IL4 Air-Gapped Deployment Guide
Complete deployment guide for ABS Core in DoD Impact Level 4 (CUI / National Security Systems) environments with zero internet dependency.
Overview
This guide covers deployment of ABS Core in DoD Impact Level 4 (IL4) environments — Controlled Unclassified Information (CUI) and National Security Systems (NSS) — with zero internet connectivity.
Prerequisites (all required before proceeding):
- Authority to Operate (ATO) or Interim ATO from a DoD Authorizing Official
- FIPS 140-3 validated cryptographic modules (RHEL 9 or Ubuntu 22.04 with FIPS mode active)
- TPM 2.0 chip available on deployment hardware
- DoD PKI certificates issued by a DoD CA
- Personnel with appropriate clearances (CUI minimum)
Architecture: Cloud-Zero Mode
In IL4 mode, every cloud dependency is disabled or replaced:
| Component | Cloud (dev) | Air-Gap (IL4) |
|---|---|---|
| CORTEX storage | Cloudflare D1 | PostgreSQL local + pgvector |
| LEDGER | Cloudflare Worker + D1 | Node.js process + SQLite |
| QUORUM | Cloudflare Worker + Upstash | Node.js process + Redis local |
| TSA timestamps | FreeTSA.org / DigiCert | ABS Internal TSA (@abs-core/tsa-internal) |
| Key storage | PEM file | TPM 2.0 sealed key |
| Authentication | API keys | DoD PKI mTLS + CAC |
| LLM (CORTEX) | Azure AI / OpenAI | Ollama local model |
| Embeddings | text-embedding-3-small | nomic-embed-text (Ollama) |
| Updates | npm / pip | Signed TAR bundles |
Step 1: Verify FIPS Mode
# Check kernel FIPS
cat /proc/sys/crypto/fips_enabled # Must return 1
# Check OpenSSL FIPS (OpenSSL 3.x; `version -a` alone does not show FIPS state)
openssl version -a # Must show OpenSSL 3.x
openssl list -providers # Must list the "fips" provider with status: active
# RHEL 9
fips-mode-setup --check # "FIPS mode is enabled"
# Ubuntu 22.04
ua status | grep fips # "fips-updates: enabled"
If FIPS is not active:
# RHEL 9
sudo fips-mode-setup --enable
sudo reboot
# Ubuntu 22.04 (requires Ubuntu Pro subscription)
sudo ua enable fips-updates
sudo reboot
Step 2: TPM 2.0 Key Initialization
# Verify TPM 2.0 available
tpm2_getcap handles-persistent
# Generate ABS Core signing key (sealed to PCRs 0, 1, 7, 11)
# This binds the key to the current boot state: a firmware, Secure Boot policy
# or measured-kernel update changes these PCRs, so plan to re-seal after each one
export ABS_IMPACT_LEVEL=4
export ABS_KEY_DIR=/etc/abs-core/keys
node -e "
const { resolveHardwareKeyProvider } = require('@abs-core/identity/tpm2-key-provider');
resolveHardwareKeyProvider('$ABS_KEY_DIR').then(({ source }) => {
console.log('Key provider:', source);
}).catch(e => { console.error(e.message); process.exit(1); });
"
# Verify key in TPM
tpm2_getcap handles-persistent | grep 0x81000001
# Run attestation (verify boot state matches key creation)
node -e "
const { TPM2KeyProvider } = require('@abs-core/identity/tpm2-key-provider');
const p = new TPM2KeyProvider('/etc/abs-core/keys');
p.attest().then(r => {
console.log('Boot state valid:', r.bootStateValid);
if (!r.bootStateValid) {
console.error('PCR mismatch:', r.mismatchedPCRs);
process.exit(1);
}
}).catch(e => { console.error(e.message); process.exit(1); });
"
Step 3: DoD PKI Configuration
# Copy the DoD trust bundle from approved transfer media (nothing is downloaded inside the air gap)
sudo mkdir -p /etc/abs-core/pki
sudo cp /media/approved-transfer/dod-trust-bundle.pem /etc/abs-core/pki/
# Install server certificate from DoD PKI
sudo cp /media/approved-transfer/abs-core-server.crt /etc/abs-core/pki/
sudo cp /media/approved-transfer/abs-core-server.key /etc/abs-core/pki/
sudo chmod 600 /etc/abs-core/pki/abs-core-server.key
sudo chown abscore:abscore /etc/abs-core/pki/abs-core-server.key
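Before the certificate is wired into the configuration it is worth proving the material is usable: that the server certificate chains to the trust bundle just installed, that the private key belongs to it, that it is not about to expire, and that the key file is locked down. The script below does that with nothing but openssl and stat. It is an added example, not ABS Core tooling; the CA and server certificate it generates are constructed stand-ins for DoD PKI material, and the file names mirror the /etc/abs-core/pki layout above.

```shell
#!/bin/sh
# Added example (not ABS Core tooling): prove the Step 3 PKI material is usable
# before it is wired into the configuration. Only openssl and stat are used.
# make_test_pki builds a constructed CA and server cert that stand in for the
# DoD trust bundle and the DoD-issued server certificate.

# check_mtls_material BUNDLE CERT KEY
# Passes only if: CERT chains to BUNDLE, KEY is CERT's private key, CERT has
# more than 30 days left, and KEY is mode 0600. Prints one FAIL line per problem.
check_mtls_material() {
  bundle="$1"; cert="$2"; key="$3"; rc=0
  if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $bundle"; rc=1
  fi
  # Compare the public key embedded in the cert with the one derived from the key
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $cert"; rc=1
  fi
  # -checkend N fails when the cert expires within N seconds (30 days here)
  if ! openssl x509 -in "$cert" -checkend 2592000 -noout >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 30 days"; rc=1
  fi
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  if [ "$mode" != "600" ]; then
    echo "FAIL: $key is mode $mode, expected 600"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "PASS: $cert chains to $bundle and matches $key"
  return "$rc"
}

# make_test_pki DIR: constructed PKI for the demo (an issuing CA, an unrelated
# CA, and a 90-day server cert issued by the first one).
make_test_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Root CA" \
    -keyout "$d/ca.key" -out "$d/dod-trust-bundle.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$d/other.key" -out "$d/other-bundle.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=abs-core.example" \
    -keyout "$d/abs-core-server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -days 90 -CAcreateserial \
    -CA "$d/dod-trust-bundle.pem" -CAkey "$d/ca.key" \
    -out "$d/abs-core-server.crt" >/dev/null 2>&1
  chmod 600 "$d/abs-core-server.key" "$d/ca.key" "$d/other.key"
}

PKI_DIR=$(mktemp -d)
make_test_pki "$PKI_DIR"
check_mtls_material "$PKI_DIR/dod-trust-bundle.pem" \
  "$PKI_DIR/abs-core-server.crt" "$PKI_DIR/abs-core-server.key"
```

Against the real files the call is `check_mtls_material /etc/abs-core/pki/dod-trust-bundle.pem /etc/abs-core/pki/abs-core-server.crt /etc/abs-core/pki/abs-core-server.key`, run as the abscore user so the key is readable. The public-key comparison catches the common transfer mistake of a certificate and key from different enrollments, which a chain check alone never sees.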
# Configure ABS Core
export ABS_DOD_CA_BUNDLE=/etc/abs-core/pki/dod-trust-bundle.pem
export ABS_MTLS_CERT=/etc/abs-core/pki/abs-core-server.crt
export ABS_MTLS_KEY=/etc/abs-core/pki/abs-core-server.key
Step 4: Local Infrastructure (No Cloud)
# Container images are loaded from approved media (docker load) rather than pulled.
# Start PostgreSQL with pgvector (local)
# Publish on loopback only. `--network none` would give the container no interface
# at all, so nothing on the host could reach the localhost:5432 used in Step 5.
docker run -d --name abs-postgres \
-p 127.0.0.1:5432:5432 \
-e POSTGRES_USER=abs \
-e POSTGRES_PASSWORD=<strong-password> \
-e POSTGRES_DB=abs_core \
pgvector/pgvector:pg16
# Start Redis (local, no Upstash)
docker run -d --name abs-redis \
-p 127.0.0.1:6379:6379 \
redis:7-alpine \
redis-server --requirepass <strong-password>
# Start Ollama (local LLM — no internet)
# `ollama pull` needs the public model registry, so pull on the approved update
# station, then carry the models across on approved media:
# (on the update station)
ollama pull llama3.2
ollama pull nomic-embed-text
# (on the air-gapped host) copy the update station's ~/.ollama/models tree into the
# models directory of the account the Ollama service runs under, then confirm:
ollama list # Must show llama3.2 and nomic-embed-text
Step 5: Environment Configuration (IL4)
cat > /etc/abs-core/env.il4 << 'EOF'
# ABS Core IL4 Air-Gap Configuration
ABS_IMPACT_LEVEL=4
ABS_ENV=production
ABS_FIPS_MODE=strict
CORTEX_ENV=production
# Crypto
CORTEX_SIGNING_KEY_PASSWORD=<from-hsm-or-tpm>
ABS_KEY_PASSWORD=<from-hsm-or-tpm>
OCTAGON_GRPC_TOKEN=<generate: openssl rand -hex 32>
ABS_IPC_HMAC_SECRET=<generate: openssl rand -hex 32>
# Storage (local, no cloud)
DATABASE_URL=postgres://abs:<password>@localhost:5432/abs_core
REDIS_URL=redis://:<password>@localhost:6379
VECTOR_PROVIDER=pgvector
# LLM (local Ollama — no internet)
LLM_PROVIDER=ollama
LLM_BASE_URL=http://localhost:11434
LLM_CHAT_MODEL=llama3.2
LLM_EMBED_MODEL=nomic-embed-text
# DoD PKI
ABS_DOD_CA_BUNDLE=/etc/abs-core/pki/dod-trust-bundle.pem
ABS_MTLS_CERT=/etc/abs-core/pki/abs-core-server.crt
ABS_MTLS_KEY=/etc/abs-core/pki/abs-core-server.key
# TSA (internal — no FreeTSA.org)
ABS_RFC3161_ENABLED=true
ABS_TSA_INTERNAL=true
ABS_TSA_EXTERNAL_ENABLED=false
# Disable all cloud features
ABS_CLOUD_ZERO=true
ABS_CLOUDFLARE_ENABLED=false
EOF
sudo chmod 600 /etc/abs-core/env.il4
sudo chown abscore:abscore /etc/abs-core/env.il4
Step 6: STIG Hardening
# Run STIG hardening playbook
ansible-playbook \
-i inventory/il4-servers.yml \
security/ansible/stig-harden.yml \
-e "abs_impact_level=4 fips_required=true"
# Verify SELinux enforcing ("SELinux status" only reports enabled/disabled)
sestatus | grep "Current mode" # enforcing
# Verify auditd is active
systemctl status auditd # active (running)
# Check for STIG violations
sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Step 7: Deploy ABS Core Services
# Load environment
source /etc/abs-core/env.il4
# Apply database migrations
make migrate
# Start services (systemd, not Docker in production)
sudo systemctl enable --now abs-cortex abs-ledger abs-quorum abs-chi
# Verify all services
systemctl status abs-cortex abs-ledger abs-quorum abs-chi
# Verify LEDGER health
curl --cacert /etc/abs-core/pki/dod-trust-bundle.pem \
--cert /etc/abs-core/pki/abs-core-server.crt \
--key /etc/abs-core/pki/abs-core-server.key \
https://localhost:8092/health
Step 8: Validation
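Before the suite runs it is cheap to lint /etc/abs-core/env.il4 from Step 5 for the three things that most often slip through a transfer: a required cloud-zero setting missing or flipped, a `<placeholder>` secret that was never filled in, and a URL that still points at a hosted service instead of loopback. The script below is an added example, not part of ABS Core; the required key/value pairs are the ones the env.il4 template above fixes, and the two sample files are constructed here to show a clean file beside one that still reaches for the cloud.

```shell
#!/bin/sh
# Added example (not ABS Core tooling): pre-flight lint for env.il4.
# Required settings are copied from the Step 5 template; sample files are
# constructed for the demo.

# Exact lines every IL4 env file must carry (from the Step 5 template).
IL4_REQUIRED="ABS_IMPACT_LEVEL=4 ABS_FIPS_MODE=strict ABS_CLOUD_ZERO=true
ABS_CLOUDFLARE_ENABLED=false ABS_TSA_EXTERNAL_ENABLED=false
LLM_PROVIDER=ollama VECTOR_PROVIDER=pgvector"

# url_host URL: host part of scheme://[user[:pass]@]host[:port][/path]
url_host() {
  rest="${1#*://}"            # drop scheme
  rest="${rest##*@}"          # drop userinfo
  rest="${rest%%/*}"          # drop path
  case "$rest" in
    \[*\]*) rest="${rest#\[}"; rest="${rest%%]*}" ;;   # [IPv6]:port
    *)      rest="${rest%%:*}" ;;                      # host:port
  esac
  printf '%s\n' "$rest"
}

# lint_il4_env FILE: returns 0 if clean, 1 with one FAIL line per finding.
lint_il4_env() {
  f="$1"; rc=0
  for kv in $IL4_REQUIRED; do
    if ! grep -qx "$kv" "$f"; then
      echo "FAIL: expected $kv"; rc=1
    fi
  done
  # An unfilled <placeholder> means a secret or password never got set.
  if grep -v '^[[:space:]]*#' "$f" | grep -q '<[^>]*>'; then
    echo "FAIL: unfilled <placeholder> value present"; rc=1
  fi
  # Every URL-valued setting must point at the loopback interface.
  urls=$(grep -v '^[[:space:]]*#' "$f" | grep '://' || true)
  for line in $urls; do
    key="${line%%=*}"; host=$(url_host "${line#*=}")
    case "$host" in
      localhost|127.0.0.1|::1) ;;
      *) echo "FAIL: $key points off-host at '$host'"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "PASS: $f is cloud-zero"
  return "$rc"
}

# write_samples DIR: constructed env files, one clean and one still cloud-bound.
write_samples() {
  d="$1"; mkdir -p "$d"
  cat > "$d/env.il4.good" <<'EOF'
# Constructed demo values; secrets are not real
ABS_IMPACT_LEVEL=4
ABS_ENV=production
ABS_FIPS_MODE=strict
OCTAGON_GRPC_TOKEN=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
DATABASE_URL=postgres://abs:s3cret@localhost:5432/abs_core
REDIS_URL=redis://:s3cret@127.0.0.1:6379
VECTOR_PROVIDER=pgvector
LLM_PROVIDER=ollama
LLM_BASE_URL=http://localhost:11434
ABS_TSA_EXTERNAL_ENABLED=false
ABS_CLOUD_ZERO=true
ABS_CLOUDFLARE_ENABLED=false
EOF
  cat > "$d/env.il4.bad" <<'EOF'
ABS_IMPACT_LEVEL=4
ABS_FIPS_MODE=strict
REDIS_URL=redis://:<password>@redis.example.net:6379
LLM_PROVIDER=ollama
LLM_BASE_URL=https://api.openai.com/v1
VECTOR_PROVIDER=pgvector
ABS_CLOUD_ZERO=true
ABS_CLOUDFLARE_ENABLED=true
ABS_TSA_EXTERNAL_ENABLED=false
EOF
}

ENV_DIR=$(mktemp -d)
write_samples "$ENV_DIR"
lint_il4_env "$ENV_DIR/env.il4.good"
lint_il4_env "$ENV_DIR/env.il4.bad" || true
```

On a deployed host run `lint_il4_env /etc/abs-core/env.il4` as the abscore user. The loopback check is deliberately a whitelist: a hostname that happens to resolve locally still fails, because in an air gap a name that needs resolution is itself a finding.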
# Run IL4 validation suite
ABS_IMPACT_LEVEL=4 make test-e2e
# Verify FIPS crypto compliance
python3 -c "
from cortex_engine.fips import check_fips_status
s = check_fips_status()
print('FIPS enabled:', s.fips_enabled)
print('Level:', s.compliance_level)
assert s.fips_enabled, 'FIPS must be active for IL4'
print('PASSED: FIPS 140-3 active')
"
# Verify TPM attestation
node -e "
const { TPM2KeyProvider } = require('@abs-core/identity/tpm2-key-provider');
const p = new TPM2KeyProvider('/etc/abs-core/keys');
p.attest().then(r => {
if (!r.bootStateValid) process.exit(1);
console.log('PASSED: TPM boot state valid');
}).catch(e => { console.error(e.message); process.exit(1); });
"
Offline Update Procedure
For air-gapped environments, software updates are delivered via signed TAR bundles:
# On internet-connected workstation (approved update station):
make build-offline-bundle VERSION=4.5.1
# Bundle is signed with release Ed25519 key:
# abs-core-4.5.1-offline.tar.gz
# abs-core-4.5.1-offline.tar.gz.sig
# Transfer to air-gapped system via approved media
# Verify signature before installing. Ed25519 signatures are checked raw with
# pkeyutl; `openssl dgst -sha384 -verify` rejects an Ed25519 key because the
# scheme does its own hashing:
openssl pkeyutl -verify -pubin -rawin \
-inkey /etc/abs-core/pki/abs-core-release.pub.pem \
-sigfile abs-core-4.5.1-offline.tar.gz.sig \
-in abs-core-4.5.1-offline.tar.gz
# Note: the OpenSSL 3.0 FIPS provider does not implement Ed25519 (EdDSA entered the
# FIPS provider only in OpenSSL 3.5). If this fails with an unsupported-algorithm
# error on a strict-FIPS host, add `-provider default` and record the exception in the SSP.
Compliance Checklist
Before requesting ATO:
- FIPS 140-3 active (/proc/sys/crypto/fips_enabled = 1)
- TPM 2.0 keys generated and attested
- DoD PKI certificates installed and validated
- SELinux enforcing with ABS Core policies loaded
- STIG hardening playbook executed (zero critical findings)
- Auditd configured with ABS Core rules
- No cloud dependencies in IL4 mode
- All services running under systemd with hardening directives
- mTLS verified between all pillar communications
- Bell-LaPadula MLS policies tested (opa test policies/)
- CUI labels configured in LEDGER
- Incident Response plan documented
- Personnel clearances verified
- SSP submitted to AO for review