Step 3: Validate the CCJ and CCS installations

Run the following commands on each host to validate the CryptoComply for Java (CCJ) and CryptoComply for Server (CCS) installation.

  1. Run the following command:
    sysctl crypto.fips_enabled

    Expected output:

    crypto.fips_enabled = 1
  2. Run the following command:
    echo greeting | openssl md5

    This command must fail. MD5 is not a FIPS-approved algorithm, so the failure indicates that FIPS is enabled.

  3. Verify the list of security providers in JDK 11, including the added modules, by running the following command on the Cloudera Manager server.

    The command takes the path chosen for the CCJ JAR file as its module path (it assumes that the bctls JAR file is in the same directory).

    cat > ListSecurityProviders.java <<-EOF
    import java.security.Provider;
    import java.security.Security;
    
    public class ListSecurityProviders {
        public static void main(String[] args) {
            Provider[] providers = Security.getProviders();
            for (Provider provider : providers) {
                System.out.println("Provider: " + provider.getName());
                System.out.println("Version: " + provider.getVersionStr());
                System.out.println("Info: " + provider.getInfo());
                System.out.println();
            }
        }
    }
    EOF
    
    java -p /directory/chosen/for/ccj-bctls/jars/ ListSecurityProviders.java

    The output includes the CCJ and BCJSSE providers if they are configured and referenced properly. For example:

    Provider: CCJ
    Version: <version>
    Info: CryptoComply® for Java version <version>
    
    Provider: BCJSSE
    Version: <version>
    Info: Bouncy Castle JSSE Provider Version <version>
  4. Run the following command:
    read -r -d '' do_maxAESKeyLength <<EOF
    java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
    EOF
    answer=$("${JAVA_HOME}/bin/jrunscript" -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength")
    echo "$answer"
    
    Expected output:
    2147483647
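
The four checks above can be wrapped in a script that reports pass or fail per step. This is an added example, not part of the original procedure or of Cloudera's or SafeLogic's tooling. CCJ_DIR and OPENSSL_BIN are hypothetical variables, and the script assumes ListSecurityProviders.java from step 3 is in the current directory.

```bash
#!/bin/sh
# Added example (not Cloudera or SafeLogic code): pass/fail wrappers for steps 1-4.
# The parsers take command output as arguments so they can be exercised offline.

# Step 1: accept only "crypto.fips_enabled = 1" (whitespace-insensitive).
fips_sysctl_ok() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "crypto.fips_enabled=1" ]
}

# Step 2: returns 0 if MD5 is rejected, 1 if MD5 still works, 2 if the binary
# is missing. A missing openssl also "fails", so it must not count as a pass.
# OPENSSL_BIN is a hypothetical override, used here only for testing.
md5_rejected() {
  command -v "${OPENSSL_BIN:-openssl}" >/dev/null 2>&1 || return 2
  if echo greeting | "${OPENSSL_BIN:-openssl}" md5 >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Step 3: both providers must appear as exact "Provider: <name>" lines.
providers_ok() {
  for p in CCJ BCJSSE; do
    printf '%s\n' "$1" | grep -qxF "Provider: $p" || return 1
  done
}

# Step 4: the expected value stated in the procedure.
aes_len_ok() { [ "$1" = "2147483647" ]; }

# Runs the real commands. Assumes ListSecurityProviders.java from step 3 is in
# the current directory and CCJ_DIR (hypothetical) is the chosen jar directory.
validate_host() {
  rc=0
  js='java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));'
  fips_sysctl_ok "$(sysctl crypto.fips_enabled 2>/dev/null)" || { echo "FAIL: sysctl"; rc=1; }
  md5_rejected || { echo "FAIL: openssl md5 (status $?)"; rc=1; }
  providers_ok "$(java -p "$CCJ_DIR" ListSecurityProviders.java 2>/dev/null)" \
    || { echo "FAIL: providers"; rc=1; }
  aes_len_ok "$("${JAVA_HOME}/bin/jrunscript" \
    -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$js" 2>/dev/null)" \
    || { echo "FAIL: AES key length"; rc=1; }
  return "$rc"
}
```

Source the file and call validate_host on each host; a non-zero return means at least one check failed.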