Prerequisites for using FIPS
This page provides comprehensive information regarding prerequisites that you must be aware of while using FIPS for CDP.
About CDP with FIPS
Creating a new, fresh cluster is the only way to enable or disable FIPS.
Known Issues
Unsupported Features
- Upgrades are not currently supported to or from CDP with FIPS.
- Replication is not currently supported.
- MRIT localfs is not supported in FIPS environments where SHA2 compatibility is required.
- If you are upgrading to Cloudera Runtime 7.1.8 from 7.1.7 SP1 + FIPS, the package manager enabled version does not support FIPS and many Runtime components may not start. To overcome this scenario, you must revert back to the original SafeLogic openssl-devel-y package.
System Requirements
- Operating system: RHEL/CentOS 7.9 or RHEL 8.8. For more information, see Operating system requirements.
- Java: OpenJDK 8 / Oracle JDK 8 in any CDP 7.1.9 and CM 7.11.3 version, or OpenJDK 11 / Oracle JDK 11 starting in CDP 7.1.9 CHF 3 and CM 7.11.3 CHF 3 versions and higher, as designated with p3 or .3 suffixes. For more information, see Java requirements
- FIPS with OpenJDK 17 is supported from the Cloudera Runtime 7.1.9 SP1 release onwards.
- OpenJDK versions: for FIPS, the minimum required / latest tested version is 1.8u231.
- Install and configure a database. See Step 3. Install and Configure Databases
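The following host preflight is an added example, not a Cloudera-provided script. It checks a host's release line and JDK version against the operating system and JDK 8 items above, treating 1.8u231 as a minimum; the function names and sample inputs are assumptions of this example, and JDK 11 and 17 are only flagged because their support depends on the CDP and CM release.

```shell
#!/usr/bin/env bash
# Added example: host preflight for the OS and JDK items in the list above.
# Function names and sample inputs are constructed for this example.

# Compare the "major.minor" in a /etc/redhat-release line with the listed
# releases, read here as RHEL 7.9, CentOS 7.9 or RHEL 8.8.
os_supported() {
  local line=$1 ver
  ver=$(printf '%s\n' "$line" |
    sed -n 's/.* release \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  case "$line" in
    "Red Hat Enterprise Linux"*) [ "$ver" = "7.9" ] || [ "$ver" = "8.8" ] ;;
    CentOS*)                     [ "$ver" = "7.9" ] ;;
    *)                           return 1 ;;
  esac
}

# Pull the quoted version string out of `java -version` output. The first
# match is used because a JAVA_TOOL_OPTIONS notice can precede the version.
jdk_version() {
  printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a JDK version string. JDK 8 is compared with 1.8u231; JDK 11 and
# 17 depend on the CDP/CM release, which a host-level check cannot see.
jdk_status() {
  local v=$1 upd
  case "$v" in
    1.8.0_*)
      upd=${v#1.8.0_}; upd=${upd%%[!0-9]*}    # "231-b11" -> "231"
      if [ -n "$upd" ] && [ "$upd" -ge 231 ]; then echo ok; else echo too-old; fi ;;
    1.8.*)           echo too-old ;;
    11|11.*|17|17.*) echo check-release ;;
    *)               echo unsupported ;;
  esac
}

preflight() {   # $1 = redhat-release line, $2 = `java -version 2>&1` output
  local rc=0 jv js
  if os_supported "$1"; then echo "OS  ok: $1"; else echo "OS  FAIL: $1"; rc=1; fi
  jv=$(jdk_version "$2"); js=$(jdk_status "$jv")
  echo "JDK $js: ${jv:-not found}"
  [ "$js" = ok ] || [ "$js" = check-release ] || rc=1
  return "$rc"
}

# Constructed sample inputs. On a real host pass "$(cat /etc/redhat-release)"
# and "$(java -version 2>&1)" instead.
preflight 'CentOS Linux release 7.9.2009 (Core)' 'openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-b09)' || true
```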
Supported CDP Versions
- Cloudera Manager versions 7.2.4, 7.3.1, 7.4.4, 7.6.1, 7.7.1, 7.7.3, and 7.11.3
- CDP Private Cloud Base versions 7.1.5, 7.1.6, 7.1.7, 7.1.7 SP1, 7.1.7 SP2, 7.1.8, 7.1.9, and 7.1.9 SP1.
Supported CDP Components
The following components are supported in FIPS mode:
- Atlas
- Avro
- Cloudera Manager
- Cruise Control
- Hadoop
- Hadoop Credential Provider
- HDFS
- HBase
- Hive
- Hive-on-Tez
- Hive Meta Store
- Hive Warehouse Connector
- Hue
- Iceberg
- Impala
- Kafka
- Kerberos
- Key Trustee Server
- Knox
- Kudu
- Livy
- MapReduce
- OMID
- Oozie
- Parquet
- Phoenix
- Queue Manager
- Ranger
- Ranger KMS
- Schema Registry
- Streams Messaging Manager
- Streams Replication Manager
- Solr
- Spark
- Sqoop
- Tez
- TLS
- YARN
- Zeppelin
- ZooKeeper
Step 1: Prepare hosts
Step 2: Install and configure the SafeLogic modules and packages for RHEL 7 OS
For RHEL 7, install and configure SafeLogic packages.
- Obtain the CryptoComply for Libgcrypt (CC for Libgcrypt) and CryptoComply for Server (CC for Server) SafeLogic modules and packages.
- Copy the CryptoComply for Server (CCS) - OpenSSL RPMs to all hosts.
- Copy the CryptoComply for Libgcrypt RPMs to all hosts.
Step 3: Install Cloudera Manager server
Step 4: Validate the CCJ and CCS installation
Run the following commands on each host to validate the CCJ and CCS installation.