Issue with Jupyter notebook - Incomplete response received from application when FIPS enabled

Hi. I’m going through the directions on getting Jupyter running in OnDemand and have hit a snag which I’m not sure anyone will be able to do anything about, but I wanted to at least mention it.

I kept getting an Incomplete response received from application immediately when trying to launch the Jupyter app. The cluster was running a job, the output log indicated jupyter notebook was running (verified it was on the cluster node), so that all looked good. I looked at the pun error log and saw this message printed:

App 3142 output: md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!

I restarted the ondemand server, disabling FIPS mode and that error went away, and I was then offered the ability to connect to the notebook. That part didn’t work, but for a different reason, however, is there any ability to not use md5 here so that we could possibly enable FIPS mode?

Just a heads up: If you enable FIPS mode, you will not be able to install the MRI image processing program FreeSurfer, which uses crypt to encode its license. Just in case that may matter to you.

Hi! Thanks for the heads up. Finding in Rails documentation - we should have upgraded to sha1. What version of OnDemand are you running? It seems like this should be the default in 2.0 and possibly 1.8 (I can’t recall off the top that 1.8 is rails 5.2 - but I believe it is).

You may be able to drop this file here in /etc and set this config to true.

# /etc/ood/config/apps/dashboard/initializers/sha1_digest.rb

Rails.application.config.active_support.use_sha1_digests = true

I’m using version 2.0.13. Let me try that option for the dashboard and see what happens.

Nope, still is trying md5 digests.

I also tried uncommenting the same line in /var/www/ood/apps/sys/dashboard/config/initializers/new_framework_defaults_5_2.rb

You were sure to restart your PUN as well?

I restarted the PUN, and restarted the entire OOD server as well just to make sure.