Prerequisites

Required prerequisites for FIPS for CDP.

About CDP with FIPS

Known Issues

Unsupported Features

  • Upgrades are not currently supported to or from CDP with FIPS.

  • Replication is not currently supported.

System Requirements

  • Operating system: RHEL/CentOS 7.8
  • Java: OpenJDK 8 / Oracle JDK 8
  • Install and configure a database. See Step 4. Install and Configure Databases

Supported CDP Versions

  • Cloudera Manager versions 7.2.4, 7.3.1

  • CDP Private Cloud Base versions 7.1.5, 7.1.6

Supported CDP Components

The following components are supported in FIPS mode:

  • Atlas
  • Avro
  • Cloudera Manager
  • Cruise Control
  • Hadoop
  • Hadoop Credential Provider
  • HDFS
  • HBase
  • Hive
  • Hive-on-Tez
  • Hive Meta Store
  • Hive Warehouse Connector
  • Hue
  • Impala
  • Kafka
  • Kerberos
  • Key Trustee Server
  • Knox
  • Kudu
  • Livy
  • MapReduce
  • Oozie
  • Parquet
  • Queue Manager
  • Ranger
  • Schema Registry
  • Streams Messaging Manager
  • Streams Replication Manager (Technical Preview)
  • Solr
  • Spark
  • Sqoop
  • Tez
  • TLS
  • YARN
  • ZooKeeper

Step 1: Prepare hosts

  1. Check the available entropy. Cryptographic operations require entropy to ensure randomness.
  2. Configure the operating system for FIPS.
  3. On all hosts, run one of the following commands to verify that FIPS mode is enabled:
    cat /proc/sys/crypto/fips_enabled
    sysctl crypto.fips_enabled
  4. Configure a repository to install Cloudera Manager and other required packages.
    1. On the Cloudera Manager server host, download the repository file for your operating system and version:
      https://[username]:[password]@archive.cloudera.com/p/cm7/7.2.4/redhat7/yum/cloudera-manager.repo
    2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
      [cloudera-manager]
      name=Cloudera Manager 7.2.4
      baseurl=https://archive.cloudera.com/p/cm7/7.2.4/redhat7/yum/
      gpgkey=https://archive.cloudera.com/p/cm7/7.2.4/redhat7/yum/RPM-GPG-KEY-cloudera
      username=changeme
      password=changeme
      gpgcheck=1
      enabled=1
      autorefresh=0
      type=rpm-md
    3. If your hosts do not have access to https://archive.cloudera.com, you will need to set up a local repository. See Configuring a Local Package Repository.
  5. Manually install OpenJDK 8 or Oracle JDK 8 on all hosts.
  6. Download and install the SafeLogic CryptoComply for Java (CC for Java) JCE provider on all hosts:
    1. Download the SafeLogic CC Java module JAR file from https://archive.cloudera.com/p/fips-ea/safelogic.
    2. Copy the ccj-3.0.1.jar file to $JAVA_HOME/jre/lib/ext.
  7. Add the following to the $JAVA_HOME/jre/lib/security/java.policy file.
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
  8. Add the following to the $JAVA_HOME/jre/lib/security/java.security file.
    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    security.provider.2=sun.security.provider.Sun
    security.provider.3=sun.security.rsa.SunRsaSign
    security.provider.4=sun.security.ec.SunEC
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI

Step 2: Install and configure the SafeLogic modules and packages

  1. Download the CryptoComply for Libgcrypt (CC for Libgcrypt) and CryptoComply for Server (CC for Server) SafeLogic modules and packages from https://archive.cloudera.com/p/fips-ea/safelogic.
  2. Copy the CryptoComply for Server (CCS) - OpenSSL RPMs to all hosts.
    1. Unzip the download.
    2. Run the following command to install the packages.
      yum localinstall -y openssl-1.0.2v-1.el7.centos.x86_64.rpm \
      openssl-devel-1.0.2v-1.el7.centos.x86_64.rpm \
      openssl-libs-1.0.2v-1.el7.centos.x86_64.rpm \
      openssl-perl-1.0.2v-1.el7.centos.x86_64.rpm \
      openssl-static-1.0.2v-1.el7.centos.x86_64.rpm
  3. Copy the CryptoComply for Libgcrypt RPMs to all hosts.
    1. Unzip the file.
    2. Run the following command to install the packages.
      yum localinstall -y libgcrypt-1.5.3-12.el7.centos.1.x86_64.rpm

Step 3: Install Cloudera Manager server

  1. Log in to the Cloudera Manager server host.
  2. Run the following command to install Cloudera Manager server.
    sudo yum install cloudera-manager-daemons cloudera-manager-agent cloudera-manager-server
  3. Add the following line at the end of the /etc/default/cloudera-scm-server file:
    export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true -Dcom.safelogic.cryptocomply.fips.approved_only=true"

Step 4: Validate the CCJ and CCS installation

Run the following commands on each host to validate the CCJ and CCS installation.

  1. Run the following command:
    sysctl crypto.fips_enabled

    This should return:

    crypto.fips_enabled = 1
  2. Run the following command:
    echo greeting | openssl md5

    This command should fail: MD5 is not a FIPS-approved algorithm, so OpenSSL in FIPS mode refuses it.

  3. Run the following command:
    read -r -d '' list_providers <<EOF
    p = java.security.Security.getProviders();
    for (i = 0; i < p.length; i++) { java.lang.System.out.println(p[i]); }
    EOF
    ${JAVA_HOME}/bin/jrunscript -e "$list_providers"

    This command should list the registered security providers and their version numbers, with the SafeLogic CCJ provider first, for example:

    CCJ version 1.01
    SUN version 1.8
    SunRsaSign version 1.8
    SunEC version 1.8
    SunJSSE version 1.8
    SunJCE version 1.8
    SunJGSS version 1.8
    SunSASL version 1.8
    XMLDSig version 1.8
    SunPCSC version 1.8
  4. Run the following command:
    read -r -d '' do_maxAESKeyLength <<EOF
    java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
    EOF
    answer=$(${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength")
    echo "$answer"

    This command should return:

    2147483647
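The host checks from Step 1 and the validation commands from Step 4, gathered into one pre-flight script as an added example that is not part of the Cloudera documentation. Each check is a function that takes text or a file path, so it can also be run against output captured from other hosts; the 1000-bit entropy floor and the ccj-*.jar file name pattern are assumptions, not values from the documentation.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloudera page): pre-flight checks for a CDP FIPS host.
# Check functions take text or a path so they also run on captured output; audit_host
# wires them to the live host. The 1000-bit entropy floor and ccj-*.jar are assumptions.
CCJ_PROVIDER=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider

# 0 when the kernel FIPS flag text ("1" or "crypto.fips_enabled = 1") reports FIPS mode.
fips_flag_ok() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]' | sed 's/^crypto\.fips_enabled=//')" = 1 ]
}

# 0 when available entropy (bits) meets the floor; reads the live kernel if no value given.
entropy_ok() {
  local avail=${1:-$(cat /proc/sys/kernel/random/entropy_avail)} min=${2:-1000}
  [ "$avail" -ge "$min" ] 2>/dev/null
}

# 0 when the repo file has no changeme placeholder left and GPG signature checking stays on.
repo_ok() {
  ! grep -q changeme "$1" && grep -qE '^[[:space:]]*gpgcheck=1[[:space:]]*$' "$1"
}

# 0 when java.security lists the CCJ FIPS provider as provider 1 and numbers providers
# 1..N without gaps, so no stray entry can outrank it or silently drop a provider.
java_security_ok() {
  awk -F= -v want="$CCJ_PROVIDER" '
    BEGIN { max = 0 }
    /^security\.provider\.[0-9]+=/ { split($1, k, "."); n = k[3] + 0
      if (n == 1 && $2 != want) bad = 1
      seen[n] = 1; if (n > max) max = n }
    END { if (bad || max == 0) exit 1
      for (i = 1; i <= max; i++) if (!seen[i]) exit 1 }' "$1"
}

# 0 when a CCJ jar sits in the JRE extension directory under the given JAVA_HOME.
ccj_jar_present() { ls "$1"/jre/lib/ext/ccj-*.jar >/dev/null 2>&1; }

# Runs every check on this host; prints one PASS/FAIL line per item, returns 1 on any FAIL.
audit_host() {
  local rc=0 jh=${JAVA_HOME:?JAVA_HOME must be set}
  check() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
  check fips_flag_ok "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)"
  check entropy_ok
  check repo_ok /etc/yum.repos.d/cloudera-manager.repo
  check java_security_ok "$jh/jre/lib/security/java.security"
  check ccj_jar_present "$jh"
  # In FIPS mode OpenSSL must refuse the non-approved MD5 digest (Step 4, item 2).
  if printf 'greeting\n' | openssl md5 >/dev/null 2>&1; then echo "FAIL md5_refused"; rc=1
  else echo "PASS md5_refused"; fi
  return "$rc"
}
```

Run `audit_host` on each host after Step 3; any FAIL line means that host is not yet ready to run Cloudera Manager in FIPS mode.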

Step 5: Install and configure databases

  1. Configure the database in a FIPS-compliant manner. Consult the vendor documentation for your database for details.
  2. Enable TLS/SSL for database clients so that all JDBC connections to these databases are FIPS compliant. Consult the vendor documentation for your database for details.
  3. Configure the JDBC driver in a FIPS-compliant manner, using TLS/SSL and the BCFKS keystore format provided by the CCJ JCE provider. Consult the following Cloudera Knowledge Base article for more information: Configuring SSL/TLS from the various CDH Services to their respective PostgreSQL Databases.
  4. Complete the setup of your databases for use with Cloudera Manager and Cloudera Runtime components. See Install and Configure PostgreSQL for CDP.