SlideShare a Scribd company logo
1 of 52
Download to read offline
A294
Node.js – FIPS 140-2 support in
Node.js
Michael Dawson, IBM Runtime Technologies
© 2016 IBM Corporation 2
About Michael Dawson
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking , api
and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
© 2016 IBM Corporation 3
Agenda
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
© 2016 IBM Corporation 4
Node.js – Quick Intro
© 2016 IBM Corporation 5
Node.js – Quick Intro
• JavaScript != Java
• Node.js = Server-side JavaScript
• Event-oriented
• Non-blocking
• Asynchronous
• Uses OpenSSL as cryptographic library
http://www.modulecounts.com/
© 2016 IBM Corporation
• There is a module for that
• 300K modules
• #1 on module counts
• #1 on Github (#projects)
• #1 on StackOverflow(2015)
Node.js – Quick Intro
6
© 2016 IBM Corporation
• Most used runtime in
Bluemix
TM
Node.js – Quick Intro
7
© 2016 IBM Corporation
V8 – Javascript
Engine
V8
JavaScript Engine Libuv
Other
Dependencies
ICU
Cares
Zlib
http_parser
…
Node Binding Layer
Operating System
Node Libraries
Modules (npm or local) + Application
OpenSSL
Node.js – Quick Intro
8
© 2016 IBM Corporation
9
Node.js – crypto APIs
https://nodejs.org/api/crypto.html
• Certificate
• Cipher
• Decipher
• DiffieHellman
• ECDH
• Hash
• HMAC
• Sign
• Verify
© 2016 IBM Corporation
10
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
© 2016 IBM Corporation 11
Node.js – HTTPS Example
© 2016 IBM Corporation 12
FIPS Intro
© 2016 IBM Corporation 13
FIPS Intro – Why
• Cryptography is an important Tool
• Provides a way to evaluate modules
• May be contract requirements !
© 2016 IBM Corporation 14
• Federal Information Processing Standard (FIPS) –
Publication 140-2
Security Requirements for Cryptographic Modules
• US government security standard
• Co-developed with Canadian Communications
Security Establishment (CSE)
• Independent labs do evaluation
http://csrc.nist.gov/groups/STM/cmvp/standards.html
FIPS Intro
© 2016 IBM Corporation 15
1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10.Design Assurance
11.Mitigation of Other Attack
FIPS Intro – Evaluation Areas
© 2016 IBM Corporation 16
FIPS Intro - Levels
• 4 Levels
• Level 1
• 1+ approved algorithms
• Level 2
• Tamper evidence
• Level 3
• Zeroization
• Level 4
• Response to all tamper attempts
Software Generally limited
To Level 1 !
© 2016 IBM Corporation 17
FIPS Intro
• Approved Security Functions
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
• AES, Triple-DES
• DSS, DSA, RSA and ECDSA
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-
512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128,
SHAKE256
No MD5 !
© 2016 IBM Corporation
18
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
• Additional constraints
may apply – ex:
• https://wiki.openssl.
org/index.php/FIPS_
mode_and_TLS
• --tls-cipher-list
© 2016 IBM Corporation 19
FIPS Intro – Europe ?
• Common Criteria
• EAL 1 through 7
• Different profiles
• FIPS still used/potentially accepted
• Higher availability
• Recommendations for TSPs -
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwjm-
oqC0bXPAhUJ4SYKHf3wDV4QFghGMAY&url=https%3A%2F%2Fwww.enisa.europa.eu%2Fpublications%2F
tsp1-framework%2Fat_download%2FfullReport&usg=AFQjCNGe0RewmuzZL4AWyDmy00o-
T0TLfA&sig2=EPdoyDyU6rA93SIBuuDEmw&cad=rja
OpenSSL Integration
© 2016 IBM Corporation 20
OpenSSL Integration
© 2016 IBM Corporation
• Node.js Leverages
OpenSSL certifications
• FIPs on for Linux so far
• https://www.openssl.org/
21
© 2016 IBM Corporation 22
OpenSSL Integration - Certifcation
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-
all.htm#1747
© 2016 IBM Corporation 23
OpenSSL Integration – Security Guide
• Security Policy (36 pages)
• https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
• User Guide (221 pages)
• https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
• Trusted Path Requirement
• User Affirmation
© 2016 IBM Corporation 24
OpenSSL Integration
fipscanister.o
OpenSSL/
libcrypto.a
$(OPENSSLDIR)/fips/fipsld –o ….
If (FIPS_mode_set(1)) {
…
} else {
// indicate error
}
© 2016 IBM Corporation 25
Building
• https://github.com/n
odejs/node/blob/ma
ster/BUILDING.md
• Must follow to the
letter
© 2016 IBM Corporation 26
OpenSSL Integration – Application
• Just using FIPS capable Node.js is not enough
• You have to use correctly (ex TLS example)
• Demonstrate to ‘customer’ you did the right thing
• It is, however, an enabler
© 2016 IBM Corporation 27
Community History
© 2016 IBM Corporation 28
Community History
• May 2015 – discussion starts
• https://github.com/nodejs/node-v0.x-archive/issues/25463
• Jun 2015 – PR 1890
© 2016 IBM Corporation 29
Community History
• Nov 2015 – Issue 3760
• PRs 3752, 3753, 3754,
3755, 3756, 3757, 3758,3759
• Added to community CI
© 2016 IBM Corporation 30
Community History
• Dec 2015 – NPM cleanup
• Feb 2016 – Command Line Improvement
© 2016 IBM Corporation 31
API and runtime options (v6.x)
© 2016 IBM Corporation 32
API and runtime options (v6.x)
• Command Line:
• --enable-fips
• --force-fips
• API
• -crypto.fips
• OpenSSL Config file
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes
© 2016 IBM Corporation 33
API and runtime options (v6.x)
• Force prevents
change
© 2016 IBM Corporation 34
API and runtime options (v6.x)
• You need to be
state aware
• Error if already
enabled
© 2016 IBM Corporation 35
Validating you have right version
© 2016 IBM Corporation
36
Gotchas
© 2016 IBM Corporation
37
Gotchas
• Existing code may no longer run
© 2016 IBM Corporation
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -
out httpd.crt.pem -days XXX
• Certificates and keys
• Generation
• Only use FIPs algorithms
• Generate with FIPs module
© 2016 IBM Corporation
38
Gotchas
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
};
Bluemix Example
© 2016 IBM Corporation
39
cf set-env
FIPS_MODE true
Try it on
out on
Bluemix
Express Example
© 2016 IBM Corporation
44
Express Example
© 2016 IBM Corporation
45
Express Example
© 2016 IBM Corporation
46
© 2016 IBM Corporation 47
Summary
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
Michael Dawson
Thank you very much.
IBM
Runtime Technologies
michael_dawson@ca.ibm.com
© 2016 IBM Corporation 48
© 2016 IBM Corporation 49
Your feedback is valuable
Please complete your session or lab evaluation!
Session number [A294]
Provide your evaluations by:
Evaluation forms:
Fill out a form at the end of each session
Paper forms are located in each of the
session or lab rooms
Complete the session survey on Event
Connect Portal:
https://portal.ibmeventconnect.com/ma
drid2016
Select Sessions, then Session Finder, and
complete the survey
- Or -
IBMTA16
Twitter
@IBMCloud | @IBMWebSphere
LinkedIn
IBM Cloud
YouTube
IBM Cloud | IBM WebSphere
Facebook
IBM Cloud
ibmcloud
Facebook Event Page
IBM Techical Academy 2016
websphere
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission
from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED
"AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS
INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and
services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers
have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in
which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such
laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™,
FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International
Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
• Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
• Java, JavaScript and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
• npm is a trademark of npm, Inc.

More Related Content

What's hot

Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Zimbra versus exchange 2010 presentation
Zimbra versus exchange 2010 presentationZimbra versus exchange 2010 presentation
Zimbra versus exchange 2010 presentationsolarisyourep
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
VMworld Europe 2014: Preview the Latest Release from AirWatch
VMworld Europe 2014: Preview the Latest Release from AirWatchVMworld Europe 2014: Preview the Latest Release from AirWatch
VMworld Europe 2014: Preview the Latest Release from AirWatchVMworld
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017Canturk Isci
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
DEVNET-1121 Customizing Cisco Video Access for Guests
DEVNET-1121	Customizing Cisco Video Access for GuestsDEVNET-1121	Customizing Cisco Video Access for Guests
DEVNET-1121 Customizing Cisco Video Access for GuestsCisco DevNet
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
News from hursley jens diedrichsen - may 2014
News from hursley   jens diedrichsen - may 2014 News from hursley   jens diedrichsen - may 2014
News from hursley jens diedrichsen - may 2014 Jens Diedrichsen
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionF5 Networks
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 

What's hot (20)

Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Zimbra versus exchange 2010 presentation
Zimbra versus exchange 2010 presentationZimbra versus exchange 2010 presentation
Zimbra versus exchange 2010 presentation
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
VMworld Europe 2014: Preview the Latest Release from AirWatch
VMworld Europe 2014: Preview the Latest Release from AirWatchVMworld Europe 2014: Preview the Latest Release from AirWatch
VMworld Europe 2014: Preview the Latest Release from AirWatch
 
VA_InterConnect2017
VA_InterConnect2017VA_InterConnect2017
VA_InterConnect2017
 
CGM versus SVG
CGM versus SVGCGM versus SVG
CGM versus SVG
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
DEVNET-1121 Customizing Cisco Video Access for Guests
DEVNET-1121	Customizing Cisco Video Access for GuestsDEVNET-1121	Customizing Cisco Video Access for Guests
DEVNET-1121 Customizing Cisco Video Access for Guests
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
News from hursley jens diedrichsen - may 2014
News from hursley   jens diedrichsen - may 2014 News from hursley   jens diedrichsen - may 2014
News from hursley jens diedrichsen - may 2014
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
BIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall SolutionBIG-IP Data Center Firewall Solution
BIG-IP Data Center Firewall Solution
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 

Viewers also liked

Viewers also liked (20)

Encoder For Windmill 02
Encoder For Windmill 02Encoder For Windmill 02
Encoder For Windmill 02
 
Ali Gambarchayev
Ali GambarchayevAli Gambarchayev
Ali Gambarchayev
 
Mila - DHET EXAM CENTRE LETTER
Mila - DHET EXAM CENTRE LETTERMila - DHET EXAM CENTRE LETTER
Mila - DHET EXAM CENTRE LETTER
 
Desenvolvimento Mobile Web e PHP no Sinform2010
Desenvolvimento Mobile Web e PHP no Sinform2010Desenvolvimento Mobile Web e PHP no Sinform2010
Desenvolvimento Mobile Web e PHP no Sinform2010
 
Educação inclusiva 2
Educação inclusiva 2Educação inclusiva 2
Educação inclusiva 2
 
Certificate_Anna Pogrebniak_signed
Certificate_Anna Pogrebniak_signedCertificate_Anna Pogrebniak_signed
Certificate_Anna Pogrebniak_signed
 
Gina depaul nomination
Gina depaul nominationGina depaul nomination
Gina depaul nomination
 
Wall Elevation A1
Wall Elevation A1Wall Elevation A1
Wall Elevation A1
 
Trisakti certificate
Trisakti certificateTrisakti certificate
Trisakti certificate
 
Mantenimiento preventivo de teclado
Mantenimiento preventivo de tecladoMantenimiento preventivo de teclado
Mantenimiento preventivo de teclado
 
Curso curicular 4 ano - Knowledge translation
Curso curicular 4 ano - Knowledge translationCurso curicular 4 ano - Knowledge translation
Curso curicular 4 ano - Knowledge translation
 
aa
aaaa
aa
 
Digitron1
Digitron1Digitron1
Digitron1
 
Animal Hospital Elevation
Animal Hospital Elevation Animal Hospital Elevation
Animal Hospital Elevation
 
BSI- Design Controls Cert
BSI- Design Controls CertBSI- Design Controls Cert
BSI- Design Controls Cert
 
Incendios forestales pc
Incendios forestales pcIncendios forestales pc
Incendios forestales pc
 
Http
HttpHttp
Http
 
PHP no mundo Mobile
PHP no mundo MobilePHP no mundo Mobile
PHP no mundo Mobile
 
Introdução ao Spider CPM (5)
Introdução ao Spider CPM (5)Introdução ao Spider CPM (5)
Introdução ao Spider CPM (5)
 
230712 cm incendi empordà
230712 cm incendi empordà230712 cm incendi empordà
230712 cm incendi empordà
 

Similar to A294 fips support in node

A301 ctu madrid2016-monitoring
A301 ctu madrid2016-monitoringA301 ctu madrid2016-monitoring
A301 ctu madrid2016-monitoringMichael Dawson
 
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...Karen Broughton-Mabbitt
 
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014IBM France Lab
 
DevOps adoption in the enterprise
DevOps adoption in the enterpriseDevOps adoption in the enterprise
DevOps adoption in the enterpriseSanjeev Sharma
 
How to Balance System Speed and Risk for Multi-Platform Innovation
How to Balance System Speed and Risk for Multi-Platform InnovationHow to Balance System Speed and Risk for Multi-Platform Innovation
How to Balance System Speed and Risk for Multi-Platform InnovationClaudia Ring
 
Bluemix Overview & Demo
Bluemix Overview & DemoBluemix Overview & Demo
Bluemix Overview & DemoIBM
 
AWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applicationsAWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applicationsCobus Bernard
 
IBM WebSphere Liberty and Docker Deep Dive
IBM WebSphere Liberty and Docker Deep DiveIBM WebSphere Liberty and Docker Deep Dive
IBM WebSphere Liberty and Docker Deep DiveDavid Currie
 
Track A-3: Drive Innovation & Reduce Costs with Managed Services
Track A-3: Drive Innovation & Reduce Costs with Managed ServicesTrack A-3: Drive Innovation & Reduce Costs with Managed Services
Track A-3: Drive Innovation & Reduce Costs with Managed Servicesscoopnewsgroup
 
A295 nodejs-knowledge-accelerator
A295   nodejs-knowledge-acceleratorA295   nodejs-knowledge-accelerator
A295 nodejs-knowledge-acceleratorMichael Dawson
 
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...Amazon Web Services
 
Optimize your CI/CD with GitLab and AWS
Optimize your CI/CD with GitLab and AWSOptimize your CI/CD with GitLab and AWS
Optimize your CI/CD with GitLab and AWSDevOps.com
 
UrbanCode Deploy DevOps Best Practices
UrbanCode Deploy  DevOps Best PracticesUrbanCode Deploy  DevOps Best Practices
UrbanCode Deploy DevOps Best PracticesMichael Elder
 
CampDevOps keynote - DevOps: Using 'Lean' to eliminate Bottlenecks
CampDevOps keynote - DevOps: Using 'Lean' to eliminate BottlenecksCampDevOps keynote - DevOps: Using 'Lean' to eliminate Bottlenecks
CampDevOps keynote - DevOps: Using 'Lean' to eliminate BottlenecksSanjeev Sharma
 
IBM Connections Cloud Application Development Strategy
IBM Connections Cloud Application Development StrategyIBM Connections Cloud Application Development Strategy
IBM Connections Cloud Application Development StrategyLuis Benitez
 
Service Testing & Virtualization in an Enterprise Environments
Service Testing & Virtualization in an Enterprise EnvironmentsService Testing & Virtualization in an Enterprise Environments
Service Testing & Virtualization in an Enterprise EnvironmentsDevOps for Enterprise Systems
 
Hia 1689-techinical introduction-to_iib
Hia 1689-techinical introduction-to_iibHia 1689-techinical introduction-to_iib
Hia 1689-techinical introduction-to_iibAndrew Coleman
 

Similar to A294 fips support in node (20)

Cascon intro
Cascon introCascon intro
Cascon intro
 
A301 ctu madrid2016-monitoring
A301 ctu madrid2016-monitoringA301 ctu madrid2016-monitoring
A301 ctu madrid2016-monitoring
 
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
HIA 1015 Speed the Development of Robust Integrations with IBM Integration Bu...
 
The Future of DevOps and UrbanCode
The Future of DevOps and UrbanCodeThe Future of DevOps and UrbanCode
The Future of DevOps and UrbanCode
 
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014
IBM BlueMix Presentation - Paris Meetup 17th Sept. 2014
 
DevOps adoption in the enterprise
DevOps adoption in the enterpriseDevOps adoption in the enterprise
DevOps adoption in the enterprise
 
How to Balance System Speed and Risk for Multi-Platform Innovation
How to Balance System Speed and Risk for Multi-Platform InnovationHow to Balance System Speed and Risk for Multi-Platform Innovation
How to Balance System Speed and Risk for Multi-Platform Innovation
 
Bluemix Overview & Demo
Bluemix Overview & DemoBluemix Overview & Demo
Bluemix Overview & Demo
 
AWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applicationsAWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applications
 
IBM WebSphere Liberty and Docker Deep Dive
IBM WebSphere Liberty and Docker Deep DiveIBM WebSphere Liberty and Docker Deep Dive
IBM WebSphere Liberty and Docker Deep Dive
 
Track A-3: Drive Innovation & Reduce Costs with Managed Services
Track A-3: Drive Innovation & Reduce Costs with Managed ServicesTrack A-3: Drive Innovation & Reduce Costs with Managed Services
Track A-3: Drive Innovation & Reduce Costs with Managed Services
 
A295 nodejs-knowledge-accelerator
A295   nodejs-knowledge-acceleratorA295   nodejs-knowledge-accelerator
A295 nodejs-knowledge-accelerator
 
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
CI/CD best practices for building modern applications - MAD304 - Chicago AWS ...
 
Bluemix cfmeetup
Bluemix cfmeetupBluemix cfmeetup
Bluemix cfmeetup
 
Optimize your CI/CD with GitLab and AWS
Optimize your CI/CD with GitLab and AWSOptimize your CI/CD with GitLab and AWS
Optimize your CI/CD with GitLab and AWS
 
UrbanCode Deploy DevOps Best Practices
UrbanCode Deploy  DevOps Best PracticesUrbanCode Deploy  DevOps Best Practices
UrbanCode Deploy DevOps Best Practices
 
CampDevOps keynote - DevOps: Using 'Lean' to eliminate Bottlenecks
CampDevOps keynote - DevOps: Using 'Lean' to eliminate BottlenecksCampDevOps keynote - DevOps: Using 'Lean' to eliminate Bottlenecks
CampDevOps keynote - DevOps: Using 'Lean' to eliminate Bottlenecks
 
IBM Connections Cloud Application Development Strategy
IBM Connections Cloud Application Development StrategyIBM Connections Cloud Application Development Strategy
IBM Connections Cloud Application Development Strategy
 
Service Testing & Virtualization in an Enterprise Environments
Service Testing & Virtualization in an Enterprise EnvironmentsService Testing & Virtualization in an Enterprise Environments
Service Testing & Virtualization in an Enterprise Environments
 
Hia 1689-techinical introduction-to_iib
Hia 1689-techinical introduction-to_iibHia 1689-techinical introduction-to_iib
Hia 1689-techinical introduction-to_iib
 

More from Michael Dawson

Index 2018 talk to your code
Index 2018   talk to your codeIndex 2018   talk to your code
Index 2018 talk to your codeMichael Dawson
 
Index 2018 node.js what's next
Index 2018   node.js what's nextIndex 2018   node.js what's next
Index 2018 node.js what's nextMichael Dawson
 
N api - node interactive 2017
N api - node interactive 2017N api - node interactive 2017
N api - node interactive 2017Michael Dawson
 
N api-node summit-2017-final
N api-node summit-2017-finalN api-node summit-2017-final
N api-node summit-2017-finalMichael Dawson
 
Accelerate your digital transformation
Accelerate your digital transformationAccelerate your digital transformation
Accelerate your digital transformationMichael Dawson
 
Node.js Community Benchmarking WG update
Node.js Community  Benchmarking WG updateNode.js Community  Benchmarking WG update
Node.js Community Benchmarking WG updateMichael Dawson
 
Post mortem talk - Node Interactive EU
Post mortem talk - Node Interactive EUPost mortem talk - Node Interactive EU
Post mortem talk - Node Interactive EUMichael Dawson
 
Update from-build-workgroup
Update from-build-workgroupUpdate from-build-workgroup
Update from-build-workgroupMichael Dawson
 
Micro app-framework - NodeLive Boston
Micro app-framework - NodeLive BostonMicro app-framework - NodeLive Boston
Micro app-framework - NodeLive BostonMichael Dawson
 
Node liveboston welcome
Node liveboston welcomeNode liveboston welcome
Node liveboston welcomeMichael Dawson
 
Node home automation with Node.js and MQTT
Node home automation with Node.js and MQTTNode home automation with Node.js and MQTT
Node home automation with Node.js and MQTTMichael Dawson
 

More from Michael Dawson (15)

Index 2018 talk to your code
Index 2018   talk to your codeIndex 2018   talk to your code
Index 2018 talk to your code
 
Index 2018 node.js what's next
Index 2018   node.js what's nextIndex 2018   node.js what's next
Index 2018 node.js what's next
 
N api - node interactive 2017
N api - node interactive 2017N api - node interactive 2017
N api - node interactive 2017
 
N api-node summit-2017-final
N api-node summit-2017-finalN api-node summit-2017-final
N api-node summit-2017-final
 
Accelerate your digital transformation
Accelerate your digital transformationAccelerate your digital transformation
Accelerate your digital transformation
 
Ask us anything v9
Ask us anything v9Ask us anything v9
Ask us anything v9
 
Node.js Community Benchmarking WG update
Node.js Community  Benchmarking WG updateNode.js Community  Benchmarking WG update
Node.js Community Benchmarking WG update
 
Post mortem talk - Node Interactive EU
Post mortem talk - Node Interactive EUPost mortem talk - Node Interactive EU
Post mortem talk - Node Interactive EU
 
Update from-build-workgroup
Update from-build-workgroupUpdate from-build-workgroup
Update from-build-workgroup
 
Node fips
Node fipsNode fips
Node fips
 
Micro app-framework - NodeLive Boston
Micro app-framework - NodeLive BostonMicro app-framework - NodeLive Boston
Micro app-framework - NodeLive Boston
 
Node liveboston welcome
Node liveboston welcomeNode liveboston welcome
Node liveboston welcome
 
Micro app-framework
Micro app-frameworkMicro app-framework
Micro app-framework
 
Node home automation with Node.js and MQTT
Node home automation with Node.js and MQTTNode home automation with Node.js and MQTT
Node home automation with Node.js and MQTT
 
Java one 2015 - v1
Java one   2015 - v1Java one   2015 - v1
Java one 2015 - v1
 

Recently uploaded

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 

Recently uploaded (20)

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 

A294 fips support in node

  • 1. A294 Node.js – FIPS 140-2 support in Node.js Michael Dawson, IBM Runtime Technologies
  • 2. © 2016 IBM Corporation 2 About Michael Dawson Senior Software Developer @ IBM IBM Runtime Technologies Node.js Technical Lead Node.js collaborator and CTC member Active in LTS, build, benchmarking , api and post-mortem working groups Contact me: michael_dawson@ca.ibm.com Twitter: @mhdawson1 https://www.linkedin.com/in/michael-dawson-6051282
  • 3. © 2016 IBM Corporation 3 Agenda • Node.js quick intro • FIPS 140-2 intro • OpenSSL integration • Community History • Command Line Options • Gotchas – What to look out for • Bluemix Example • Express Example
  • 4. © 2016 IBM Corporation 4 Node.js – Quick Intro
  • 5. © 2016 IBM Corporation 5 Node.js – Quick Intro • JavaScript != Java • Node.js = Server-side JavaScript • Event-oriented • Non-blocking • Asynchronous • Uses OpenSSL as cryptographic library
  • 6. http://www.modulecounts.com/ © 2016 IBM Corporation • There is a module for that • 300K modules • #1 on module counts • #1 on Github (#projects) • #1 on StackOverflow(2015) Node.js – Quick Intro 6
  • 7. © 2016 IBM Corporation • Most used runtime in Bluemix TM Node.js – Quick Intro 7
  • 8. © 2016 IBM Corporation V8 – Javascript Engine V8 JavaScript Engine Libuv Other Dependencies ICU Cares Zlib http_parser … Node Binding Layer Operating System Node Libraries Modules (npm or local) + Application OpenSSL Node.js – Quick Intro 8
  • 9. © 2016 IBM Corporation 9 Node.js – crypto APIs https://nodejs.org/api/crypto.html • Certificate • Cipher • Decipher • DiffieHellman • ECDH • Hash • HMAC • Sign • Verify
  • 10. © 2016 IBM Corporation 10 Node.js – HTTPS https://nodejs.org/api/https.html • HTTPS
  • 11. © 2016 IBM Corporation 11 Node.js – HTTPS Example
  • 12. © 2016 IBM Corporation 12 FIPS Intro
  • 13. © 2016 IBM Corporation 13 FIPS Intro – Why • Cryptography is an important Tool • Provides a way to evaluate modules • May be contract requirements !
  • 14. © 2016 IBM Corporation 14 • Federal Information Processing Standard (FIPS) – Publication 140-2 Security Requirements for Cryptographic Modules • US government security standard • Co-developed with Canadian Communications Security Establishment (CSE) • Independent labs do evaluation http://csrc.nist.gov/groups/STM/cmvp/standards.html FIPS Intro
  • 15. © 2016 IBM Corporation 15 1. Cryptographic Module Specification 2. Cryptographic Module Ports and Interfaces 3. Roles, Services, and Authentication 4. Finite State Model 5. Physical Security 6. Operational Environment 7. Cryptographic Key Management 8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC) 9. Self Tests 10.Design Assurance 11.Mitigation of Other Attack FIPS Intro – Evaluation Areas
  • 16. © 2016 IBM Corporation 16 FIPS Intro - Levels • 4 Levels • Level 1 • 1+ approved algorithms • Level 2 • Tamper evidence • Level 3 • Zeroization • Level 4 • Response to all tamper attempts Software Generally limited To Level 1 !
  • 17. © 2016 IBM Corporation 17 FIPS Intro • Approved Security Functions http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf • AES, Triple-DES • DSS, DSA, RSA and ECDSA • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA- 512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256 No MD5 !
  • 18. © 2016 IBM Corporation 18 Node.js – HTTPS https://nodejs.org/api/https.html • HTTPS • Additional constraints may apply – ex: • https://wiki.openssl. org/index.php/FIPS_ mode_and_TLS • --tls-cipher-list
  • 19. © 2016 IBM Corporation 19 FIPS Intro – Europe ? • Common Criteria • EAL 1 through 7 • Different profiles • FIPS still used/potentially accepted • Higher availability • Recommendations for TSPs - https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwjm- oqC0bXPAhUJ4SYKHf3wDV4QFghGMAY&url=https%3A%2F%2Fwww.enisa.europa.eu%2Fpublications%2F tsp1-framework%2Fat_download%2FfullReport&usg=AFQjCNGe0RewmuzZL4AWyDmy00o- T0TLfA&sig2=EPdoyDyU6rA93SIBuuDEmw&cad=rja
  • 20. OpenSSL Integration © 2016 IBM Corporation 20
  • 21. OpenSSL Integration © 2016 IBM Corporation • Node.js Leverages OpenSSL certifications • FIPs on for Linux so far • https://www.openssl.org/ 21
  • 22. © 2016 IBM Corporation 22 OpenSSL Integration - Certifcation • http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val- all.htm#1747
  • 23. © 2016 IBM Corporation 23 OpenSSL Integration – Security Guide • Security Policy (36 pages) • https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf • User Guide (221 pages) • https://www.openssl.org/docs/fips/UserGuide-2.0.pdf • Trusted Path Requirement • User Affirmation
  • 24. © 2016 IBM Corporation 24 OpenSSL Integration fipscanister.o OpenSSL/ libcrypto.a $(OPENSSLDIR)/fips/fipsld –o …. If (FIPS_mode_set(1)) { … } else { // indicate error }
  • 25. © 2016 IBM Corporation 25 Building • https://github.com/n odejs/node/blob/ma ster/BUILDING.md • Must follow to the letter
  • 26. © 2016 IBM Corporation 26 OpenSSL Integration – Application • Just using FIPS capable Node.js is not enough • You have to use correctly (ex TLS example) • Demonstrate to ‘customer’ you did the right thing • It is, however, an enabler
  • 27. © 2016 IBM Corporation 27 Community History
  • 28. © 2016 IBM Corporation 28 Community History • May 2015 – discussion starts • https://github.com/nodejs/node-v0.x-archive/issues/25463 • Jun 2015 – PR 1890
  • 29. © 2016 IBM Corporation 29 Community History • Nov 2015 – Issue 3760 • PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758,3759 • Added to community CI
  • 30. © 2016 IBM Corporation 30 Community History • Dec 2015 – NPM cleanup • Feb 2016 – Command Line Improvement
  • 31. © 2016 IBM Corporation 31 API and runtime options (v6.x)
  • 32. © 2016 IBM Corporation 32 API and runtime options (v6.x) • Command Line: • --enable-fips • --force-fips • API • -crypto.fips • OpenSSL Config file [ evp_sect ] # Set to "yes" to enter FIPS mode if supported fips_mode = yes
  • 33. © 2016 IBM Corporation 33 API and runtime options (v6.x) • Force prevents change
  • 34. © 2016 IBM Corporation 34 API and runtime options (v6.x) • You need to be state aware • Error if already enabled
  • 35. © 2016 IBM Corporation 35 Validating you have right version
  • 36. © 2016 IBM Corporation 36 Gotchas
  • 37. © 2016 IBM Corporation 37 Gotchas • Existing code may no longer run © 2016 IBM Corporation
  • 38. OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem - out httpd.crt.pem -days XXX • Certificates and keys • Generation • Only use FIPs algorithms • Generate with FIPs module © 2016 IBM Corporation 38 Gotchas const options = { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') };
  • 39. Bluemix Example © 2016 IBM Corporation 39
  • 40. cf set-env FIPS_MODE true Try it on out on Bluemix
  • 41.
  • 42.
  • 43.
  • 44. Express Example © 2016 IBM Corporation 44
  • 45. Express Example © 2016 IBM Corporation 45
  • 46. Express Example © 2016 IBM Corporation 46
  • 47. © 2016 IBM Corporation 47 Summary • Node.js quick intro • FIPS 140-2 intro • OpenSSL integration • Community History • Command Line Options • Gotchas – What to look out for • Bluemix Example • Express Example
  • 48. Michael Dawson Thank you very much. IBM Runtime Technologies michael_dawson@ca.ibm.com © 2016 IBM Corporation 48
  • 49. © 2016 IBM Corporation 49 Your feedback is valuable Please complete your session or lab evaluation! Session number [A294] Provide your evaluations by: Evaluation forms: Fill out a form at the end of each session Paper forms are located in each of the session or lab rooms Complete the session survey on Event Connect Portal: https://portal.ibmeventconnect.com/ma drid2016 Select Sessions, then Session Finder, and complete the survey - Or -
  • 50. IBMTA16 Twitter @IBMCloud | @IBMWebSphere LinkedIn IBM Cloud YouTube IBM Cloud | IBM WebSphere Facebook IBM Cloud ibmcloud Facebook Event Page IBM Techical Academy 2016 websphere
  • 51. Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
  • 52. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. • IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml. • Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally related to or endorsed by the official Joyent Node.js open source or commercial project. • Java, JavaScript and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. • npm is a trademark of npm, Inc.