Security and Encryption
The security and encryption options in the installer allow administrators to encrypt the connection to the database repository. The FIPS option (in BETA) ensures that the platform operates with FIPS-compliant encryption libraries. The SELinux policy option deploys policies on Red Hat 9 servers that allow Pyramid services to run with SELinux enforced.
Encryption Certificate Uploads
If you decide to have an encrypted connection to the repository, check the box and then upload a ZIP file with the relevant public certificates. The ZIP file must contain one or more such certificates for the operation to succeed.
- For more information on encryption click here.
FIPS (BETA)
FIPS standards are either recommended or mandated for use in federal government-operated IT systems in the United States and Canada. They ensure that the encryption libraries used meet the standards set by governmental bodies.
Checking the FIPS box enables these libraries in Pyramid. However, making the platform FIPS-compliant involves numerous other aspects, ranging from the host operating systems to the data stores and the SSO identity management framework.
FIPS is a BETA feature. It should be thoroughly tested before pushing into production.
If you are unsure about FIPS, do NOT enable this feature.
- For a detailed explanation of FIPS and information on how to configure the Pyramid Platform for FIPS, please consult the FIPS Compliance guide.
SELinux Policies (BETA)
As of version 2025.01, Pyramid includes a package of SELinux policies for Red Hat 9 deployments that allows Pyramid to operate with SELinux enforced. The mechanism to deploy these policies is triggered during installation:
- For fresh installs on RHEL9 using the installer UI, check the SELinux option on the security page when prompted.
- For fresh installs on RHEL9 using the terminal console, set the SELinux option to "y" when prompted.
- For fresh installs on RHEL9 using the unattended installer, ensure the "SELinux" option is set to 1.
- For upgrades where the SELinux policy has not been previously deployed, admins must add a new entry, "SELinux=1", to the config.ini file under the machine section. This must be done before the upgrade process is initiated in order to trigger deployment. Once set, it doesn't need to be reset in the future.
The SELinux policy option is a BETA feature. It should be thoroughly tested before pushing into production.
If you are unsure about SELinux, do NOT enable this feature.
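For the upgrade step above, a pre-upgrade check can confirm that the entry really sits under the machine section and not under another one. This is an added example, not code from the Pyramid documentation or installer. It assumes the section header is written `[machine]`, that config.ini uses plain INI syntax with `;` or `#` comment lines, and that the path to config.ini is passed as an argument, since its location is not given here.

```shell
#!/bin/sh
# Pre-upgrade check: is SELinux=1 set under the machine section of config.ini?
# Assumptions (not from the product documentation): the section header is
# "[machine]" and the file is plain INI with ';' or '#' comment lines.

# selinux_flag_set FILE [SECTION]
# Returns 0 if SECTION contains SELinux=1, 1 if it does not, 2 if FILE is unreadable.
selinux_flag_set() {
    file=$1
    section=${2:-machine}
    [ -r "$file" ] || return 2
    awk -v want="$section" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*[;#]/ { next }                  # a commented-out entry does not count
        /^[ \t]*\[.*\][ \t]*$/ {                # section header: track where we are
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_section = (name == want)
            next
        }
        in_section && /^[ \t]*SELinux[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            found = (value == "1")              # in this check, the last assignment wins
        }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# report FILE: print a one-line verdict to act on before starting the upgrade.
report() {
    rc=0
    selinux_flag_set "$1" || rc=$?
    case $rc in
        0) echo "OK: SELinux=1 is set under the machine section" ;;
        1) echo "MISSING: add SELinux=1 under the machine section before upgrading" ;;
        *) echo "ERROR: cannot read $1" ;;
    esac
}

# Run the check only when a config.ini path is supplied on the command line.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```
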