This topic provides important background information about CDP running in FIPS-compliant mode via the use of FIPS 140-2 validated cryptographic modules.
The Federal Information Processing Standards (FIPS) publications are publicly available standards and guidelines jointly developed by the US government and industry, and issued by the National Institute of Standards and Technology (NIST) for use in information systems by Federal government agencies and government contractors.
Within the FIPS Publications, the FIPS Publication 140-2 (FIPS 140-2) is the standard for encryption modules. FIPS 140-2 specifies the security requirements that must be satisfied by a cryptographic module utilized within a security system protecting sensitive information. To ensure conformance with the FIPS 140-2 standard, cryptographic modules must first be validated as conforming to the FIPS 140-2 standard using the Cryptographic Module Validation Program (CMVP). Through the CMVP, validation of a cryptographic module for FIPS 140-2 conformance is conducted by independent Cryptographic and Security Testing (CST) laboratories that have been accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). Following validation, cryptographic modules are issued validation certificates, and these modules can then be deployed by Federal agencies as part of information systems that require the protection of sensitive information. For additional details on the FIPS 140-2 Publication and standard, see Security Requirements for Cryptographic Modules.
While the FIPS 140-2 standard has been broadly adopted, in the United States the FIPS 140-2 standard is leveraged in several government security compliance and accreditation mandates and frameworks, including FISMA, FedRAMP, and DISA Security Technical Implementation Guides (STIG). Within many of these compliance and accreditation mandates, it is specified that FIPS validated cryptography must be used at a minimum when encryption is employed within an information system. These mandates also specify that FIPS-validated cryptography should be used in a compliant manner consistent with the standard and mandates. As a result, system operators are typically required to:
- Enable FIPS mode within an operating system (OS) used in the information system (e.g., RHEL and CentOS), to ensure that the OS is configured to be compliant with the FIPS 140-2 standard, and to enforce the use of FIPS-approved keystores, algorithms, and strengths with FIPS 140-2 validated cryptographic modules.
- With respect to the application running on top of the OS, ensure that FIPS 140-2 validated cryptographic modules are used with the application. In addition, configure the application to be compliant with the FIPS 140-2 standard as well as the government security compliance and applicable accreditation mandate or framework. This typically includes employing the use of FIPS-approved keystores and algorithms with FIPS 140-2 validated cryptographic modules, as well as employing strong authentication, authorization, audit, data governance, in-transient data encryption, and at-rest data encryption features.
Beginning with CDP Private Cloud Base version 7.1.5, CDP Private Cloud Base can be configured to operate in a FIPS-compliant mode by leveraging FIPS 140-2 validated cryptographic modules. Cloudera has accomplished this by supporting the deployment of the CDP Private Cloud Base platform on a FIPS-mode enabled Operating System (e.g., RHEL or CentOS) that is integrated with FIPS 140-2 validated cryptography modules.
SafeLogic provides Cloudera with supported FIPS 140-2 validated modules that have been approved through the NIST CMVP. These modules replace JCE (Java Cryptographic Extension) providers (such as Bouncy Castle), OpenSSL, NSS, and Libgcrypt cryptographic libraries.
The SafeLogic CryptoComply modules are bundled with the CDP Private Cloud Base 7.x FIPS release as separately licensed downloads from the Cloudera Manager (CM) and Cloudera Runtime/CDH RPMs/Parcels via Cloudera's authenticated repositories. The SafeLogic CryptoComply modules are as follows:
CryptoComply for Server (CCS) - OpenSSL RPMs
CryptoComply for Java (CCJ) - Java Cryptography Extension JAR
CryptoComply for Libgcrypt RPMs
Cloudera has integrated these FIPS-validated libraries with the CDP Private Cloud Base platform through installation and runtime configuration of the CDP Private Cloud Base platform. You must install the SafeLogic CryptoComply modules on the applicable operating system, configured in FIPS mode, and then configure CDP Private Cloud Base to use these modules in a FIPS-compliant manner.
Beginning with version 7.1.5, CDP Private Cloud Base is capable of running in a FIPS-compliant mode. Cloudera currently supports a subset of platform components and features running on a FIPS-compliant operating system. Cloudera does not guarantee that the platform components themselves are FIPS 140-2 compliant. However, future releases of CDP Private Cloud Base will replace non-compliant platform components and features with fully compliant FIPS 140-2 implementations.
Given that the use of CDP Private Cloud Base security features within regulated government environments is commonplace, these features should be configurable to be compliant with the FIPS 140-2 standard, as well as the applicable government security compliance and accreditation mandate or framework. This typically includes the use of FIPS-approved keystores and algorithms with FIPS 140-2 validated cryptographic modules, strong authentication, authorization, audit, data governance, in-transient data encryption, and at-rest data encryption features. Cloudera recommends the use of the following components as described in the installation documentation:
Encryption in-motion using TLS (Auto-TLS support).
Encryption at-rest with HDFS Transparent Data Encryption (TDE), Ranger KMS, and Key Trustee Server as the backend keystore.
Strong authentication with Kerberos and Apache Knox.
Authorization, audit, and data governance with Apache Ranger and Apache Atlas.
CDP Private Cloud Base version 7.1.7 with FIPS-compliant mode is currently only available for new installations. Upgrades are not currently supported to CDP Private Cloud Base with FIPS features enabled. A future CDP Private Cloud Base release will add upgrade support from CDP Private Cloud Base 7.1.7 deployments with FIPS features enabled.
Cloudera is not responsible for providing instructions for enabling FIPS mode on a RHEL or CentOS-based operating system, or instructions on configuring the required external databases in a FIPS 140-2 compliant manner. Please consult the vendor documentation for your database for details.
The supported platform components and features and all limitations with this release are documented in the Prerequisites section.
In summary, the ability to run CDP Private Cloud Base in a FIPS 140-2 compliant mode allows CDP Private Cloud Base FIPS platform customers to improve conformance with their compliance and accreditation standards within their information systems..