Install and configure additional required components

Use the following steps to install additional required components for FIPS.

  1. Perform the Additional Steps for Apache Ranger.
  2. Add Ranger to the Shadow group.
    usermod -a -G shadow ranger
  3. Install and Configure TLS either automatically or manually.
    If you are manually configuring TLS, see:

    Generate certificates in BCFKS format

    The standard keytool utility distributed with the JDK can generate BCFKS formatted keystores using the CCJ security provider. When the CCJ security provider is statically installed into the JDK as previously described, there is no need to pass the keytool utility the -providerpath path/to/ccj- or -providerclass com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS arguments. It is only necessary to pass BCFKS as the storetype for the keytool operation being invoked.

    For example, keytool -importkeystore can be used to import a PKCS12 keystore into a BCFKS keystore:

    keytool \
        -importkeystore -v \
        -srckeystore <pkcs12_keystore_file> \
        -srcstoretype PKCS12 \
        -srcstorepass <pkcs12_pass> \
        -destkeystore <bcfks_keystore_file> \
        -deststoretype BCFKS \
        -deststorepass <bcfks_keystore_pass> \
        -destkeypass <bcfks_key_pass>

    Systems administrators and other platform implementers should consult their organization’s information systems security managers for the correct procedures for generating keypairs and requesting signing of x509 certificates. The Cloudera Data Platform requires the private key and signed certificate in both PEM encoded and BCFKS keystore format. The steps to accomplish this task might look similar to the following:

    1. openssl genpkey
    2. openssl req
    3. Have the CA sign the CSR.
    4. Import the private key and signed certificate into a PKCS12 keystore:
      openssl pkcs12
    5. Import the PKCS12 keystore into a BCFKS keystore:
      keytool -importkeystore
  4. Enable Kerberos authentication using the Cloudera Manager Kerberos wizard.
  5. Set the kdc_timeout value in the krb5.conf file to a high enough setting to avoid client timeout errors while running queries.
    1. Open the /etc/krb5.conf file with a text editor.
    2. Under [libdefaults], set the kdc_timeout value to a minimum of 5000 (5 seconds).
  6. Install Apache Knox. See Installing Apache Knox.
  7. Install Ranger KMS with Key Trustee Server. See Installing Ranger KMS backed with a Key Trustee Server and HA
  8. Configure HDFS Transparent Data Encryption with Ranger KMS with Key Trustee Server.