Step 1: Prepare hosts

Prepare the hosts for FIPS integration.

  1. Cryptographic operations require entropy to ensure randomness. Check the available entropy by using the following command:
    cat /proc/sys/kernel/random/entropy_avail
    • In order to keep the entropy high, install the following tools and keep them running:
      • rng-tools - For information about checking available entropy and using the rng-tools tool, see Entropy Requirements in Data at Rest Encryption Requirements.

        Install, enable, and start the rng-tools tool by using the following commands:

        1. sudo dnf install rng-tools
        2. sudo systemctl enable rngd
        3. sudo systemctl start rngd
      • haveged, available in the EPEL Repository - For instructions about using the haveged entropy daemon, see the haveged documentation.

        Install, enable, and start the haveged entropy daemon by using the following commands:

        1. sudo dnf install haveged
        2. sudo systemctl enable haveged
        3. sudo systemctl start haveged
  2. Configure the operating system for FIPS.
  3. On all hosts, run one of the following commands to verify that FIPS mode is enabled:
    cat /proc/sys/crypto/fips_enabled
    Expected output:
    1 (1 indicates FIPS enabled)
    sysctl crypto.fips_enabled
    Expected output:
    crypto.fips_enabled = 1 (1 indicates FIPS enabled)
  4. Configure a repository to install Cloudera Manager and other required packages.
    1. On the Cloudera Manager server host, download the repository file for your operating system and version.
      https://[username]:[password]@archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/cloudera-manager.repo
    2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
      [cloudera-manager]
      name=Cloudera Manager 7.11.3
      baseurl=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
      gpgkey=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/RPM-GPG-KEY-cloudera
      username=changeme
      password=changeme
      gpgcheck=1
      enabled=1
      autorefresh=0
      type=rpm-md
    3. If your hosts do not have access to https://archive.cloudera.com, you must set up a local repository. For instructions, see Configuring a Local Package Repository.
  5. Manually install OpenJDK 11, Oracle JDK 11, or OpenJDK 17 from Cloudera Runtime 7.1.9 SP1 release onwards on all hosts.
  6. Download and Install CryptoComply for Java (CC for Java) SafeLogic - Java JCE Provider on all hosts.
    1. Obtain the SafeLogic CC Java module JAR file.
    2. Create the /opt/cloudera/fips/ directory:
      sudo mkdir /opt/cloudera/fips/
    3. Copy the ccj-3.0.2.1.jar file to the /opt/cloudera/fips/ directory.
    4. Obtain the SafeLogic BCTLS Java module JAR file.
    5. Copy the bctls-safelogic.jar file to the /opt/cloudera/fips/ directory.
    6. Change the owner of both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and set their permissions to 0644:
      chown root: /opt/cloudera/fips/ccj-3.0.2.1.jar
      chmod 0644 /opt/cloudera/fips/ccj-3.0.2.1.jar
      chown root: /opt/cloudera/fips/bctls-safelogic.jar
      chmod 0644 /opt/cloudera/fips/bctls-safelogic.jar
      
  7. Configure the Java environment variable.
    1. Create the ccj.sh file in the /etc/profile.d/ directory:
      echo "export JDK_JAVA_OPTIONS='--module-path=/opt/cloudera/fips/ccj-3.0.2.1.jar:/opt/cloudera/fips/bctls.jar --add-exports java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules com.safelogic.cryptocomply.fips.core,bctls'" >/etc/profile.d/ccj.sh
      sudo chmod +x /etc/profile.d/ccj.sh
      
  8. Configure the java.policy policy by adding the CCJ permissions below to the bottom of the $JAVA_HOME/conf/security/java.policy file, inside the final grant block, immediately before its closing brace.
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
    };
    
  9. Configure the java.security policy by editing the $JAVA_HOME/jre/lib/security/java.security file.
    1. Add the following lines:
      #
      # List of providers and their preference orders (see above):
      #
      security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      security.provider.3=SUN
      security.provider.4=SunRsaSign
      security.provider.5=SunEC
      security.provider.6=SunJSSE
      security.provider.7=SunJCE
      security.provider.8=SunJGSS
      security.provider.9=SunSASL
      security.provider.10=XMLDSig
      security.provider.11=SunPCSC
      security.provider.12=JdkLDAP
      security.provider.13=JdkSASL
      
    2. Comment out the default fips.provider lines and add the following lines:
      #
      # Security providers used when FIPS mode support is active
      #
      #fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
      #fips.provider.2=sun.security.provider.Sun
      #fips.provider.3=sun.security.ec.SunEC
      #fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
      fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      fips.provider.3=SUN
      fips.provider.4=SunRsaSign
      fips.provider.5=SunEC
      fips.provider.6=SunJSSE
      fips.provider.7=SunJCE
      fips.provider.8=SunJGSS
      fips.provider.9=SunSASL
      fips.provider.10=XMLDSig
      fips.provider.11=SunPCSC
      fips.provider.12=JdkLDAP
      fips.provider.13=JdkSASL
      
    3. Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the ssl.KeyManagerFactory.algorithm=X.509 text.
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #
      #ssl.KeyManagerFactory.algorithm=SunX509
      ssl.KeyManagerFactory.algorithm=X.509
      ssl.TrustManagerFactory.algorithm=PKIX
      
  10. Make the following changes to the Cloudera Manager configuration:
    1. Open the /etc/default/cloudera-scm-server file.
    2. Uncomment the following configurations related to FIPS:
      # Enable FIPS mode
      #
      # To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
      #
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include CCJ with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/opt/cloudera/fips/ccj-3.0.2.1.jar \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include BCTLS with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/opt/cloudera/fips/bctls-safelogic.jar \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
      

    For example:

    If the CCJ JAR file name is ccj-test-3.0.2.1.jar, then the module name becomes ccj.test: the JDK derives the automatic module name from the file name and ignores the version numbers.

    Find out the module name by using the following command:

    $ sudo ${JAVA_HOME}/bin/jar --file=/opt/cloudera/fips/ccj-test-3.0.2.1.jar --describe-module
    No module descriptor found. Derived automatic module.
    ccj.test@3.0.2.1 automatic <---- the module name is ccj.test
    requires java.base mandated contains com.safelogic.cryptocomply
    
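As an added worked example (not part of the Cloudera documentation), the following POSIX shell functions reproduce the JDK rule that the jar --describe-module output above illustrates, and render the two -D property pairs of step 10 from the installed JAR paths so the ccj_module_name and bctls_module_name placeholders are filled from the real file names. The function names and the sample paths are mine; a JAR that carries an Automatic-Module-Name manifest attribute is named by that attribute instead, so jar --describe-module stays the authoritative check.

```shell
#!/bin/sh
# Added example, not from the Cloudera docs: derive the automatic module
# name the JDK assigns to a JAR that has neither module-info.class nor an
# Automatic-Module-Name manifest attribute (java.lang.module.ModuleFinder):
#   1. strip the ".jar" suffix;
#   2. cut at the first "-<digits>." or a trailing "-<digits>" (the version);
#   3. replace every run of non-alphanumerics with a single ".";
#   4. drop leading and trailing dots.
automatic_module_name() {
    name=$(basename "$1" .jar)
    name=$(printf '%s' "$name" | sed -E 's/-[0-9]+\..*$//; s/-[0-9]+$//')
    name=$(printf '%s' "$name" | sed -E 's/[^A-Za-z0-9]+/./g; s/^\.//; s/\.$//')
    # A name that collapses to nothing (e.g. "-1.0.jar") is not a valid module.
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Render the CMF_JAVA_OPTS properties from step 10 for the given CCJ and
# BCTLS JAR paths, with module names derived rather than left as placeholders.
cmf_fips_java_opts() {
    ccj_jar=$1
    bctls_jar=$2
    ccj_mod=$(automatic_module_name "$ccj_jar") || return 1
    bctls_mod=$(automatic_module_name "$bctls_jar") || return 1
    printf '%s ' "-Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=$ccj_jar"
    printf '%s ' "-Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=$ccj_mod"
    printf '%s ' "-Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=$bctls_jar"
    printf '%s\n' "-Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=$bctls_mod"
}

# Worked values (paths constructed from the steps on this page).
automatic_module_name ccj-test-3.0.2.1.jar                   # ccj.test
automatic_module_name /opt/cloudera/fips/ccj-3.0.2.1.jar     # ccj
automatic_module_name /opt/cloudera/fips/bctls-safelogic.jar # bctls.safelogic
cmf_fips_java_opts /opt/cloudera/fips/ccj-3.0.2.1.jar /opt/cloudera/fips/bctls-safelogic.jar
```

Note that bctls-safelogic.jar derives to bctls.safelogic, whereas the ccj.sh profile script above passes the module as bctls, so confirm the name on your installed JAR with jar --describe-module before filling in either placeholder.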