Wolfie17 (Cadet)

Seeking Recommendations for Secure RHEL Production Architecture (FIPS, SELinux, Puppet)

We’re currently migrating all our applications to RHEL (Red Hat Enterprise Linux) systems and are fairly new to Linux-based production deployments. We're looking for guidance on how to build a secure, scalable, and production-grade environment.

Areas where we seek input:

Storage

  • For application data and shared volumes, would you recommend SMB or CephFS in production?

  • We need storage that is resilient, supports shared access, and minimizes latency across nodes.

  • Is there any storage offering from Red Hat that can be used?

Load Balancing

  • We're planning to use Apachef5 for load balancing.

  • What are some best practices, performance tuning tips, or common pitfalls we should be aware of?

  • Does Red Hat Enterprise edition come with a load balancer offering by default?

Security Hardening

We want to follow industry best practices in securing our Linux hosts:

  • SSH hardening (disabling root login, enforcing key-based authentication)

  • SELinux (permissive for testing, enforcing in production — with proper context and labeling)

  • firewalld and iptables configuration

  • Port whitelisting and service-level access control

If you have any checklists, hardening guides, or reference architectures for RHEL production environments, they would be very helpful.


Configuration Management

  • We're using Puppet (not Ansible) as our configuration management tool for package installations, permissions, and custom configurations.


Security Questions & Observations

We've been exploring system-wide cryptographic hardening and have some questions:

  • FIPS Mode: We tried enabling FIPS after the system was installed, but the system failed to boot post-reboot. What’s the correct and safe way to enable FIPS on RHEL?

  • System-wide cryptographic policies: Are these mandatory for all use cases? We've noticed that enabling strict policies can break compatibility with some applications due to unsupported ciphers.

  • PKCS #11 / Hardware security integration: Under what circumstances is cryptographic hardware (via PKCS #11) required? Is it necessary in typical enterprise deployments?


Looking for:

  • Real-world examples or production deployment patterns

  • Architecture diagrams for multi-node Linux environments (especially with WSO2)

  • Security compliance checklists (e.g., CIS Benchmarks for RHEL)

  • Operational readiness checklists for Linux-based services

Any guidance or references would be highly appreciated as we move towards a production launch.
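The post lists the SSH items to harden but no way to confirm they actually took effect on a host. The script below is an added example (mine, not from the thread, Red Hat or Puppet): it reads the global section of an sshd_config with sshd_config(5) semantics (first uncommented occurrence wins, keywords are case-insensitive, Match blocks are per-connection and so are skipped) and reports PASS/FAIL for PermitRootLogin, PasswordAuthentication, PubkeyAuthentication and PermitEmptyPasswords. The two sample configs it writes are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread: audit the global section of an
# sshd_config against the hardening items listed in the post.  The keyword
# names and values are real sshd_config(5) options; the sample configs
# written by write_sample_configs are constructed.

# Print the effective value of KEY in FILE.  sshd_config semantics: the first
# uncommented occurrence wins and keywords are case-insensitive.  Only the
# global section is considered, so parsing stops at the first Match block.
# The rarely used "Key=value" spelling is not handled.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }            # comment line
        NF == 0                 { next }            # blank line
        tolower($1) == "match"  { exit }            # end of the global section
        tolower($1) == key      { print tolower($2); exit }
    ' "$1"
}

# Audit FILE against the required settings.  Every setting must be set
# explicitly: relying on OpenSSH's compiled-in default counts as a finding,
# because a default can change on a package upgrade and an explicit line is
# what a Puppet resource can manage and verify.  Returns 0 if all pass.
audit_sshd_config() {
    audit_file=$1
    audit_failures=0
    for rule in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes PermitEmptyPasswords=no; do
        key=${rule%%=*}
        want=${rule#*=}
        got=$(sshd_effective "$audit_file" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=${got:-<unset>} (want $want)"
            audit_failures=$((audit_failures + 1))
        fi
    done
    [ "$audit_failures" -eq 0 ]
}

# Two constructed sample configs (not copied from any host) written into DIR.
write_sample_configs() {
    cat > "$1/hardened_sshd_config" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
# per-user exception below must not affect the global audit
Match User backup
    PasswordAuthentication yes
EOF
    cat > "$1/weak_sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
# With no argument the two constructed samples are audited instead.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for sample in hardened weak; do
        echo "== $sample sample =="
        audit_sshd_config "$tmp/${sample}_sshd_config" || true
    done
    rm -rf "$tmp"
fi
```

On RHEL 9 the stock /etc/ssh/sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in can win before any line in the main file; this script is a check on the file you manage, and for the values sshd really runs with use `sshd -T`, which prints the fully resolved configuration.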

1 Reply
Chetan_Tiwary_ (Community Manager)

@Wolfie17 I strongly recommend you get in touch with the Red Hat team / consultants for this infrastructure migration / design here: https://www.redhat.com/en/contact

https://www.redhat.com/en/services/consulting 

However, I can help you with the basic details you are seeking, to the best of my knowledge:

1. Since you are migrating to RHEL servers, unless you have Windows clients, I strongly recommend CephFS, which is also supported by OpenShift (future planning!).

2. No, load balancing does not come by default. You can use HAProxy or Pacemaker.

3. Typical load balancing settings include load balancing algorithms, session persistence, health checks, and security features like SSL termination, load balancer cookies, and health checks for TCP, HTTP, etc.

4. You have already mentioned the security hardening tips for SSH, firewall, ports and SELinux. Please refer to the OSCAP guide here: https://complianceascode.github.io/content-pages/guides/ssg-rhel9-guide-e8.html

5. Puppet is fine as it supports FIPS: https://www.puppet.com/docs/pe/2025.0/supported_operating_systems.html

For a Puppet SELinux module: https://github.com/voxpupuli/puppet-selinux

6. FIPS enabling in RHEL related material: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switchin...

https://access.redhat.com/en/compliance/fips 

Here are some architecture references:

How the Ceph File System components interact with each other:

[Image: Chetan_Tiwary__0-1751054627376.png]

Basic OpenStack infrastructure components which are highly available; the nodes use the Pacemaker add-on for Red Hat Enterprise Linux together with HAProxy:

[Image: Chetan_Tiwary__1-1751054850414.png]
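The reply points at the FIPS documentation but the original question was how to enable FIPS safely and tell afterwards whether it worked. As an added example (mine, not from the thread, Red Hat or the fips-mode-setup tool) the read-only check below looks at the three places that must agree on RHEL 8/9 once FIPS is on: `fips=1` on the kernel command line, the kernel's own `fips_enabled` flag, and the system-wide crypto policy. `fips-mode-setup --enable` sets the first and third, the reboot produces the second, and `fips-mode-setup --check` reports the result; switching only the crypto policy with `update-crypto-policies --set FIPS` does not put the kernel into FIPS mode, and Red Hat's documentation recommends installing with FIPS enabled rather than switching later. The two sample states the script writes are constructed; the file paths given as arguments exist only so the check can run against those samples.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only check of the three places
# that must agree once FIPS mode is enabled on RHEL 8/9.
#   1. the kernel command line carries fips=1      (/proc/cmdline)
#   2. the running kernel is in FIPS mode          (/proc/sys/crypto/fips_enabled)
#   3. the system-wide crypto policy is FIPS       (/etc/crypto-policies/config)
# The documented procedure is: fips-mode-setup --enable, reboot, then
# fips-mode-setup --check.  This script only reads state and changes nothing.

# Report FIPS state.  The optional arguments override the three paths only so
# the function can be run against constructed files; omit them on a live host.
# Returns 0 when all three agree that FIPS is enabled, 1 otherwise.
fips_state() {
    cmdline_file=${1:-/proc/cmdline}
    flag_file=${2:-/proc/sys/crypto/fips_enabled}
    policy_file=${3:-/etc/crypto-policies/config}

    # Exact token match, so "nofips=1" or "fips=10" does not count.
    if awk '{ for (i = 1; i <= NF; i++) if ($i == "fips=1") found = 1 }
            END { exit !found }' "$cmdline_file" 2>/dev/null; then
        cmdline=yes
    else
        cmdline=no
    fi
    if [ -r "$flag_file" ]; then kernel=$(tr -d '[:space:]' < "$flag_file"); else kernel=missing; fi
    if [ -r "$policy_file" ]; then policy=$(tr -d '[:space:]' < "$policy_file"); else policy=missing; fi

    printf 'fips=1 on kernel cmdline : %s\n' "$cmdline"
    printf 'kernel fips_enabled      : %s\n' "$kernel"
    printf 'crypto policy            : %s\n' "$policy"

    # FIPS:OSPP and similar are sub-policies of FIPS and still count.
    case $policy in FIPS|FIPS:*) policy_ok=yes ;; *) policy_ok=no ;; esac

    if [ "$cmdline" = yes ] && [ "$kernel" = 1 ] && [ "$policy_ok" = yes ]; then
        echo "RESULT: FIPS mode fully enabled"
        return 0
    fi
    if [ "$policy_ok" = yes ] && [ "$cmdline" = no ]; then
        # The classic half-done state: policy switched by hand, kernel never told.
        echo "RESULT: crypto policy is FIPS but fips=1 is missing from the kernel command line; use fips-mode-setup --enable (not update-crypto-policies --set FIPS alone) and reboot"
    else
        echo "RESULT: FIPS mode not enabled"
    fi
    return 1
}

# Two constructed sample states (not captured from any real host) under DIR.
write_fips_samples() {
    mkdir -p "$1/enabled" "$1/policy_only"
    printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro fips=1\n' > "$1/enabled/cmdline"
    printf '1\n' > "$1/enabled/fips_enabled"
    printf 'FIPS\n' > "$1/enabled/policy"
    printf 'BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=/dev/mapper/rhel-root ro\n' > "$1/policy_only/cmdline"
    printf '0\n' > "$1/policy_only/fips_enabled"
    printf 'FIPS\n' > "$1/policy_only/policy"
}

# Usage: sh fips_check.sh --live    (inspect this host)
#        sh fips_check.sh           (walk through the constructed samples)
if [ "${1:-}" = --live ]; then
    fips_state
else
    tmp=$(mktemp -d)
    write_fips_samples "$tmp"
    for s in enabled policy_only; do
        echo "== constructed sample: $s =="
        fips_state "$tmp/$s/cmdline" "$tmp/$s/fips_enabled" "$tmp/$s/policy" || true
    done
    rm -rf "$tmp"
fi
```

A non-zero exit from `fips_state` is what a Puppet exec or an operational-readiness checklist can key on before a host is admitted to production.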

 
