Step 1: Prepare hosts
Prepare the hosts for FIPS integration.
- Cryptographic operations require entropy to ensure randomness. Check the available entropy by using the following command:
  cat /proc/sys/kernel/random/entropy_avail
  On RHEL 8 (kernel 4.18) a value that stays in the low hundreds indicates a starved pool that will stall key generation and TLS handshakes. Note that kernels 5.18 and later report a constant 256 once the generator is seeded, so on those kernels the counter no longer measures pool depletion.
- To keep the entropy high, install one or both of the following entropy daemons and keep them running:
  - rng-tools. For information about checking available entropy and using the rng-tools tool, see Entropy Requirements in Data at Rest Encryption Requirements. Install, enable, and start the rng-tools tool by using the following commands:
    sudo dnf install rng-tools
    sudo systemctl enable rngd
    sudo systemctl start rngd
  - haveged, available in the Extra Packages for Enterprise Linux (EPEL) repository. For instructions about using the haveged entropy daemon, see the haveged documentation. Install, enable, and start the haveged entropy daemon by using the following commands:
    sudo dnf install haveged
    sudo systemctl enable haveged
    sudo systemctl start haveged
- Configure the operating system for FIPS.
- On all hosts, run one of the following commands to verify that FIPS mode is enabled:
  cat /proc/sys/crypto/fips_enabled
  Expected output: 1 (1 indicates FIPS enabled)
  sysctl crypto.fips_enabled
  Expected output: crypto.fips_enabled = 1 (1 indicates FIPS enabled)
  The flag reflects the running kernel. If it reads 0, enable FIPS mode (on RHEL 8, fips-mode-setup --enable) and reboot the host before checking again; fips-mode-setup --check reports the same state.
- Configure a repository to install Cloudera Manager and other required packages.
  - On the Cloudera Manager server host, download the repository file for your operating system and version:
    https://[username]:[password]@archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/cloudera-manager.repo
  - Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password:
    [cloudera-manager]
    name=Cloudera Manager 7.11.3
    baseurl=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
    gpgkey=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/RPM-GPG-KEY-cloudera
    username=changeme
    password=changeme
    gpgcheck=1
    enabled=1
    autorefresh=0
    type=rpm-md
    Because this file holds your credentials in clear text, keep it owned by root and not world-readable; dnf runs as root and does not need wider access. Leave gpgcheck=1 so that packages are verified against the Cloudera signing key.
  - If your hosts do not have access to https://archive.cloudera.com, you must set up a local repository. For instructions, see Configuring a Local Package Repository.
- Manually install OpenJDK 8 (or Oracle JDK 8, supported from the Cloudera Runtime 7.1.9 SP1 release onwards) on all hosts.
  - For OpenJDK 8, see Installing OpenJDK for CDP Runtime.
  - For Oracle JDK 8, see Installing Oracle JDK for CDP Runtime.
- Download and install CryptoComply for Java (CC for Java), the SafeLogic Java JCE provider, on all hosts.
  - Obtain the SafeLogic CC Java module JAR file.
  - Copy the ccj-3.0.2.1.jar file to the $JAVA_HOME/jre/lib/ext library directory.
  - Obtain the SafeLogic BCTLS Java module JAR file.
  - Copy the bctls-safelogic.jar file to the $JAVA_HOME/jre/lib/ext library directory.
  - Change the ownership of both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and their permissions to 0644, so that only root can replace the provider that every JVM on the host loads:
    chown root: $JAVA_HOME/jre/lib/ext/ccj-3.0.2.1.jar
    chmod 0644 $JAVA_HOME/jre/lib/ext/ccj-3.0.2.1.jar
    chown root: $JAVA_HOME/jre/lib/ext/bctls-safelogic.jar
    chmod 0644 $JAVA_HOME/jre/lib/ext/bctls-safelogic.jar
- To configure the java.policy policy, add the CCJ permissions to the bottom of the $JAVA_HOME/conf/security/java.policy file, inside the final grant block, before its closing };. (On a JDK 8 build that has no $JAVA_HOME/conf/security directory, the java.policy and java.security files are in $JAVA_HOME/jre/lib/security instead.)
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
    };
- To configure the java.security policy, edit the $JAVA_HOME/conf/security/java.security file.
  - Comment out the default fips.provider.N lines and add the following lines. Provider order matters: the JDK tries providers in index order, so CCJ must be first and the Bouncy Castle JSSE provider (constructed in FIPS mode with the fips:CCJ argument) second.
    # Security providers used when FIPS mode support is active
    #
    fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
    fips.provider.3=SUN
    fips.provider.4=SunRsaSign
    fips.provider.5=SunEC
    fips.provider.6=SunJSSE
    fips.provider.7=SunJCE
    fips.provider.8=SunJGSS
    fips.provider.9=SunSASL
    fips.provider.10=XMLDSig
    fips.provider.11=com.cloudera.security.sasl.ClouderaSaslProvider
    fips.provider.12=SunPCSC
    fips.provider.13=JdkLDAP
    fips.provider.14=JdkSASL
  - Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the ssl.KeyManagerFactory.algorithm=X.509 text:
    # Determines the default key and trust manager factory algorithms for
    # the javax.net.ssl package.
    #
    #ssl.KeyManagerFactory.algorithm=SunX509
    ssl.KeyManagerFactory.algorithm=X.509
    ssl.TrustManagerFactory.algorithm=PKIX
-
Comment out the default
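The following script is an added example, not Cloudera's or SafeLogic's code, that checks the result of the host preparation steps above on a single host: the kernel FIPS flag, the entropy counter, root:0644 ownership of the two provider JARs, the fips.provider.N ordering in java.security (CCJ first, the Bouncy Castle JSSE provider second, no duplicate index) and the X.509 KeyManagerFactory setting. It assumes GNU coreutils and sed as shipped with RHEL 8 (stat -c, sed \t) and a JAVA_HOME argument; the jar names, provider classes and property values come from the steps above, and the java.security fragment written by demo is a constructed fixture, not a file from any real host.

```shell
#!/bin/sh
# Added example, not Cloudera's or SafeLogic's code: preflight checks for the
# host preparation steps above. Each check takes the path it inspects as an
# argument, so it runs against the live host or against a scratch copy.
# Assumes GNU coreutils/sed (stat -c, sed \t), as on RHEL 8.

# Last active (uncommented) assignment of KEY in a java.security-style file;
# a later assignment overrides an earlier one, as it does for the JDK.
active_prop() {   # active_prop FILE KEY
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*$key_re=" "$1" | tail -n 1 | cut -d= -f2- | sed 's/^[[:space:]]*//'
}

# Active fips.provider.N entries as "N<TAB>value", ordered by N.
fips_providers() {   # fips_providers FILE
    grep -E '^[[:space:]]*fips\.provider\.[0-9]+=' "$1" \
      | sed -E 's/^[[:space:]]*fips\.provider\.([0-9]+)=(.*)$/\1\t\2/' \
      | sort -n -k1,1
}

# 0 when the list is usable: no duplicate index, CCJ first, BCJSSE second.
providers_ok() {   # providers_ok FILE
    list=$(fips_providers "$1")
    [ -n "$list" ] || return 1
    [ -z "$(printf '%s\n' "$list" | cut -f1 | uniq -d)" ] || return 1
    first=$(printf '%s\n' "$list" | sed -n 1p | cut -f2)
    second=$(printf '%s\n' "$list" | sed -n 2p | cut -f2)
    case "$first" in *CryptoComplyFipsProvider) ;; *) return 1 ;; esac
    case "$second" in org.bouncycastle.jsse.provider.BouncyCastleJsseProvider*) ;; *) return 1 ;; esac
}

# 0 when FILE holds exactly "1", i.e. the kernel reports FIPS mode.
fips_enabled() {   # fips_enabled /proc/sys/crypto/fips_enabled
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# 0 when the entropy count in FILE is at least MIN.
entropy_ok() {   # entropy_ok /proc/sys/kernel/random/entropy_avail 256
    avail=$(cat "$1" 2>/dev/null || echo 0)
    [ "${avail:-0}" -ge "$2" ] 2>/dev/null
}

# "uid mode" of FILE, e.g. "0 644" for a root-owned 0644 file.
owner_mode() {   # owner_mode FILE
    stat -c '%u %a' "$1"
}

# Runs every check against the live host under JAVA_HOME, one line per check.
preflight() {   # preflight JAVA_HOME
    sec="$1/conf/security/java.security"
    [ -f "$sec" ] || sec="$1/jre/lib/security/java.security"   # JDK 8 layout
    fips_enabled /proc/sys/crypto/fips_enabled && echo "ok   fips mode" || echo "FAIL fips mode"
    entropy_ok /proc/sys/kernel/random/entropy_avail 256 && echo "ok   entropy" || echo "FAIL entropy"
    for jar in ccj-3.0.2.1.jar bctls-safelogic.jar; do
        f="$1/jre/lib/ext/$jar"
        [ -f "$f" ] && [ "$(owner_mode "$f")" = "0 644" ] \
            && echo "ok   $jar" || echo "FAIL $jar (missing, or not root 0644)"
    done
    providers_ok "$sec" && echo "ok   fips.provider order" || echo "FAIL fips.provider order in $sec"
    [ "$(active_prop "$sec" ssl.KeyManagerFactory.algorithm)" = "X.509" ] \
        && echo "ok   KeyManagerFactory X.509" || echo "FAIL KeyManagerFactory is not X.509"
}

# Constructed java.security fragment (not taken from any real host) so the
# parsing checks can be exercised on a machine that is not in FIPS mode.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/java.security" <<'EOF'
#fips.provider.1=SunPKCS11-NSS-FIPS
fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
fips.provider.3=SUN
#ssl.KeyManagerFactory.algorithm=SunX509
ssl.KeyManagerFactory.algorithm=X.509
ssl.TrustManagerFactory.algorithm=PKIX
EOF
    fips_providers "$tmp/java.security"
    providers_ok "$tmp/java.security" && echo "provider order ok"
    echo "KeyManagerFactory: $(active_prop "$tmp/java.security" ssl.KeyManagerFactory.algorithm)"
    rm -rf "$tmp"
}

# "sh fips-preflight.sh /usr/lib/jvm/java" on a host; with no argument, run the demo.
if [ $# -eq 0 ]; then demo; else preflight "$1"; fi
```

Run it as root after the last step, since an unprivileged user may not be able to read a root-only JAVA_HOME; a FAIL line for the JARs or the provider order means a JVM on that host will silently fall back to the non-FIPS providers.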