Step 1: Prepare hosts
Prepare the hosts for FIPS integration.
- Cryptographic operations require entropy to ensure randomness. Check the
  available entropy by using the following command:
    cat /proc/sys/kernel/random/entropy_avail
- In order to keep the entropy high, install the following tools and keep
  them running:
  - rng-tools
    For information about checking available entropy and using the rng-tools
    tool, see Entropy Requirements in Data at Rest Encryption Requirements.
    Install, enable, and start the rng-tools tool by using the following
    commands:
      sudo dnf install rng-tools
      sudo systemctl enable rngd
      sudo systemctl start rngd
  - haveged, available in the EPEL Repository
    For instructions about using the haveged entropy daemon, see the haveged
    documentation. Install, enable, and start the haveged entropy daemon by
    using the following commands:
      sudo dnf install haveged
      sudo systemctl enable haveged
      sudo systemctl start haveged
- Configure the operating system for FIPS. FIPS mode is applied when the
  kernel boots, so reboot each host after enabling it and verify on the running
  system.
- On all hosts, run one of the following commands to verify that FIPS mode is
  enabled (1 indicates FIPS enabled):
    cat /proc/sys/crypto/fips_enabled
  Expected output:
    1
    sysctl crypto.fips_enabled
  Expected output:
    crypto.fips_enabled = 1
- Configure a repository to install Cloudera Manager and other required
  packages.
  - On the Cloudera Manager server host, download the repository file for your
    operating system and version:
      https://[username]:[password]@archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/cloudera-manager.repo
  - Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and
    replace the changeme placeholder values with your user name and password.
      [cloudera-manager]
      name=Cloudera Manager 7.11.3
      baseurl=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
      gpgkey=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/RPM-GPG-KEY-cloudera
      username=changeme
      password=changeme
      gpgcheck=1
      enabled=1
      autorefresh=0
      type=rpm-md
    The file then holds your archive credentials in clear text, so leave it
    owned by root and not world-readable, and keep gpgcheck=1 so that every
    package is verified against the Cloudera signing key before it is
    installed.
  - If your hosts do not have access to https://archive.cloudera.com, you must
    set up a local repository. For instructions, see Configuring a Local
    Package Repository.
- Manually install OpenJDK 11 or Oracle JDK 11 (or OpenJDK 17, which is
  supported from the Cloudera Runtime 7.1.9 SP1 release onwards) on all hosts.
  - For OpenJDK 11 or 17, see Installing OpenJDK for CDP Runtime
  - For Oracle JDK 11, see Installing Oracle JDK for CDP Runtime
- Download and install CryptoComply for Java (CC for Java), the SafeLogic Java
  JCE provider, on all hosts.
  - Obtain the SafeLogic CC Java module JAR file.
  - Create the /opt/cloudera/fips/ directory:
      sudo mkdir /opt/cloudera/fips/
  - Copy the ccj-3.0.2.1.jar file to the /opt/cloudera/fips/ directory.
  - Obtain the SafeLogic BCTLS Java module JAR file.
  - Copy the bctls-safelogic.jar file to the /opt/cloudera/fips/ directory.
  - Change the ownership and permissions of both the ccj-3.0.2.1.jar and
    bctls-safelogic.jar files to root and 0644:
      sudo chown root: /opt/cloudera/fips/ccj-3.0.2.1.jar
      sudo chmod 0644 /opt/cloudera/fips/ccj-3.0.2.1.jar
      sudo chown root: /opt/cloudera/fips/bctls-safelogic.jar
      sudo chmod 0644 /opt/cloudera/fips/bctls-safelogic.jar
    These JARs are loaded into every JVM on the host, so nobody other than root
    may be able to modify them. Apply the same rule to the /opt/cloudera/fips/
    directory itself: a directory writable by other users would let a local
    user replace the provider JAR with one of their own.
- Configure the Java environment variable.
  - Create the ccj.sh file in the /etc/profile.d/ directory. The --module-path
    entries must name the JAR files exactly as they were copied to
    /opt/cloudera/fips/ in the previous step (ccj-3.0.2.1.jar and
    bctls-safelogic.jar), and the --add-modules list must use the module names
    that jar --describe-module reports for those JARs. Run the following as
    root (the redirection is performed by your shell, so sudo on echo alone is
    not enough):
      echo "export JDK_JAVA_OPTIONS='--module-path=/opt/cloudera/fips/ccj-3.0.2.1.jar:/opt/cloudera/fips/bctls-safelogic.jar --add-exports java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules com.safelogic.cryptocomply.fips.core,bctls'" >/etc/profile.d/ccj.sh
      chmod +x /etc/profile.d/ccj.sh
- Configure the java.policy policy by adding the CCJ permissions to the bottom
  of the $JAVA_HOME/conf/security/java.policy file, inside the default
  grant { ... }; block, that is, immediately before its closing "};" (the
  snippet below ends with that closing "};", so do not leave a second one
  behind):
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
    };
- Configure the java.security policy by editing the
  $JAVA_HOME/conf/security/java.security file (this is the location for JDK 11
  and later; the $JAVA_HOME/jre/lib/security/java.security path exists only in
  JDK 8).
  - Add the following lines in place of the default security.provider.N list.
    CCJ gets the highest preference, so it is selected for every getInstance()
    call that does not name a provider explicitly. (If you only append the
    lines, the later definition of each key wins, so the result is the same
    but harder to audit.)
      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      security.provider.3=SUN
      security.provider.4=SunRsaSign
      security.provider.5=SunEC
      security.provider.6=SunJSSE
      security.provider.7=SunJCE
      security.provider.8=SunJGSS
      security.provider.9=SunSASL
      security.provider.10=XMLDSig
      security.provider.11=SunPCSC
      security.provider.12=JdkLDAP
      security.provider.13=JdkSASL
  - Comment out the default fips.provider lines and add the following lines:
      #
      # Security providers used when FIPS mode support is active
      #
      #fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
      #fips.provider.2=sun.security.provider.Sun
      #fips.provider.3=sun.security.ec.SunEC
      #fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
      fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      fips.provider.3=SUN
      fips.provider.4=SunRsaSign
      fips.provider.5=SunEC
      fips.provider.6=SunJSSE
      fips.provider.7=SunJCE
      fips.provider.8=SunJGSS
      fips.provider.9=SunSASL
      fips.provider.10=XMLDSig
      fips.provider.11=SunPCSC
      fips.provider.12=JdkLDAP
      fips.provider.13=JdkSASL
  - Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new
    line with the ssl.KeyManagerFactory.algorithm=X.509 text:
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #
      #ssl.KeyManagerFactory.algorithm=SunX509
      ssl.KeyManagerFactory.algorithm=X.509
      ssl.TrustManagerFactory.algorithm=PKIX
- Make the following changes to the Cloudera Manager configuration:
  - Open the /etc/default/cloudera-scm-server file.
  - Uncomment the following configurations related to FIPS, and replace the
    ccj_module_name and bctls_module_name placeholders with the module names of
    the two JAR files:
      # Enable FIPS mode
      #
      # To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
      #
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include CCJ with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/opt/cloudera/fips/ccj-3.0.2.1.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include BCTLS with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/opt/cloudera/fips/bctls-safelogic.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
    The module name is the name the JDK reports for the JAR, not the file name.
    For example, if the CCJ JAR file is named ccj-test-3.0.2.1.jar and carries
    no module descriptor, the module name becomes ccj.test: the version number
    is ignored and the hyphen becomes a dot. Find out the module name by using
    the following command:
      $ sudo ${JAVA_HOME}/bin/jar --file=/opt/cloudera/fips/ccj-test-3.0.2.1.jar --describe-module
      No module descriptor found. Derived automatic module.

      ccj.test@3.0.2.1 automatic      <---- module name is ccj.test
      requires java.base mandated
      contains com.safelogic.cryptocomply
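The module-name rule illustrated above, as an added example that is not part of the original page or of Cloudera's or SafeLogic's tooling. The function reproduces the automatic-module naming algorithm documented for java.lang.module.ModuleFinder, so that the value for ccj_module_name or bctls_module_name can be predicted from a file name before the JAR is on a host. It assumes the JAR has neither a module-info.class nor an Automatic-Module-Name manifest attribute; the names used in ccj.sh on this page come from the JARs themselves, so the authoritative answer is always the jar --describe-module output.

```shell
#!/bin/bash
# Added example (not Cloudera's or SafeLogic's code): predict the automatic
# module name the JDK derives from a JAR file name. The rule, from the
# java.lang.module.ModuleFinder documentation:
#   1. drop the directory part and the ".jar" suffix;
#   2. if the rest contains "-<digits>" followed by "." or the end of the name,
#      everything from that hyphen on is the version and is removed;
#   3. replace every character that is not A-Z, a-z or 0-9 with ".";
#   4. collapse repeated "." and remove leading and trailing ".".
# Applies only to JARs with no module descriptor and no Automatic-Module-Name
# attribute (the "No module descriptor found" case); otherwise the JAR's own
# name wins, which is why "jar --describe-module" must be used to confirm.

automatic_module_name() {
  local base=${1##*/}          # step 1: strip any directory part ...
  base=${base%.jar}            # ... and the .jar suffix
  printf '%s\n' "$base" | sed -E \
    -e 's/-[0-9]+(\..*)?$//' \
    -e 's/[^A-Za-z0-9]/./g' \
    -e 's/\.\.+/./g' \
    -e 's/^\.//' \
    -e 's/\.$//'
}

# Usage (uncomment to run on the file names from this page):
# automatic_module_name /opt/cloudera/fips/ccj-test-3.0.2.1.jar   # ccj.test
# automatic_module_name bctls-safelogic.jar                        # bctls.safelogic
```

Note what the rule implies for the two JARs on this page: ccj-3.0.2.1.jar derives to "ccj" and bctls-safelogic.jar to "bctls.safelogic", whereas ccj.sh above uses com.safelogic.cryptocomply.fips.core and bctls. That difference can only come from names declared inside the JARs, so write the jar --describe-module result into CMF_JAVA_OPTS rather than the file-name derivation.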
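The manual steps on this page (entropy, kernel FIPS mode, JAR ownership and permissions, the java.security provider order, and the Cloudera Manager FIPS flag) are easy to get subtly wrong on one host out of many, so the following post-configuration check script is added here as an example; it is not Cloudera's code. Every check takes the file it inspects as an argument and defaults to the path this page uses, so it runs against the live host or against files copied from one. Assumptions made for illustration: an entropy floor of 1024 bits (ENTROPY_MIN), an optional owner argument to jar_perms_ok that exists only so the check can be exercised as a non-root user, and the file name ccj-3.0.2.1.jar from this page.

```shell
#!/bin/bash
# Added example (not Cloudera's code): post-configuration checks for the steps
# on this page. Exit status 0 means the check passed.

# Assumed threshold: 1024 bits is an illustrative floor for entropy_avail on the
# RHEL 8 (4.18) kernel, whose pool reports up to 4096. Kernels 5.18 and later
# report at most 256 from this file, so lower ENTROPY_MIN there.
ENTROPY_MIN=${ENTROPY_MIN:-1024}

entropy_ok() {
  local avail
  avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null) || return 1
  case $avail in ''|*[!0-9]*) return 1 ;; esac    # anything but a plain integer fails
  [ "$avail" -ge "$ENTROPY_MIN" ]
}

fips_kernel_ok() {
  [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = 1 ]
}

# The provider JARs are loaded into every JVM that sees JDK_JAVA_OPTIONS, so
# only root may be able to replace them: owner root (second argument overrides
# the expected owner, for testing), mode exactly 0644.
jar_perms_ok() {
  local file=$1 owner=${2:-root} mode
  mode=$(stat -c '%a' "$file" 2>/dev/null) || return 1
  [ "$mode" = 644 ] && [ "$(stat -c '%U' "$file")" = "$owner" ]
}

# Value of an uncommented key=value line in a java.security-style properties
# file. Later definitions override earlier ones, as in java.util.Properties,
# so the last match is returned.
security_prop() {
  local key=$1 file=${2:-${JAVA_HOME:?set JAVA_HOME}/conf/security/java.security} pat
  pat=$(printf '%s' "$key" | sed 's/\./\\./g')      # make the dots literal for sed
  sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# CCJ must be provider 1 in both the normal and the FIPS provider list, and the
# key manager factory algorithm must be the X.509 one this page configures.
java_security_ok() {
  local ccj=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
  [ "$(security_prop security.provider.1 "$1")" = "$ccj" ] &&
  [ "$(security_prop fips.provider.1 "$1")" = "$ccj" ] &&
  [ "$(security_prop ssl.KeyManagerFactory.algorithm "$1")" = X.509 ]
}

# /etc/default/cloudera-scm-server: the FIPS flag must sit on an uncommented
# export line, not inside the commented-out template.
cm_fips_mode_ok() {
  grep -Eq '^[[:space:]]*export[[:space:]]+CMF_JAVA_OPTS=.*-Dcom\.cloudera\.cmf\.fipsMode=true' \
    "${1:-/etc/default/cloudera-scm-server}"
}

# Run every check against the live host; prints PASS/FAIL per check and returns
# 1 if any failed. Entries with arguments are deliberately unquoted so they split.
run_all_checks() {
  local rc=0 check
  for check in entropy_ok fips_kernel_ok \
               "jar_perms_ok /opt/cloudera/fips/ccj-3.0.2.1.jar" \
               "jar_perms_ok /opt/cloudera/fips/bctls-safelogic.jar" \
               java_security_ok cm_fips_mode_ok; do
    if $check; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
  done
  return $rc
}
```

Source the file and call run_all_checks on each host as root (reading /etc/default/cloudera-scm-server and the JDK's java.security may need it), with JAVA_HOME set to the JDK the Cloudera services use. A FAIL on java_security_ok usually means the provider lines were appended after the original list in a different order, or edited in the JDK 8 jre/lib path by mistake.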
-
Open the