diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index f554aa2004..b416fea2ce 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
@@ -5,6 +5,9 @@ ARG DOCKER_UPSTREAM_TAG
ARG GOLANG_VERSION
ARG UBI_MINIMAL_VERSION
ARG OPENSSL_VERSION
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
FROM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe
RUN useradd --no-log-init --create-home --shell /bin/bash appuser
@@ -24,6 +27,10 @@ FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH
ARG OPENSSL_VERSION
ARG PROJECT_VERSION
ARG ARTIFACT_ID
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION
+ARG FINDUTILS_VERSION
+ARG HOSTNAME_VERSION
+ARG TEMURIN_JDK_VERSION
# Remember where we came from
LABEL io.confluent.docker.git.repo="confluentinc/common-docker"
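Review bot: The four version ARGs added to the REFRESH stage have no default and nothing verifies they were supplied, so a build run without `--build-arg TEMURIN_JDK_VERSION=...` (or the other three) expands `"temurin-21-jre${TEMURIN_JDK_VERSION}"` in the install step of the next hunk to an unpinned name and silently takes whatever the Adoptium repo currently serves; the `=""` defaults the base image gives the same ARGs are no stricter. If every package in this stage is meant to be pinned, have the RUN reference them with the shell's fail-if-unset form, e.g. `"temurin-21-jre${TEMURIN_JDK_VERSION:?TEMURIN_JDK_VERSION must be set}"`, so a missing pin breaks the build instead of drifting. The install that consumes these ARGs is outside this hunk.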
@@ -55,47 +62,65 @@ gpgcheck=1 \n\
gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
" > /etc/yum.repos.d/adoptium.repo
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+# Install system packages first to establish baseline
+RUN microdnf --nodocs -y install yum \
+ && yum --nodocs -q update -y \
+ && microdnf install -y \
+ "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
+ "findutils${FINDUTILS_VERSION}" \
+ "hostname${HOSTNAME_VERSION}" \
+ "temurin-21-jre${TEMURIN_JDK_VERSION}" \
+ && yum clean all \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
-RUN microdnf --nodocs -y install yum \
- && yum --nodocs -q update -y \
- && yum --nodocs -q install -y wget tar gzip make perl gcc \
+RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
&& wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
&& tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
&& cd openssl${OPENSSL_VERSION} \
- && echo "installing FIPS compliant openssl" \
- && ./Configure enable-fips \
+ && echo "installing FIPS compliant openssl to /opt/openssl-fips" \
+ && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
&& make > /dev/null 2>&1 \
&& make install > /dev/null 2>&1 \
&& echo "successfully installed FIPS compliant openssl" \
+ && echo "initializing FIPS module..." \
+ && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \
+ && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \
+ && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \
+ && echo "FIPS module initialized successfully" \
&& cd .. \
&& rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
&& yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
- && microdnf install -y \
- "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
- "findutils${FINDUTILS_VERSION}" \
- "hostname${HOSTNAME_VERSION}" \
- "temurin-21-jre${TEMURIN_JDK_VERSION}" \
&& yum clean all \
&& rm -rf /tmp/* \
&& mkdir -p /etc/confluent/docker /usr/logs \
&& useradd --no-log-init --create-home --shell /bin/bash appuser \
&& chown appuser:appuser -R /etc/confluent/ /usr/logs \
- && mkdir /licenses \
- && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+ && mkdir /licenses
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
RUN update-crypto-policies --set FIPS
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER crypto-policies update to avoid interfering with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
+ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
+ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
+
+# Copy FIPS configuration file
COPY license.txt /licenses
-COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
+
COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub
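Review bot: The image-wide `ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:...` only postpones the conflict the comments describe from build time to run time: every process in the container that loads `libcrypto.so.3`/`libssl.so.3` — RPM-installed tools, yum's Python, anything the entrypoint runs — now resolves the upstream build ahead of the distro's patched `openssl-libs`, and the global `OPENSSL_CONF` forces the FIPS config on all of them as well. If the FIPS build has a single intended consumer, bake the search path into the binaries instead, e.g. `./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl '-Wl,-rpath,/opt/openssl-fips/lib64' '-Wl,-rpath,/opt/openssl-fips/lib'`, and drop the `LD_LIBRARY_PATH` line, or set these variables in the entrypoint for that process only. Separately, the tarball is still fetched with `wget -q` and no integrity check, and `fipsinstall` only seals whatever was built, so add a `echo "${OPENSSL_SHA256}  openssl${OPENSSL_VERSION}.tar.gz" | sha256sum -c -` step (with the hash from the module's security policy, passed as an ARG) before `tar -xzf`. The removed caveat that `update-crypto-policies --set FIPS` is a no-op unless the host is in FIPS mode was useful operator documentation and is worth restoring on the new comment.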
diff --git a/base-java/openssl-fips.cnf b/base-java/openssl-fips.cnf
index a697595091..fd3d55e9b8 100644
--- a/base-java/openssl-fips.cnf
+++ b/base-java/openssl-fips.cnf
@@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
-.include /usr/local/ssl/fipsmodule.cnf
+.include /opt/openssl-fips/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
@@ -61,6 +61,10 @@ fips = fips_sect
[alg_sect]
default_properties = fips=yes
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
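Review bot: The `[fips_sect]` reopened here after the `.include` of `fipsmodule.cnf` is redundant on the happy path and misleading on the failure path: the file `openssl fipsinstall` writes already contains a `[fips_sect]` with `activate = 1` next to the `module-mac` the provider needs, and OpenSSL by default ignores a `.include` it cannot open as well as other configuration errors, so with a missing or stale `fipsmodule.cnf` this section still claims the provider is active while it silently fails to load and `default_properties = fips=yes` presumably leaves callers with opaque fetch errors. Add `config_diagnostics = 1` under `[openssl_init]` (shown in the previous hunk) so a broken include fails loudly, and either drop this section or keep it with a comment such as `# activate/module-mac are expected to come from the generated fipsmodule.cnf included above`.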
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index a03962f018..db6a7f484b 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -63,6 +63,8 @@ ARG HOSTNAME_VERSION=""
ARG XZ_LIBS_VERSION=""
ARG GLIBC_VERSION=""
ARG CURL_VERSION=""
+ARG FINDUTILS_VERSION=""
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION=""
# Temurin JDK version
ARG TEMURIN_JDK_VERSION=""
@@ -86,29 +88,9 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
" > /etc/yum.repos.d/adoptium.repo
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
-# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
-# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
-# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
-# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
+# Install system packages first to establish baseline and avoid Python conflicts
RUN microdnf --nodocs -y install yum \
&& yum --nodocs -q update -y \
- && yum --nodocs -q install -y wget tar gzip make perl gcc \
- && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
- && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
- && cd openssl${OPENSSL_VERSION} \
- && echo "installing FIPS compliant openssl" \
- && ./Configure enable-fips \
- && make > /dev/null 2>&1 \
- && make install > /dev/null 2>&1 \
- && echo "successfully installed FIPS compliant openssl" \
- && cd .. \
- && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
- && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
&& yum --nodocs install -y --setopt=install_weak_deps=False \
git \
"wget${WGET_VERSION}" \
@@ -132,16 +114,55 @@ RUN microdnf --nodocs -y install yum \
&& python3 -m pip install --upgrade "setuptools${PYTHON_SETUPTOOLS_VERSION}" \
&& python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}" \
&& yum remove -y git \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+
+# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
+# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
+# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
+# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
+RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
+ && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
+ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
+ && cd openssl${OPENSSL_VERSION} \
+ && echo "installing FIPS compliant openssl to /opt/openssl-fips" \
+ && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \
+ && make > /dev/null 2>&1 \
+ && make install > /dev/null 2>&1 \
+ && echo "successfully installed FIPS compliant openssl" \
+ && echo "initializing FIPS module..." \
+ && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \
+ && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \
+ && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \
+ && echo "FIPS module initialized successfully" \
+ && cd .. \
+ && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
+ && yum remove -y wget tar gzip make perl gcc --setopt=clean_requirements_on_remove=1 \
&& yum clean all \
&& rm -rf /tmp/* \
&& mkdir -p /etc/confluent/docker /usr/logs \
&& useradd --no-log-init --create-home --shell /bin/bash appuser \
- && chown appuser:appuser -R /etc/confluent/ /usr/logs \
- && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+ && chown appuser:appuser -R /etc/confluent/ /usr/logs
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
RUN update-crypto-policies --set FIPS
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER crypto-policies update to avoid interfering with system Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
+ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
+ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
+
+# Copy FIPS configuration file
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
+
+
# This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
# The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
# is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left
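Review bot: Moving the OpenSSL build after the system-package step changes what ends up in the image: the preceding RUN now installs the pinned `"wget${WGET_VERSION}"` first, and `yum remove -y wget tar gzip make perl gcc --setopt=clean_requirements_on_remove=1` at the end of this hunk then uninstalls it (and tar/gzip, if those are pinned there too) together with the build tools, whereas before the build tools were removed before the pinned packages were installed. If wget is meant to stay, take it and any other runtime-pinned package out of the remove list, or better, build OpenSSL in a dedicated builder stage and `COPY --from` `/opt/openssl-fips` so the toolchain never touches the runtime image. Also, the comment says `LD_LIBRARY_PATH` is set after crypto-policies to keep it away from system Python, but the next hunk's `RUN yum check-update` (yum is Python) runs after these ENV lines and so executes against the upstream libcrypto; move the `ENV` lines below that RUN or, preferably, replace the image-wide `LD_LIBRARY_PATH` with an rpath baked in at `./Configure` time (`'-Wl,-rpath,/opt/openssl-fips/lib64'`).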
@@ -153,7 +174,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}"
COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/
COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/
-COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker
COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new
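Review bot: This `COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf` duplicates the identical COPY added a few lines earlier in this change, just above the `yum check-update` step, so the same file is written twice into two layers. Keep one of the two and delete the other; the path `OPENSSL_CONF` points at is the same either way.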
diff --git a/base/openssl-fips.cnf b/base/openssl-fips.cnf
index a697595091..fd3d55e9b8 100644
--- a/base/openssl-fips.cnf
+++ b/base/openssl-fips.cnf
@@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
-.include /usr/local/ssl/fipsmodule.cnf
+.include /opt/openssl-fips/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
@@ -61,6 +61,10 @@ fips = fips_sect
[alg_sect]
default_properties = fips=yes
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
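Review bot: This reopened `[fips_sect]` adds nothing when the `.include` succeeds and hides the problem when it does not: the `fipsmodule.cnf` generated by `openssl fipsinstall` already carries `activate = 1` with the `module-mac`, and a `.include` that cannot be opened is ignored by default, so a missing or stale generated file leaves this section asserting an active provider that never loaded. Pair it with `config_diagnostics = 1` in `[openssl_init]` so a broken include fails loudly, and note in a comment that `activate` and `module-mac` are expected to come from the included file, as is done for the sibling base-java copy of this config.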
diff --git a/pom.xml b/pom.xml
index 1ab9b44ea3..6b30fd2303 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,27 +35,25 @@
${io.confluent.common-docker.version}-${docker.ubi9.os_type}
8.0.2
- 8.10-1755105495
- 9.6-1754345610
- 9.6-1760515502
+ 8.10-1761032271
+ 9.7-1762965531
+ 9.7-1762956380
1:3.2.2-6.el9_5.1
3.1.2
1.21.1-8.el9_4
7.92-3.el9
- 3.9.21-2.el9_6.2
- 1.34-7.el9
- 1.21.1-8.el9_4
- 7.92-3.el9
+ 3.9.23-2.el9
+ 2:1.34-7.el9
3.3.17-14.el9
1.21.1-8.el9_6
- 20210202-11.el9_6.3
+ 20210202-15.el9_7
3.23-6.el9
5.2.5-8.el9_0
- 2.34-168.el9_6.23
+ 2.34-231.el9_7.2
1:4.8.0-7.el9
- 20240828-2.git626aa59.el9_5
+ 20250905-1.git377cc42.el9_7
21.3.1-1.el9