS-compliant methods like scram-sha-256. Avoid older, non-compliant methods like md5.

# TYPE  DATABASE        USER            CIDR-ADDRESS            METHOD          [OPTIONS]

# Allow local connections (optional, adjust as needed)
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256

# Allow communication between cluster nodes, enforcing SSL and FIPS-compliant auth
# Replace with actual IP ranges and specific user/database names if necessary
hostssl all             all             10.0.0.0/8              scram-sha-256   clientcert=1

hostssl: Requires the connection to use SSL encryption.
clientcert=1: Optionally requires the client to present a valid SSL certificate, which can be part of a robust FIPS-compliant PKI setup for authentication.

Screenshots

No response

Browser / Platform

No response

Additional notes

Having clear guidance on what configurations should be set to run in a FIPS environment would be helpful - all together on one page.

FIPS 140-3 Configuration Questions

  1. General FIPS Compliance and Support
  • What are the official EDB requirements or prerequisites (OS, EFM version, database version) for running EFM in a FIPS 140-3-compliant setup?

  • Is there a specific FIPS mode flag or configuration parameter within EFM that needs to be enabled?

  2. Cryptography and Communication Security (SSL/TLS)

(This relates directly to the documentation section: "Configuring SSL authentication on a Failover Manager cluster")

  • Does EFM utilize the underlying operating system's FIPS 140-3 validated cryptographic module (e.g., OpenSSL FIPS mode) for all network communications (agent-to-agent, agent-to-database, and application-to-database connections)?

  • What TLS protocols (e.g., TLS 1.2, TLS 1.3) and FIPS-approved cipher suites are supported and required for secure inter-cluster communication?

  • How is key and certificate management handled securely within EFM to meet FIPS requirements for key generation, storage, and access control?

  • Are there any non-FIPS-compliant algorithms or legacy protocols that must be explicitly disabled in the EFM configuration?

  3. Database Connectivity and Replication
  • What specific PostgreSQL/EDB Postgres Advanced Server configuration settings (e.g., ssl_ciphers, ssl_cert_file) must be aligned with FIPS 140-3 standards to ensure EFM's connectivity to the primary and standby nodes is compliant?
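
The pg_hba.conf change requested above can be checked mechanically before a cluster is moved into a FIPS environment. The following is an added example, not code from the issue or from EDB: a small auditor that flags records still using md5 (or other weak methods) and non-loopback records that do not require TLS. The `WEAK_METHODS` policy set, the finding names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample; the last hostssl line follows the issue's suggestion.
SAMPLE = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS              METHOD         [OPTIONS]
host    all       all   127.0.0.1/32              scram-sha-256
host    all       efm   10.0.0.0/8                md5
host    all       efm   10.1.2.3 255.255.255.255  md5
hostssl all       all   10.0.0.0/8                scram-sha-256  clientcert=1
local   all       all                             peer
"""

# Policy assumed for this example: methods to reject in a FIPS deployment.
WEAK_METHODS = {"md5", "password", "trust"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def _is_loopback(addr):
    try:
        return ipaddress.ip_network(addr, strict=False).network_address.is_loopback
    except ValueError:
        return False  # hostname or keyword (all, samehost, samenet)

def audit(text):
    """Return (line number, finding) pairs for one pg_hba.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not (fields[0] == "local" or fields[0].startswith("host")):
            continue
        kind, addr, rest = fields[0], None, fields[3:]
        if kind != "local" and rest:
            addr, rest = rest[0], rest[1:]
            if rest and _is_ip(rest[0]):  # separate netmask column
                rest = rest[1:]
        if not rest:
            continue  # malformed or truncated record
        if rest[0] in WEAK_METHODS:
            findings.append((lineno, "weak-method:" + rest[0]))
        if kind in ("host", "hostnossl") and not _is_loopback(addr):
            findings.append((lineno, "tls-not-required"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```

The parser splits on whitespace and does not handle quoted fields or include directives, so treat a clean result on a file that uses those as incomplete.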
