Before running Kafka CLI tools in FIPS clusters that use JDK 11, you must set the
KAFKA_OPTS environment variable in your shell environment to include various JVM arguments.
Otherwise, Kafka CLI tools will not run. Learn what JVM arguments you must set and how you
can set them.
- In Cloudera Manager, go to .
- Find the Extra JVM arguments for Java-based services property and take note of its contents.
  The property contains various JVM arguments. The content of the property is similar to the
  following example:
-Dcom.safelogic.cryptocomply.fips.approved_only=true \
-Djdk.tls.ephemeralDHKeySize=2048 -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
-Djdk.tls.trustNameService=true
- Using ssh, log in to the cluster host where you want to run the tool.
- Set the KAFKA_OPTS environment variable in your shell environment.
  KAFKA_OPTS must contain the JVM arguments present in Extra JVM arguments for Java-based
  services as well as the following additional options:
--add-modules=com.safelogic.cryptocomply.fips.core,bctls \
--add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
--add-exports=java.base/sun.security.provider=bctls \
--module-path=/[***LOCATION***]
  Where [***LOCATION***] is the absolute path to the location where the SafeLogic CC
  (ccj-[***VERSION***].jar) and SafeLogic BCTLS (bctls-safelogic.jar) Java module JARs are
  located.
  The command you run to set KAFKA_OPTS will be similar to the following:
export KAFKA_OPTS="-Dcom.safelogic.cryptocomply.fips.approved_only=true \
-Djdk.tls.ephemeralDHKeySize=2048 \
-Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
-Djdk.tls.trustNameService=true --add-modules=com.safelogic.cryptocomply.fips.core,bctls \
--add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
--add-exports=java.base/sun.security.provider=bctls \
--module-path=/[***LOCATION***]"
- Run the tool.
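
The steps above can be scripted so that a mistyped module path or a missing JAR is caught before the tool is started. The following is an added example, not Cloudera's code: build_kafka_opts is a hypothetical helper, and it assumes the module path is passed as a full absolute path and that no copied JVM argument contains a literal backslash.

```shell
#!/bin/sh
# Added example, not Cloudera's code. build_kafka_opts is a hypothetical helper.
#   $1  contents of "Extra JVM arguments for Java-based services", as copied
#   $2  absolute path of the directory holding the SafeLogic module JARs
build_kafka_opts() {
    # Copied text may keep "\" line continuations and newlines; flatten them
    # (assumes no argument legitimately contains a backslash).
    extra=$(printf '%s' "$1" | tr '\\\n' '  ' | tr -s ' ' | sed 's/^ *//; s/ *$//')
    module_dir=$2

    if [ -z "$extra" ]; then
        echo "Extra JVM arguments are empty; copy them from Cloudera Manager" >&2
        return 1
    fi
    case $module_dir in
        /*) ;;
        *) echo "module path must be absolute: $module_dir" >&2; return 1 ;;
    esac

    # Both module JARs must exist, or --add-modules cannot resolve them.
    have_ccj=0
    for jar in "$module_dir"/ccj-*.jar; do
        if [ -f "$jar" ]; then have_ccj=1; fi
    done
    if [ "$have_ccj" -ne 1 ]; then
        echo "no ccj-<version>.jar in $module_dir" >&2
        return 1
    fi
    if [ ! -f "$module_dir/bctls-safelogic.jar" ]; then
        echo "no bctls-safelogic.jar in $module_dir" >&2
        return 1
    fi

    printf '%s %s %s %s %s\n' "$extra" \
        "--add-modules=com.safelogic.cryptocomply.fips.core,bctls" \
        "--add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core" \
        "--add-exports=java.base/sun.security.provider=bctls" \
        "--module-path=$module_dir"
}

# Usage (the variable and path are placeholders):
#   KAFKA_OPTS=$(build_kafka_opts "$EXTRA_JVM_ARGS" /path/to/modules) && export KAFKA_OPTS
```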