Prerequisites for using FIPS

This page provides comprehensive information regarding prerequisites that you must be aware of while using FIPS for CDP.

About CDP with FIPS

Creating a new, fresh cluster is the only way to enable or disable FIPS.

Unsupported Features

  • Upgrades are not currently supported to or from CDP with FIPS.

  • Replication is not currently supported.

  • MRIT localfs is not supported in FIPS environments where SHA2 compatibility is required.

System Requirements

  • Operating system:

    RHEL or RHEL 8.8. For more information, see Operating system requirements.

  • Java:

    Support for FIPS + OpenJDK 8 or Oracle JDK 8.

    Support for FIPS + OpenJDK 11 or Oracle JDK 11.

    Support for FIPS + OpenJDK 17. For more information, see Java requirements.

  • OpenJDK 8 versions: For FIPS the only required and tested versions are 1.8u231 and 1.8u232.
  • Install and configure a database. See Install and Configure Databases

Supported CDP Versions

  • Cloudera Manager versions 7.2.4, 7.3.1, 7.4.4, 7.6.1, 7.7.1, 7.7.3, 7.11.3, and 7.13.1.

  • CDP Private Cloud Base versions 7.1.5, 7.1.6, 7.1.7, 7.1.7 SP1, 7.1.7 SP2, 7.1.8, 7.1.9, 7.1.9 SP1, and 7.3.1.

Supported CDP Components

The following components are supported in FIPS mode:

  • Atlas
  • Avro
  • Cloudera Manager
  • Cruise Control
  • Hadoop
  • Hadoop Credential Provider
  • HDFS
  • HBase
  • Hive
  • Hive-on-Tez
  • Hive Meta Store
  • Hive Warehouse Connector
  • Hue
  • Iceberg
  • Impala
  • Kafka
  • Kerberos
  • Knox
  • Kudu
  • Livy
  • MapReduce
  • OMID
  • Oozie
  • Parquet
  • Phoenix
  • Queue Manager
  • Ranger
  • Ranger KMS
  • Schema Registry
  • Streams Messaging Manager
  • Streams Replication Manager
  • Solr
  • Spark
  • Sqoop
  • Tez
  • TLS
  • YARN
  • ZooKeeper

Step 1: Prepare hosts

  1. Cryptographic operations require entropy to ensure randomness.

    Check the available entropy:

    cat /proc/sys/kernel/random/entropy_avail must be always above 2k

    • In order to keep the entropy high, install the below tools and keep them running:
  2. Configure the operating system for FIPS.
  3. On all hosts, run one of the following commands to verify that FIPS mode is enabled:
    cat /proc/sys/crypto/fips_enabled
    sysctl crypto.fips_enabled
  4. Configure a repository to install Cloudera Manager and other required packages.
    1. On the Cloudera Manager server host, download the repository file for your operating system and version:
      https://[username]:[password]@archive.cloudera.com/p/cm7/7.13.1.0/redhat8/yum/cloudera-manager.repo
    2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
      [cloudera-manager]
      name=Cloudera Manager 7.13.1.0
      baseurl=https://archive.cloudera.com/p/cm7/7.13.1.0/redhat8/yum/
      gpgkey=https://archive.cloudera.com/p/cm7/7.13.1.0/redhat8/yum/RPM-GPG-KEY-cloudera
      username=changeme
      password=changeme
      gpgcheck=1
      enabled=1
      autorefresh=0
      type=rpm-md
    3. If your hosts do not have access to https://archive.cloudera.com, you will need to set up a local repository. See Configuring a Local Package Repository.
  5. Manually install OpenJDK 8 / Oracle JDK 8 or OpenJDK 11 / Oracle JDK 11 / OpenJDK 17 on all hosts.
  1. Download and Install CryptoComply for Java (CC for Java) SafeLogic - Java JCE Provider on all hosts:
    For JDK 8:
    1. Obtain the SafeLogic CC Java module JAR file.
    2. Copy the ccj-3.0.2.1.jar file to $JAVA_HOME/jre/lib/ext.
    3. Obtain the SafeLogic BCTLS Java module JAR file.
    4. Copy the bctls-safelogic.jar file to $JAVA_HOME/jre/lib/ext.
    5. Change the file permissions on both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and 0644:
      chown root: ${java_home}/jre/lib/ext/ccj-3.0.2.1.jar
      chmod 0644 ${java_home}/jre/lib/ext/ccj-3.0.2.1.jar
      chown root: ${java_home}/jre/lib/ext/bctls-safelogic.jar
      chmod 0644 ${java_home}/jre/lib/ext/bctls-safelogic.jar
      chmod 0644 ${java_home}/jre/lib/ext/bctls-safelogic.jar”
      
    For JDK 11:
    1. Obtain the SafeLogic CC Java module JAR file.
    2. Copy the ccj-3.0.2.1.jar file to /path/of/your/choice/.
    3. Obtain the SafeLogic BCTLS Java module JAR file.
    4. Copy the bctls-safelogic.jar file to /path/of/your/choice/.
    5. Change the file permissions on both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and 0644:
      chown root: /path/of/your/choice/ccj-3.0.2.1.jar
      chmod 0644 /path/of/your/choice/ccj-3.0.2.1.jar
      chown root: /path/of/your/choice/bctls-safelogic.jar
      chmod 0644 /path/of/your/choice/bctls-safelogic.jar
    For JDK 17, follow the same instructions as provided for JDK 11.
  2. Add the CCJ configuration to the $JAVA_HOME/jre/lib/security/java.policy file within the closed bracket as shown below:
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
    }
  3. Edit the $JAVA_HOME/jre/lib/security/java.security file as follows:
    1. Add the following lines:
      
      # List of providers and their preference orders (see above):
      security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      security.provider.3=sun.security.provider.Sun
      security.provider.4=sun.security.rsa.SunRsaSign
      security.provider.5=sun.security.ec.SunEC
      #security.provider.6=com.sun.net.ssl.internal.ssl.Provider
      security.provider.6=com.sun.crypto.provider.SunJCE
      security.provider.7=sun.security.jgss.SunProvider
      security.provider.8=com.sun.security.sasl.Provider
      security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      #security.provider.11=sun.security.smartcardio.SunPCSC
      
    2. Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the text ssl.KeyManagerFactory.algorithm=X.509.
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #ssl.KeyManagerFactory.algorithm=SunX509
      ssl.KeyManagerFactory.algorithm=X.509
      ssl.TrustManagerFactory.algorithm=PKIX
ONLY for JDK 11 or above:
  1. Make the following changes to the Cloudera Manager configuration:
    1. Open /etc/default/cloudera-scm-server.
    2. uncomment the below configs related to FIPS:
      # Enable FIPS mode
      # To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
      # export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include CCJ with FIPS mode
      # export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/path/to/ccj.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include BCTLS with FIPS mode
      # export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/path/to/bctls.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
      #

      to

      #
      # Enable FIPS mode
      # To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include CCJ with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/path/of/your/choice/ccj-3.0.2.1.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include BCTLS with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/path/of/your/choice/bctls-safelogic.jar -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"
      #

    For example:

    If the ccj jar file name is ccj-test-3.0.2.1.jar, then the module name becomes cj.test. The version numbers are ignored.

    You can also find out what the module name would be, using the following command:

    $ sudo ${JAVA_HOME}/bin/jar --file=/path/of/your/choice/ccj-test-3.0.2.1.jar --describe-module
    No module descriptor found. Derived automatic module.
    ccj.test@3.0.2.1 automatic <---- module Name is ccj.test
    requires java.base mandated
    contains com.safelogic.cryptocomply 
To provide Livy Support on FIPS for JDK 11 and JDK 17 (From Cloudera Runtime 7.1.9 SP1 release onwards),
  1. Add the following safety-valve settings for Spark cluster mode:
    For SPARK_ON_YARN>GATEWAY role:
    spark-conf/spark-env.sh_client_config_safety_valve
    export SPARK_SUBMIT_OPTS="$SPARK_SUBMIT_OPTS --add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR>"
    For SPARK3_ON_YARN > GATEWAY role:
    spark3-conf/spark-env.sh_client_config_safety_valve
    export SPARK_SUBMIT_OPTS="$SPARK_SUBMIT_OPTS --add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR>"

    Where <BCTLS_JARS_DIR> is the directory containing the SafeLogic bctls and fips core jar files.

For Spark to work correctly on FIPS for JDK 11 or above:
  1. Add the following safety-valve settings:
    For SPARK_ON_YARN>GATEWAY role:
    spark-conf/spark-defaults.conf_client_config_safety_valve
    spark.yarn.am.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
    spark.driver.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
    spark.executor.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
    For SPARK3_ON_YARN > GATEWAY role:
    spark3-conf/spark-defaults.conf_client_config_safety_valve
    spark.yarn.am.extraJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
    spark.driver.defaultJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true
    spark.executor.defaultJavaOptions=--add-exports=java.base/sun.security.provider=bctls --add-exports=java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules=com.safelogic.cryptocomply.fips.core,bctls --module-path=<BCTLS_JARS_DIR> -Dcom.safelogic.cryptocomply.fips.approved_only=true -Djava.net.preferIPv4Stack=true -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.trustNameService=true -Dorg.bouncycastle.jsse.client.assumeOriginalHostName=true

    Where <BCTLS_JARS_DIR> is the directory containing the SafeLogic bctls and fips core jar files.

Step 2: Install Cloudera Manager server

  1. Log in to the Cloudera Manager server host.
  2. Run the following command to install Cloudera Manager server.
    sudo yum install cloudera-manager-daemons cloudera-manager-agent cloudera-manager-server
  3. Add the following line at the end of the /etc/default/cloudera-scm-server file:
    export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true -Dcom.safelogic.cryptocomply.fips.approved_only=true"

Step 3: Validate the CCJ and CCS installation

Run the following commands on each host to validate the CCJ and CCS installation.

  1. Run the following command:
    sysctl crypto.fips_enabled

    This should return:

    crypto.fips_enabled = 1
  2. Run the following command:
    echo greeting | openssl md5

    This command should fail, indicating that FIPS is enabled.

  3. Run the following command:
    JDK 8

    Run the following command to verify the list of security providers in JDK 8

    read -r -d '' list_providers <<EOF
    p = java.security.Security.getProviders();
    for (i = 0; i < p.length; i++) { java.lang.System.out.println(p[i]); }
    EOF
    ${JAVA_HOME}/bin/jrunscript -e "$list_providers"

    This command should return the version numbers of the SafeLogic packages, for example:

    CCJ version 1.01
    SUN version 1.8
    SunRsaSign version 1.8
    SunEC version 1.8
    SunJSSE version 1.8
    SunJCE version 1.8
    SunJGSS version 1.8
    SunSASL version 1.8
    XMLDSig version 1.8
    SunPCSC version 1.8
    JDK 11 (Recommended)

    Run the following command on the Cloudera Manager Server to verify the list of security providers in JDK 11, which grabs the chosen path for the ccj jar file (assume that the bctls file is in the same directory) and show providers with those modules added:

    cat > ListSecurityProviders.java <<-EOF
    import java.security.Provider;
    import java.security.Security;
    
    public class ListSecurityProviders {
     public static void main(String[] args) {
     Provider[] providers = Security.getProviders();
     for (Provider provider : providers) {
     System.out.println("Provider: " + provider.getName());
     System.out.println("Version: " + provider.getVersionStr());
     System.out.println("Info: " + provider.getInfo());
     System.out.println();
     }
     }
    }
    EOF
    java -p $(grep ccj\.jar /etc/default/cloudera-scm-server | awk '{print $3}' | awk -F= '{print $2}' | sed -r 's/(.*)\/.*/\1/') ListSecurityProviders.java

    The output will include the following providers if they are configured and referenced properly: for example:

    Provider: CCJ
    Version: <version>
    Info: CryptoComply® for Java version <version>
    
    Provider: BCJSSE
    Version: <version>
    Info: Bouncy Castle JSSE Provider Version <version>
    For JDK 17: Follow the same instruction as provided for JDK 11.
  4. Run the following command:
    read -r -d '' do_maxAESKeyLength <<EOF
    java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
    EOF
    answer=`${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength"`
    echo $answer

    This command should return:

    2147483647

Step 4: Install and configure databases

  1. Configure the database in a FIPS-compliant manner. Consult the vendor documentation for your database for details.
  2. Enable the database for TLS/SSL clients, to ensure that all JDBC connections into these databases are FIPS compliant. Consult the vendor documentation for your database for details.
  3. Configure JDBC Driver in a FIPS compliant manner with TLS/SSL and BCFKS provided by CCJ JCE provider. Consult the following Cloudera Knowledge Base article for more information: Configuring SSL/TLS from the various CDH Services to their respective PostgreSQL Databases.
  4. Complete the setup of your databases for use with Cloudera Manager and Cloudera Runtime components. See Install and Configure PostgreSQL for CDP.