Configuring srm-control in FIPS clusters

Before running srm-control in FIPS clusters that use JDK 11, you must set the SRM_KERBEROS_OPTS environment variable in your shell environment to include various JVM arguments. Otherwise, Kafka CLI tools will not run. Learn what JVM arguments you must set and how you can set them.

  • The following configuration is not required if your cluster uses JDK 8.
  • Ensure that you know the location of the following SafeLogic Java modules (JAR files):
    • SafeLogic CC Java module – ccj-[***VERSION***].jar
    • SafeLogic BCTLS Java module – bctls-safelogic.jar

    These JAR files are deployed on all cluster hosts at a location of your choosing. You can choose the location during cluster installation. Both JARs are located in the same directory.

  1. In Cloudera Manager, go to Administration > Settings.
  2. Find the Extra JVM arguments for Java-based services property and take note of its contents.
    The property contains various JVM arguments. The content of the property is similar to the following example:
    -Dcom.safelogic.cryptocomply.fips.approved_only=true \
    -Djdk.tls.ephemeralDHKeySize=2048 -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
    -Djdk.tls.trustNameService=true
  3. Using ssh, log in to the cluster host where you want to run the tool.
  4. Set the SRM_KERBEROS_OPTS environment variable in your shell environment.
    SRM_KERBEROS_OPTS must contain the JVM arguments present in Extra JVM arguments for Java-based services as well as the following additional options:
    --add-modules=com.safelogic.cryptocomply.fips.core,bctls \
    --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
    --add-exports=java.base/sun.security.provider=bctls \
    --module-path=/[***LOCATION***]\
    
    Where [***LOCATION***] is the absolute path to the location where the SafeLogic CC (ccj-[***VERSION***].jar) and SafeLogic BCTLS (bctls-safelogic.jar) Java module JARs are located.
    The command you run to set SRM_KERBEROS_OPTS will be similar to the following:
    export SRM_KERBEROS_OPTS="-Dcom.safelogic.cryptocomply.fips.approved_only=true \
    -Djdk.tls.ephemeralDHKeySize=2048 \
    -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true \
    -Djdk.tls.trustNameService=true --add-modules=com.safelogic.cryptocomply.fips.core,bctls \
    --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core \
    --add-exports=java.base/sun.security.provider=bctls \
    --module-path=/[***LOCATION***]"
  5. Run the tool.