From 837ecdf470178047ec6eb1fc4c1a14cdab2c7a36 Mon Sep 17 00:00:00 2001 From: Rajan Patel Date: Sun, 21 Sep 2025 05:56:21 -0400 Subject: [PATCH 1/5] Clarify FIPS-compliant Landscape deployment details --- .../install-on-fips-compliant-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md index 8f778ad0..9fa11806 100644 --- a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md +++ b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md @@ -1,7 +1,7 @@ (how-to-install-fips-compliant)= # How to install on FIPS-compliant machines -This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. +This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. Single machine deployments, such as Landscape Quickstart, are not suitable for managing Ubuntu estates larger than several hundred machines when FIPS is enabled. The FIPS compliant openssl 3.0 package has a security configuration that incorporates delays, which introduces an upper bound to Landscape's ability to communicate with many machines when FIPS is enabled. When deploying Landscape with Juju, the openssl 3.0 component can be deployed in a horizontally scalable manner, removing the upper bound associated with a single machine deployment. ## Install and configure Landscape for FIPS-compliant deployments From 6d6db6ee818710cde52cea2abb0895e350c1496c Mon Sep 17 00:00:00 2001 From: Rajan Patel Date: Tue, 21 Oct 2025 21:24:39 -0400 Subject: [PATCH 2/5] Update docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md Accepting Yanisa's suggestion Co-authored-by: Yanisa Haley Scherber --- .../install-on-fips-compliant-machines.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md index 9fa11806..3ef89956 100644 --- a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md +++ b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md @@ -1,7 +1,9 @@ (how-to-install-fips-compliant)= # How to install on FIPS-compliant machines -This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. Single machine deployments, such as Landscape Quickstart, are not suitable for managing Ubuntu estates larger than several hundred machines when FIPS is enabled. The FIPS compliant openssl 3.0 package has a security configuration that incorporates delays, which introduces an upper bound to Landscape's ability to communicate with many machines when FIPS is enabled. When deploying Landscape with Juju, the openssl 3.0 component can be deployed in a horizontally scalable manner, removing the upper bound associated with a single machine deployment. +This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. + +Note that for FIPS-compliant deployments, Landscape Quickstart isn't suitable for large estates (over a few hundred machines). This is due to some performance configuration introduced by the `openssl` 3.0 package which incorporates delays. To manage a large, FIPS-compliant estate, use the Juju deployment method, which allows for horizontal scaling to overcome this limitation. ## Install and configure Landscape for FIPS-compliant deployments From a980540ac2959980c4744b97c28e81ccc616721d Mon Sep 17 00:00:00 2001 From: Rajan Patel Date: Thu, 20 Nov 2025 16:42:54 -0500 Subject: [PATCH 3/5] revise title for improved clarity --- .../install-on-fips-compliant-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md index 3ef89956..41fed9b8 100644 --- a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md +++ b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md @@ -1,5 +1,5 @@ (how-to-install-fips-compliant)= -# How to install on FIPS-compliant machines +# How to install a FIPS-compliant Landscape Server This document provides the Landscape-specific steps needed for a FIPS-compliant Landscape deployment. The FIPS-compliant process is quite similar to the standard installation process. From 60012c216479de9f09e954b4b0cf247c341436ff Mon Sep 17 00:00:00 2001 From: Rajan Patel Date: Thu, 20 Nov 2025 16:56:51 -0500 Subject: [PATCH 4/5] Update install-on-fips-compliant-machines.md add juju checklist --- .../install-on-fips-compliant-machines.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md index 41fed9b8..3223a8b1 100644 --- a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md +++ b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md @@ -5,7 +5,7 @@ This document provides the Landscape-specific steps needed for a FIPS-compliant Note that for FIPS-compliant deployments, Landscape Quickstart isn't suitable for large estates (over a few hundred machines). This is due to some performance configuration introduced by the `openssl` 3.0 package which incorporates delays. To manage a large, FIPS-compliant estate, use the Juju deployment method, which allows for horizontal scaling to overcome this limitation. -## Install and configure Landscape for FIPS-compliant deployments +## The FIPS-compliant Landscape Quickstart checklist Use the {ref}`Quickstart ` or {ref}`Manual ` installation guides, with the following changes: @@ -25,6 +25,26 @@ If you're {ref}`configuring Postfix for emails `, add By default, Postfix uses MD5 hashes with the TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS. +## The FIPS-compliant Juju Landscape deployment checklist + +- Specify that FIPS should be enabled within a cloud-init.yaml file + + ```yaml + #cloud-config + ubuntu_pro: + token: + enable: + - fips-updates + ``` + +- Ensure that every new machine Juju provisions in this model will have FIPS enabled at first boot, by using this cloud-init.yaml file as the model config in Juju: + + ```bash + juju model-config --file cloudinit-userdata.yaml + ``` + +- Follow the [Juju installation steps](../juju-installation/). + ## Related topics Outside of Landscape, there are additional steps you may need when setting up your full FIPS-compliant deployment. See the following related topics: From 1e504890b5faf754b411463a463c9a7f40ba30c8 Mon Sep 17 00:00:00 2001 From: Rajan Patel Date: Thu, 20 Nov 2025 16:57:52 -0500 Subject: [PATCH 5/5] Update install-on-fips-compliant-machines.md clean mangled titles --- .../install-on-fips-compliant-machines.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md index 3223a8b1..c2e3fd10 100644 --- a/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md +++ b/docs/how-to-guides/landscape-installation-and-set-up/install-on-fips-compliant-machines.md @@ -5,7 +5,7 @@ This document provides the Landscape-specific steps needed for a FIPS-compliant Note that for FIPS-compliant deployments, Landscape Quickstart isn't suitable for large estates (over a few hundred machines). This is due to some performance configuration introduced by the `openssl` 3.0 package which incorporates delays. To manage a large, FIPS-compliant estate, use the Juju deployment method, which allows for horizontal scaling to overcome this limitation. -## The FIPS-compliant Landscape Quickstart checklist +## The FIPS-compliant Landscape Quickstart deployment checklist Use the {ref}`Quickstart ` or {ref}`Manual ` installation guides, with the following changes: @@ -25,7 +25,7 @@ If you're {ref}`configuring Postfix for emails `, add By default, Postfix uses MD5 hashes with the TLS for backward compatibility. In FIPS mode, the MD5 hashing function is not available. SHA-256 is a secure cryptographic hash function that can be used with FIPS. -## The FIPS-compliant Juju Landscape deployment checklist +## The FIPS-compliant Landscape Juju deployment checklist - Specify that FIPS should be enabled within a cloud-init.yaml file