Step 3: Validate the CCJ and CCS installations
Run the following commands on each host to validate the CryptoComply for Java (CCJ) and CryptoComply for Server (CCS) installation.
-
Run the following command:
sysctl crypto.fips_enabled
Expected output:
crypto.fips_enabled = 1
-
Run the following command:
echo greeting | openssl md5
This command must fail. MD5 is not a FIPS-approved algorithm, so the failure indicates that FIPS is enabled.
-
Verify the list of security providers in JDK 11 and show providers with the added modules by running the following command on the Cloudera Manager server:
The command uses the directory chosen for the CCJ jar file as the module path. It assumes that the bctls jar file is in the same directory.
cat > ListSecurityProviders.java <<-EOF
import java.security.Provider;
import java.security.Security;

public class ListSecurityProviders {
    public static void main(String[] args) {
        // Print every registered security provider with its version and description.
        Provider[] providers = Security.getProviders();
        for (Provider provider : providers) {
            System.out.println("Provider: " + provider.getName());
            System.out.println("Version: " + provider.getVersionStr());
            System.out.println("Info: " + provider.getInfo());
            System.out.println();
        }
    }
}
EOF
java -p /directory/chosen/for/ccj-bctls/jars/ ListSecurityProviders.java
The output includes the providers if they are configured and referenced properly. For example:
Provider: CCJ
Version: <version>
Info: CryptoComply® for Java version <version>

Provider: BCJSSE
Version: <version>
Info: Bouncy Castle JSSE Provider Version <version>
-
Run the following command:
read -r -d '' do_maxAESKeyLength <<EOF
java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
EOF
answer=`${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength"`
echo $answer
Expected output:
2147483647
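When the same validation runs on many hosts, the four results above can be evaluated by script instead of by eye. The following is an added example, not part of the vendor documentation: the function names are hypothetical, and the sample inputs are constructed rather than captured from a real host.

```sh
#!/bin/sh
# sysctl output must report crypto.fips_enabled = 1.
check_fips_sysctl() {
  [ "$(printf '%s\n' "$1" | sed -n 's/^crypto\.fips_enabled *= *//p')" = "1" ]
}

# "openssl md5" must fail ($1 = its exit status). Assumption of this example:
# a 32-hex-digit digest on stdout ($2) also counts as a failed check.
check_md5_rejected() {
  [ "$1" -ne 0 ] && ! printf '%s\n' "$2" | grep -Eq '[0-9a-f]{32}'
}

# Both providers from the expected listing must appear as "Provider: <name>".
check_providers() {
  for name in CCJ BCJSSE; do
    printf '%s\n' "$1" | grep -Fqx "Provider: $name" || return 1
  done
}

# getMaxAllowedKeyLength must print 2147483647 (Integer.MAX_VALUE).
check_aes_keylen() { [ "$1" = "2147483647" ]; }

run_check() {  # $1 = label, rest = check function and its arguments
  label=$1; shift
  if "$@"; then echo "PASS $label"; else echo "FAIL $label"; failures=$((failures + 1)); fi
}

# Args: sysctl output, openssl exit status, openssl stdout, provider listing,
# jrunscript output. Returns the number of failed checks (0 = host validated).
validate_host() {
  failures=0
  run_check "kernel FIPS flag"     check_fips_sysctl "$1"
  run_check "MD5 rejected"         check_md5_rejected "$2" "$3"
  run_check "CCJ/BCJSSE providers" check_providers "$4"
  run_check "AES max key length"   check_aes_keylen "$5"
  return "$failures"
}

# Constructed sample output (not captured from a real host).
SAMPLE_PROVIDERS='Provider: CCJ
Version: <version>
Provider: BCJSSE
Version: <version>'

validate_host "crypto.fips_enabled = 1" 1 "" "$SAMPLE_PROVIDERS" 2147483647
validate_host "crypto.fips_enabled = 0" 0 "MD5(stdin)= 0123456789abcdef0123456789abcdef" \
  "$SAMPLE_PROVIDERS" 2147483647 || echo "$? check(s) failed"
```

On a real host, pass the captured output of each command from this step as the corresponding argument.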