Prerequisites for using FIPS

About CDP with FIPS

Creating a new, fresh cluster is the only way to enable or disable FIPS.

Known Issues

See the Cloudera Manager release notes.

Unsupported Features

Upgrades are not currently supported to or from CDP with FIPS.

note
Upgrades that do not change FIPS status, i.e., CDP FIPS to CDP FIPS, are supported.
Replication is not currently supported.
MRIT localfs is not supported in FIPS environments where SHA2 compatibility is required.
If you are upgrading to Cloudera Runtime 7.1.8 from 7.1.7 SP1 + FIPS, the package manager enabled version does not support FIPS and many Runtime components may not start. To overcome this scenario, you must revert back to the original SafeLogic openssl-devel-y package.

System Requirements

Operating system:

RHEL/Centos 7.9 or RHEL 8.8. For more information, see Operating system requirements.
Java:

Support for FIPS + OpenJDK 8 or Oracle JDK 8 (started from Cloudera Runtime 7.1.9 and Cloudera Manager 7.11.3 release onwards).

Support for FIPS + OpenJDK 11 or Oracle JDK 11 (started from Cloudera Runtime 7.1.9 CHF3 and Cloudera Manager 7.11.3 CHF3 release onwards).

Support for FIPS + OpenJDK 17 (started from Cloudera Runtime 7.1.9 SP1 and Cloudera Manager 7.11.3 CHF7 release onwards). For more information, see Java requirements.
OpenJDK 8 versions: For FIPS the only required and tested versions are 1.8u231 and 1.8u232.
Install and configure a database. See Step 3. Install and Configure Databases

important
The only database supported for CDP with FIPS is PostgresSQL 10 (The embedded version of PostgreSQL is not supported).

caution
Cloudera requires disabling the fapolicyd daemon present in RHEL 8 (and later) systems before beginning installation of Cloudera Manager application. Be informed that fapolicyd is a user space daemon that determines access rights to files based on attributes of the process and file. It can be used to either blacklist or whitelist processes or file access. Proceed with caution with enforcing the use of this daemon. Improper configuration may render the system non-functional.

Supported CDP Versions

Cloudera Manager versions 7.2.4, 7.3.1, 7.4.4, 7.6.1, 7.7.1, 7.7.3, and 7.11.3
CDP Private Cloud Base versions 7.1.5, 7.1.6, 7.1.7, 7.1.7 SP1, 7.1.7 SP2, 7.1.8, 7.1.9, and 7.1.9 SP1.

Supported CDP Components

The following components are supported in FIPS mode:

Atlas
Avro
Cloudera Manager
Cruise Control
Hadoop
Hadoop Credential Provider
HDFS
HBase
Hive
Hive-on-Tez
Hive Meta Store
Hive Warehouse Connector
Hue
Iceberg
Impala
Kafka
Kerberos
Key Trustee Server
Knox
Kudu
Livy
MapReduce
OMID
Oozie
Parquet
Phoenix
Queue Manager
Ranger
Ranger KMS
Schema Registry
Streams Messaging Manager
Streams Replication Manager
Solr
Spark
Sqoop
Tez
TLS
YARN
Zeppelin
note
FIPS support for JDK11 in Zeppelin is available starting from Cloudera Manager 7.11.3 Cumulative hotfix 4
ZooKeeper
note

Navigator Encrypt is not FIPS-compliant.

Step 1: Prepare hosts

Cryptographic operations require entropy to ensure randomness.

Check the available entropy:

cat /proc/sys/kernel/random/entropy_avail must be always above 2k
- In order to keep the entropy high, install the below tools and keep them running:
  - rng-tools - For information about checking available entropy and using rng-tools, see "Entropy Requirements" in Data at Rest Encryption Requirements.
  - haveged - For information about using the haveged entropy daemon, see the haveged documentation.
note
Virtual Machines might have insufficient sources of entropy, which can cause extreme slowness of many Cloudera Manager and CDP operations even with rngd and haveged enabled. You might need to take the following additional hypervisor-level measures to provide enough entropy for strong cryptographic functions required for FIPS compliance:
- Ensure that the Hardware Random Number Generator (Hwrng) is enabled by setting disableHwrng to false
- Set different entropy sources if necessary
Configure the operating system for FIPS.
See, for RHEL 7:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations.

See, for RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies
On all hosts, run one of the following commands to verify that FIPS mode is enabled:
```
cat /proc/sys/crypto/fips_enabled
sysctl crypto.fips_enabled
```
Configure a repository to install Cloudera Manager and other required packages.
1. On the Cloudera Manager server host, download the repository file for your operating system and version:
```
https://[username]:[password]@archive.cloudera.com/p/cm7/7.4.4/redhat7/yum/cloudera-manager.repo
```
2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
```
[cloudera-manager]
name=Cloudera Manager 7.4.4
baseurl=https://archive.cloudera.com/p/cm7/7.4.4/redhat7/yum/
gpgkey=https://archive.cloudera.com/p/cm7/7.4.4/redhat7/yum/
RPM-GPG-KEY-cloudera
username=changeme
password=changeme
gpgcheck=1
enabled=1
autorefresh=0
type=rpm-md
```
3. If your hosts do not have access to https://archive.cloudera.com, you will need to set up a local repository. See Configuring a Local Package Repository.
Manually install OpenJDK 8 / Oracle JDK 8 or OpenJDK 11 / Oracle JDK 11 / OpenJDK 17 (From Cloudera Runtime 7.1.9 SP1 release onwards) on all hosts.
- Installing OpenJDK for CDP Runtime
- Installing Oracle JDK for CDP Runtime

Download and Install CryptoComply for Java (CC for Java) SafeLogic - Java JCE Provider on all hosts:
For JDK 8:
1. Obtain the SafeLogic CC Java module JAR file.
2. Copy the ccj-3.0.2.1.jar file to $JAVA_HOME/jre/lib/ext.
3. Obtain the SafeLogic BCTLS Java module JAR file.
4. Copy the bctls-safelogic.jar file to $JAVA_HOME/jre/lib/ext.
5. Change the file permissions on both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and 0644:
```
chown root: ${java_home}/jre/lib/ext/ccj-3.0.2.1.jar
chmod 0644 ${java_home}/jre/lib/ext/ccj-3.0.2.1.jar
chown root: ${java_home}/jre/lib/ext/bctls-safelogic.jar
chmod 0644 ${java_home}/jre/lib/ext/bctls-safelogic.jar
```
For JDK 11:
1. Obtain the SafeLogic CC Java module JAR file.
2. Copy the ccj-3.0.2.1.jar file to /path/of/your/choice/.
3. Obtain the SafeLogic BCTLS Java module JAR file.
4. Copy the bctls-safelogic.jar file to /path/of/your/choice/.
5. Change the file permissions on both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and 0644:
```
chown root: /path/of/your/choice/ccj-3.0.2.1.jar
chmod 0644 /path/of/your/choice/ccj-3.0.2.1.jar
chown root: /path/of/your/choice/bctls-safelogic.jar
chmod 0644 /path/of/your/choice/bctls-safelogic.jar
```
  note
  the path /path/of/your/choice/ must be the same for both ccj-3.0.2.1.jar and bctls-safelogic.jar. Also, for JDK 11, you must complete steps 7,8, and 9.
For JDK 17: Follow the same instructions as provided for JDK 11.

Add the CCJ configuration to the $JAVA_HOME/jre/lib/security/java.policy file within the closed bracket as shown below:

//CCJ Java Permissions
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "java.runtime.name", "read";
permission java.security.SecurityPermission "putProviderProperty.CCJ";
//CCJ Key Export and Translation
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
//CCJ SSL
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
//CCJ Setting of Default SecureRandom
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
//CCJ Setting CryptoServicesRegistrar Properties
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
//CCJ Enable JKS
permission com.safelogic.cryptocomply.jca.enable_jks "true";
}

Edit the $JAVA_HOME/jre/lib/security/java.security file as follows:

note

Using yum install java-1.8.0-openjdk-devel on RHEL 8 will install a higher-than-recommended version of OpenJDK, such as 8u402, which should work with one adjustment to the java.security file. If "fips.provider" parameters exist in java.security, they must be replaced with the following:

#
# Security providers used when FIPS mode support is active
#
#fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
#fips.provider.2=sun.security.provider.Sun
#fips.provider.3=sun.security.ec.SunEC
#fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
fips.provider.3=sun.fips.provider.Sun
fips.provider.4=sun.security.rsa.SunRsaSign
fips.provider.5=sun.security.ec.SunEC
#fips.provider.6=com.sun.net.ssl.internal.ssl.Provider
fips.provider.6=com.sun.crypto.provider.SunJCE
fips.provider.7=sun.security.jgss.SunProvider
fips.provider.8=com.sun.security.sasl.Provider
fips.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
#fips.provider.11=sun.security.smartcardio.SunPCSC

Add the following lines:

#
# List of providers and their preference orders (see above):
#
security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.rsa.SunRsaSign
security.provider.5=sun.security.ec.SunEC
#security.provider.6=com.sun.net.ssl.internal.ssl.Provider
security.provider.6=com.sun.crypto.provider.SunJCE
security.provider.7=sun.security.jgss.SunProvider
security.provider.8=com.sun.security.sasl.Provider
security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
#security.provider.11=sun.security.smartcardio.SunPCSC

Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the text ssl.KeyManagerFactory.algorithm=X.509.

#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
#ssl.KeyManagerFactory.algorithm=SunX509
ssl.KeyManagerFactory.algorithm=X.509
ssl.TrustManagerFactory.algorithm=PKIX

ONLY for JDK 11 or above:

Make the following changes to the Cloudera Manager configuration:

Open /etc/default/cloudera-scm-server.

uncomment the below configs related to FIPS:

#
# Enable FIPS mode
#
# To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
#
# export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
#
# If JDK version is 11 or higher:
# Uncomment and provide values below to include CCJ with FIPS mode
# export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/path/to/ccj.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
#
# If JDK version is 11 or higher:
# Uncomment and provide values below to include BCTLS with FIPS mode
# export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/path/to/bctls.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
#

to

#
# Enable FIPS mode
#
# To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
#
export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
#
# If JDK version is 11 or higher:
# Uncomment and provide values below to include CCJ with FIPS mode
export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/path/of/your/choice/ccj-3.0.2.1.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
#
# If JDK version is 11 or higher:
# Uncomment and provide values below to include BCTLS with FIPS mode
export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/path/of/your/choice/bctls-safelogic.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
#

For example:

If the ccj jar file name is ccj-test-3.0.2.1.jar, then the module name becomes cj.test. The version numbers are ignored.

You can also find out what the module name would be, using the following command:

$ sudo ${JAVA_HOME}/bin/jar --file=/path/of/your/choice/ccj-test-3.0.2.1.jar --describe-module
No module descriptor found. Derived automatic module.

ccj.test@3.0.2.1 automatic <---- module Name is ccj.test
requires java.base mandated
contains com.safelogic.cryptocomply

To provide Livy Support on FIPS for JDK 11 and JDK 17 (From Cloudera Runtime 7.1.9 SP1 release onwards),

Add the following safety-valve settings for Spark cluster mode:

For SPARK_ON_YARN>GATEWAY role:

spark-conf/spark-env.sh_client_config_safety_valve

export SPARK_SUBMIT_OPTS="$SPARK_SUBMIT_OPTS --add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR>"

For SPARK3_ON_YARN > GATEWAY role:

spark3-conf/spark-env.sh_client_config_safety_valve

export SPARK_SUBMIT_OPTS="$SPARK_SUBMIT_OPTS --add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR>"

Where <BCTLS_JARS_DIR> is the directory containing the SafeLogic bctls and fips core jar files.

For Spark to work correctly on FIPS for JDK 11 or above:

Add the following safety-valve settings:

For SPARK_ON_YARN>GATEWAY role:

spark-conf/spark-defaults.conf_client_config_safety_valve

spark.yarn.am.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
spark.driver.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
spark.executor.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true

For SPARK3_ON_YARN > GATEWAY role:

spark3-conf/spark-defaults.conf_client_config_safety_valve

spark.yarn.am.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
spark.driver.defaultJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
spark.executor.defaultJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true

Where <BCTLS_JARS_DIR> is the directory containing the SafeLogic bctls and fips core jar files.

Step 2: Install and configure the SafeLogic modules and packages for RHEL 7 OS

For RHEL 7, install and configure SafeLogic packages.

important

RHEL 7: install and configure SafeLogic modules.: as described below
RHEL 8:: Skip this step. DO NOT install SafeLogic modules and packages.
OS-provided OpenSSL: Skip this step. DO NOT install SafeLogic modules and packages.

Please contact your Cloudera Sales or Support team to obtain the CDP PVC Base SafeLogic FIPS modules.

Installing the SafeLogic modules and packages may overwrite existing packages on your hosts. Cloudera recommends that you test any non-Cloudera software running on the host for correct functionality.

Obtain the CryptoComply for Libgcrypt (CC for Libgcrypt) and CryptoComply for Server (CC for Server) SafeLogic modules and packages.

Copy the CryptoComply for Server (CCS) - OpenSSL RPMs to all hosts.

Unzip the download.

Run the following command to install the packages.

yum localinstall -y openssl-1.0.2y-1.el7.centos.x86_64.rpm \
openssl-devel-1.0.2y-1.el7.centos.x86_64.rpm \
openssl-libs-1.0.2y-1.el7.centos.x86_64.rpm \
openssl-perl-1.0.2y-1.el7.centos.x86_64.rpm \
openssl-static-1.0.2y-1.el7.centos.x86_64.rpm

Copy the CryptoComply for Libgcrypt RPMs to all hosts.
1. Unzip the file.
2. Run the following command to install the packages.
```
yum localinstall -y libgcrypt-1.5.3-12.el7.centos.1.x86_64.rpm
```

Step 3: Install Cloudera Manager server

Log in to the Cloudera Manager server host.

Run the following command to install Cloudera Manager server.

sudo yum install cloudera-manager-daemons cloudera-manager-agent cloudera-manager-server

Add the following line at the end of the /etc/default/cloudera-scm-server file:

export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true -Dcom.safelogic.cryptocomply.fips.approved_only=true"

Step 4: Validate the CCJ and CCS installation

Run the following commands on each host to validate the CCJ and CCS installation.

Run the following command:

sysctl crypto.fips_enabled

This should return:

crypto.fips_enabled = 1

Run the following command:
```
echo greeting | openssl md5
```
This command should fail, indicating that FIPS is enabled.
note
The next step differs for JDK 8 and JDK 11:

Run the following command:

JDK 8

Run the following command to verify the list of security providers in JDK 8

read -r -d '' list_providers <<EOF
p = java.security.Security.getProviders();
for (i = 0; i < p.length; i++) { java.lang.System.out.println(p[i]); }
EOF
${JAVA_HOME}/bin/jrunscript -e "$list_providers"

This command should return the version numbers of the SafeLogic packages, for example:

CCJ version 1.01
SUN version 1.8
SunRsaSign version 1.8
SunEC version 1.8
SunJSSE version 1.8
SunJCE version 1.8
SunJGSS version 1.8
SunSASL version 1.8
XMLDSig version 1.8
SunPCSC version 1.8

JDK 11 (Recommended)

Run the following command on the Cloudera Manager Server to verify the list of security providers in JDK 11, which grabs the chosen path for the ccj jar file (assume that the bctls file is in the same directory) and show providers with those modules added:

cat > ListSecurityProviders.java <<-EOF
import java.security.Provider;
import java.security.Security;

public class ListSecurityProviders {
 public static void main(String[] args) {
 Provider[] providers = Security.getProviders();
 for (Provider provider : providers) {
 System.out.println("Provider: " + provider.getName());
 System.out.println("Version: " + provider.getVersionStr());
 System.out.println("Info: " + provider.getInfo());
 System.out.println();
 }
 }
}
EOF
java -p $(grep ccj\.jar /etc/default/cloudera-scm-server | awk '{print $3}' | awk -F= '{print $2}' | sed -r 's/(.*)\/.*/\1/') ListSecurityProviders.java

The output will include the following providers if they are configured and referenced properly: for example:

Provider: CCJ
Version: <version>
Info: CryptoComply® for Java version <version>

Provider: BCJSSE
Version: <version>
Info: Bouncy Castle JSSE Provider Version <version>

For JDK 17: Follow the same instruction as provided for JDK 11.

Run the following command:

read -r -d '' do_maxAESKeyLength <<EOF
java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
EOF
answer=`${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength"`
echo $answer

This command should return:

2147483647

Step 5: Install and configure databases

Configure the database in a FIPS-compliant manner. Consult the vendor documentation for your database for details.
Enable the database for TLS/SSL clients, to ensure that all JDBC connections into these databases are FIPS compliant. Consult the vendor documentation for your database for details.
Configure JDBC Driver in a FIPS compliant manner with TLS/SSL and BCFKS provided by CCJ JCE provider. Consult the following Cloudera Knowledge Base article for more information: Configuring SSL/TLS from the various CDH Services to their respective PostgreSQL Databases.
Complete the setup of your databases for use with Cloudera Manager and Cloudera Runtime components. See Install and Configure PostgreSQL for CDP.

note
Starting 7.1.9 SP1, if you are using PostgreSQL as a backend database for Hue on a FIPS cluster, you must install a version of the psycopg2 package from the source to be at least 2.9.5 on all Hue hosts because the psycopg2-binary package uses its version of the libssl library file which does not support FIPS. See Installing the psycopg2 Python package for PostgreSQL database on a FIPS cluster (RHEL 8).