Install and configure additional required components

Use the following steps to install additional required components for FIPS.

Perform the Additional Steps for Apache Ranger.
Add Ranger to the Shadow group.
```
usermod -a -G shadow ranger
```
Install and Configure TLS either automatically or manually.
If you are using Auto-TLS, see:
- Use case 1: Use Cloudera Manager to generate an internal CA and corresponding certificates
- Use case 2: Use an existing Certificate Authority
If you are manually configuring TLS, see:
- Manually Configuring TLS Encryption for Cloudera Manager
note
Additional manual TLS configuration steps may be required for stack components.
Generate certificates in BCFKS format

The standard keytool utility distributed with the JDK can generate BCFKS formatted keystores using the CCJ security provider. When the CCJ security provider is statically installed into the JDK as previously described, there is no need to pass the keytool utility the -providerpath path/to/ccj-3.0.2.1.jar or -providerclass com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS arguments. It is only necessary to pass BCFKS as the storetype for the keytool operation being invoked.

For example, keytool -importkeystore can be used to import a PKCS12 keystore into a BCFKS keystore:
```
keytool \
    -importkeystore -v \
    -srckeystore <pkcs12_keystore_file> \
    -srcstoretype PKCS12 \
    -srcstorepass <pkcs12_pass> \
    -destkeystore <bcfks_keystore_file> \
    -deststoretype BCFKS \
    -deststorepass <bcfks_keystore_pass> \
    -destkeypass <bcfks_key_pass>
```
Systems administrators and other platform implementers should consult their organization’s information systems security managers for the correct procedures for generating keypairs and requesting signing of x509 certificates. The Cloudera requires the private key and signed certificate in both PEM encoded and BCFKS keystore format. The steps to accomplish this task might look similar to the following:
1. openssl genpkey
2. openssl req
3. Have the CA sign the CSR.
4. Import the private key and signed certificate into a PKCS12 keystore:
```
openssl pkcs12
```
5. Import the PKCS12 keystore into a BCFKS keystore:
```
keytool -importkeystore
```
Enable Kerberos authentication using the Cloudera Manager Kerberos wizard.
Set the kdc_timeout value in the krb5.conf file to a high enough setting to avoid client timeout errors while running queries.
1. Open the /etc/krb5.conf file with a text editor.
2. Under [libdefaults], set the kdc_timeout value to a minimum of 5000 (5 seconds).
Install Apache Knox. See Installing Apache Knox.
Install Ranger KMS.
As Ranger KMS KTS and Key Trustee Server are not supported anymore, you need to migrate your encryption keys from Ranger KMS KTS and Key Trustee Server to Ranger KMS. For more information, see Key migration in UCL.
note
Ranger KMS uses the PBEWithMD5AndTripleDES algorithm for key encryption, which is not FIPS-compliant. Hence, for FIPS-enabled clusters, the PBKDF2WithHmacSHA256 algorithm is used, which is FIPS-compliant. The existing keys have to be re-encrypted. The re-encryption process is as follows:
1. Decrypt the existing keys using the older PBEWithMD5AndTripleDES algorithm and retrieve the key material.
2. Then, encrypt the retrieved key material using the FIPS-compliant algorithm, PBKDF2WithHmacSHA256.
3. Finally store it in the service DB.
To decrypt the existing keys, the old PBEWithMD5AndTripleDES algorithm and the corresponding SunJCE provider are needed. After re-encryption using the FIPS-compliant algorithm, the older algorithm and the corresponding provider can be removed. This re-encryption happens when the Ranger KMS process starts.
Configure HDFS Transparent Data Encryption with Ranger KMS.