Install and configure additional required components
Use the following steps to install additional required components for FIPS.
- Perform the Additional Steps for Apache Ranger.
-
Add Ranger to the Shadow group.
usermod -a -G shadow ranger
-
Install and Configure TLS either automatically or manually.
If you are using Auto-TLS, see:If you are manually configuring TLS, see:
Generate certificates in BCFKS format
The standard
keytool
utility distributed with the JDK can generate BCFKS formatted keystores using the CCJ security provider. When the CCJ security provider is statically installed into the JDK as previously described, there is no need to pass thekeytool
utility the-providerpath path/to/ccj-3.0.2.1.jar
or-providerclass com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS
arguments. It is only necessary to passBCFKS
as the storetype for thekeytool
operation being invoked.For example,
keytool -importkeystore
can be used to import a PKCS12 keystore into a BCFKS keystore:keytool \ -importkeystore -v \ -srckeystore <pkcs12_keystore_file> \ -srcstoretype PKCS12 \ -srcstorepass <pkcs12_pass> \ -destkeystore <bcfks_keystore_file> \ -deststoretype BCFKS \ -deststorepass <bcfks_keystore_pass> \ -destkeypass <bcfks_key_pass>
Systems administrators and other platform implementers should consult their organization’s information systems security managers for the correct procedures for generating keypairs and requesting signing of x509 certificates. The Cloudera Data Platform requires the private key and signed certificate in both PEM encoded and BCFKS keystore format. The steps to accomplish this task might look similar to the following:
-
openssl genpkey
-
openssl req
- Have the CA sign the CSR.
-
Import the private key and signed certificate into a PKCS12
keystore:
openssl pkcs12
-
Import the PKCS12 keystore into a BCFKS keystore:
keytool -importkeystore
-
- Enable Kerberos authentication using the Cloudera Manager Kerberos wizard.
-
Set the
kdc_timeout
value in thekrb5.conf
file to a high enough setting to avoid client timeout errors while running queries.-
Open the
/etc/krb5.conf
file with a text editor. -
Under
[libdefaults]
, set thekdc_timeout
value to a minimum of 5000 (5 seconds).
-
Open the
- Install Apache Knox. See Installing Apache Knox.
-
Install Ranger KMS.
As Ranger KMS KTS and Key Trustee Server are not supported anymore, you need to migrate your encryption keys from Ranger KMS KTS and Key Trustee Server to Ranger KMS. For more information, see Key migration in UCL.
- Configure HDFS Transparent Data Encryption with Ranger KMS.