Before running srm-control in FIPS clusters that use JDK 11, you must set the
SRM_KERBEROS_OPTS environment variable in your shell environment to include various JVM
arguments. Otherwise, Kafka CLI tools will not run. Learn what JVM arguments you must set
and how you can set them.
- In Cloudera Manager, go to .
- Find the Extra JVM arguments for Java-based services property and take note of its contents.
  The property contains various JVM arguments. The content of the property is similar to the following example:

      -Dcom.safelogic.cryptocomply.fips.approved_only=true \
      -Djdk.tls.ephemeralDHKeySize=2048 -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
      -Djdk.tls.trustNameService=true
- Using ssh, log in to the cluster host where you want to run the tool.
- Set the SRM_KERBEROS_OPTS environment variable in your shell environment.
  SRM_KERBEROS_OPTS must contain the JVM arguments present in Extra JVM arguments for Java-based services as well as the following additional options:

      --add-modules=com.safelogic.cryptocomply.fips.core,bctls \
      --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
      --add-exports=java.base/sun.security.provider=bctls \
      --module-path=/[***LOCATION***]

  Where [***LOCATION***] is the absolute path to the location where the SafeLogic CC (ccj-[***VERSION***].jar) and SafeLogic BCTLS (bctls-safelogic.jar) Java module JARs are located.
  The command you run to set SRM_KERBEROS_OPTS will be similar to the following:

      export SRM_KERBEROS_OPTS="-Dcom.safelogic.cryptocomply.fips.approved_only=true \
      -Djdk.tls.ephemeralDHKeySize=2048 \
      -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
      -Djdk.tls.trustNameService=true --add-modules=com.safelogic.cryptocomply.fips.core,bctls \
      --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
      --add-exports=java.base/sun.security.provider=bctls \
      --module-path=/[***LOCATION***]"
- Run the tool.
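
The following shell function is an added example, not part of the Cloudera documentation or tooling. It assembles the SRM_KERBEROS_OPTS value from the steps above and refuses to produce one when the module path is not absolute or either SafeLogic JAR is missing. The function name, the EXTRA_JVM_ARGS variable, and the /opt/safelogic/modules directory are assumptions.

```shell
# Added example: the function name and paths are assumptions, not Cloudera tooling.
build_srm_kerberos_opts() {
    extra_args=$1    # contents of "Extra JVM arguments for Java-based services"
    module_dir=$2    # absolute directory holding the SafeLogic module JARs

    if [ -z "$extra_args" ]; then
        echo "extra JVM arguments are empty; copy them from Cloudera Manager" >&2
        return 1
    fi
    case $module_dir in
        /*) ;;
        *) echo "module path must be absolute: $module_dir" >&2; return 1 ;;
    esac

    # Both module JARs named in the procedure must exist so that the modules
    # listed in --add-modules can be found on the module path.
    if [ ! -f "$module_dir/bctls-safelogic.jar" ]; then
        echo "bctls-safelogic.jar not found in $module_dir" >&2
        return 1
    fi
    found_ccj=0
    for jar in "$module_dir"/ccj-*.jar; do
        if [ -f "$jar" ]; then found_ccj=1; fi
    done
    if [ "$found_ccj" -ne 1 ]; then
        echo "no ccj-<version>.jar found in $module_dir" >&2
        return 1
    fi

    # Non-fatal hint: the page's sample property value carries this flag, so
    # its absence suggests the copy from Cloudera Manager was incomplete.
    case " $extra_args " in
        *" -Dcom.safelogic.cryptocomply.fips.approved_only=true "*) ;;
        *) echo "note: approved_only=true is not among the copied arguments" >&2 ;;
    esac

    printf '%s %s %s %s %s\n' "$extra_args" \
        "--add-modules=com.safelogic.cryptocomply.fips.core,bctls" \
        "--add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core" \
        "--add-exports=java.base/sun.security.provider=bctls" \
        "--module-path=$module_dir"
}

# Usage, with a constructed directory and EXTRA_JVM_ARGS holding the copied value:
#   SRM_KERBEROS_OPTS=$(build_srm_kerberos_opts "$EXTRA_JVM_ARGS" /opt/safelogic/modules) \
#       && export SRM_KERBEROS_OPTS
```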