Behavioral Changes in Ranger KMS

Functional adjustments and behavioral updates for Ranger KMS are introduced in Cloudera Runtime 7.1.9 SP2.

Summary:

Earlier, Ranger KMS used the PBEWithMD5AndTripleDES algorithm for key encryption. That algorithm is not FIPS compliant, so full support has been added for the FIPS-compliant algorithm PBKDF2WithHmacSHA256, together with a FIPS-compliant provider, in FIPS-enabled clusters.

Fresh FIPS cluster:
  • Ranger KMS: Ranger KMS now uses PBKDF2WithHmacSHA256 as the key derivation function (KDF) and AES/CBC/PKCS7Padding as the cipher to encrypt and decrypt the MasterKey and Zone keys.
  • Ranger Admin: Ranger Admin now uses PBKDF2WithHmacSHA256 as the KDF and AES/CBC/PKCS7Padding as the cipher to encrypt and decrypt the service passwords.
Upgrade Cluster:
Existing keys were encrypted using the non-compliant algorithms, so when the service restarts after the upgrade, the keys are re-encrypted. The re-encryption process is as follows:
  1. Existing keys are decrypted using the older PBEWithMD5AndTripleDES/PBEWITHHMACSHA512ANDAES_128 algorithm and the key material is retrieved.
  2. Then, the retrieved key material is encrypted using the FIPS-compliant algorithm, PBKDF2WithHmacSHA256 and AES/CBC/PKCS7Padding.
  3. Finally, the encrypted key material is stored in the service DB.
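The following Java program is an added example, not Ranger KMS or Cloudera code, that shows both schemes described above: the FIPS-compliant path (PBKDF2WithHmacSHA256 deriving an AES key, AES in CBC mode with PKCS#7 padding encrypting the key material) used on a fresh cluster, and the three-step upgrade path (decrypt with the legacy PBEWithMD5AndTripleDES cipher, re-encrypt with the new scheme, return the value to store). The class and method names, the iteration counts, key and salt sizes, the "IV || ciphertext" storage layout, and the use of the JDK's default provider for both schemes are assumptions made for the demo; the page does not state Ranger's actual parameters, provider, or which provider performs the legacy decryption during migration. Note that the standard JDK names PKCS#7 padding "PKCS5Padding" in the AES transformation string; a FIPS provider such as BouncyCastle FIPS accepts the "AES/CBC/PKCS7Padding" spelling the page uses for the same padding.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KmsKeyReencryptDemo {
    // Hypothetical parameters chosen for the demo; Ranger KMS's real values are not on the page.
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int AES_KEY_BITS = 256;
    private static final int LEGACY_PBE_ITERATIONS = 1000;
    private static final int AES_BLOCK_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // ---- Legacy scheme (pre-upgrade): PBEWithMD5AndTripleDES, not FIPS compliant ----
    // SunJCE requires an 8-byte salt for this PBES1-style algorithm.
    private static Cipher legacyCipher(int mode, char[] password, byte[] salt) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES")
                .generateSecret(new PBEKeySpec(password));
        Cipher c = Cipher.getInstance("PBEWithMD5AndTripleDES");
        c.init(mode, key, new PBEParameterSpec(salt, LEGACY_PBE_ITERATIONS));
        return c;
    }

    static byte[] legacyEncrypt(char[] password, byte[] salt, byte[] plaintext) throws Exception {
        return legacyCipher(Cipher.ENCRYPT_MODE, password, salt).doFinal(plaintext);
    }

    static byte[] legacyDecrypt(char[] password, byte[] salt, byte[] ciphertext) throws Exception {
        return legacyCipher(Cipher.DECRYPT_MODE, password, salt).doFinal(ciphertext);
    }

    // ---- FIPS-compliant scheme: PBKDF2WithHmacSHA256 as KDF, AES/CBC with PKCS#7 padding as cipher ----
    static SecretKey deriveAesKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, AES_KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout (assumed for the demo): 16-byte IV followed by the ciphertext.
    // A fresh random IV per encryption matters: CBC with a reused IV leaks whether two keys share a prefix.
    static byte[] fipsEncrypt(char[] password, byte[] salt, byte[] plaintext) throws Exception {
        byte[] iv = new byte[AES_BLOCK_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // JDK name for PKCS#7 padding
        c.init(Cipher.ENCRYPT_MODE, deriveAesKey(password, salt), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] fipsDecrypt(char[] password, byte[] salt, byte[] ivAndCiphertext) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, AES_BLOCK_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, AES_BLOCK_BYTES, ivAndCiphertext.length);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveAesKey(password, salt), new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    // ---- Upgrade path: the three steps from the page ----
    static byte[] reencrypt(char[] password, byte[] legacySalt, byte[] legacyCiphertext, byte[] newSalt)
            throws Exception {
        byte[] keyMaterial = legacyDecrypt(password, legacySalt, legacyCiphertext); // step 1: recover key material
        try {
            return fipsEncrypt(password, newSalt, keyMaterial);                      // step 2: re-encrypt with FIPS scheme
        } finally {
            Arrays.fill(keyMaterial, (byte) 0);   // do not leave plaintext key material in memory longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        char[] masterPassword = "constructed-demo-password".toCharArray(); // constructed sample value
        byte[] zoneKeyMaterial = new byte[32];
        RNG.nextBytes(zoneKeyMaterial);                                     // constructed stand-in for a zone key
        byte[] legacySalt = new byte[8];
        RNG.nextBytes(legacySalt);
        byte[] newSalt = new byte[16];
        RNG.nextBytes(newSalt);

        byte[] storedBefore = legacyEncrypt(masterPassword, legacySalt, zoneKeyMaterial); // what a pre-upgrade DB row holds
        byte[] storedAfter = reencrypt(masterPassword, legacySalt, storedBefore, newSalt); // step 3: this goes to the DB
        byte[] roundTrip = fipsDecrypt(masterPassword, newSalt, storedAfter);
        System.out.println("re-encrypted length: " + storedAfter.length
                + ", round trip ok: " + Arrays.equals(zoneKeyMaterial, roundTrip));
    }
}
```

Run it with `javac KmsKeyReencryptDemo.java && java KmsKeyReencryptDemo` on a standard JDK. The point to check in a real migration is the one `reencrypt` makes explicit: the legacy ciphertext is only readable with the old algorithm, so the old provider must still be loadable at restart, and once every row has been rewritten the MD5-based path should not be reachable again.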