Step 1: Prepare hosts

Prepare the hosts for FIPS integration.

  1. Cryptographic operations require entropy to ensure randomness. Check the available entropy by using the following command:
    cat /proc/sys/kernel/random/entropy_avail
    • In order to keep the entropy high, install the following tools and keep them running:
      • rng-tools - For information about checking available entropy and using the rng-tools tool, see Entropy Requirements in Data at Rest Encryption Requirements.

        Install, enable and start the rng-tools tool by using the following commands:

        1. sudo dnf install rng-tools
        2. sudo systemctl enable rngd
        3. sudo systemctl start rngd
      • haveged, available in the Extra Packages for Enterprise Linux (EPEL) Repository - For instructions about using the haveged entropy daemon, see the haveged documentation.

      Install, enable and start the haveged entropy daemon by using the following commands:

      1. sudo dnf install haveged
      2. sudo systemctl enable haveged
      3. sudo systemctl start haveged
  2. Configure the operating system for FIPS.
  3. On all hosts, run one of the following commands to verify that FIPS mode is enabled:
    • cat /proc/sys/crypto/fips_enabled
      Expected output:
      1
      1 indicates that FIPS is enabled.
    • sysctl crypto.fips_enabled
      Expected output:
      crypto.fips_enabled = 1
      1 indicates that FIPS is enabled.
  4. Configure a repository to install Cloudera Manager and other required packages.
    1. On the Cloudera Manager server host, download the repository file for your operating system and version:
      https://[username]:[password]@archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/cloudera-manager.repo
    2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
      [cloudera-manager]
      name=Cloudera Manager 7.11.3
      baseurl=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
      gpgkey=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/RPM-GPG-KEY-cloudera
      username=changeme
      password=changeme
      gpgcheck=1
      enabled=1
      autorefresh=0
      type=rpm-md
    3. If your hosts do not have access to https://archive.cloudera.com, you must set up a local repository. See Configuring Local Package and Parcel Repositories.
  5. On all hosts, manually install OpenJDK 8 or Oracle JDK 8, either from packages or (from Cloudera Runtime 7.1.9 SP1 onwards) from a tar file.
  6. Download the cloudera-sasl JAR file:
    1. Obtain the sasl-sha256aes JAR file from: https://archive.cloudera.com/p/cdh7/7.1.9.1021/maven-repository/com/cloudera/sasl/sasl-sha256aes/0.1.0.7.1.9.1021-6/sasl-sha256aes-0.1.0.7.1.9.1021-6.jar
    2. Copy the file to the following locations on all hosts in the cluster: /opt/cloudera/fips/ (or wherever the CCJ and BCTLS JAR files are stored), /opt/cloudera/parcels/CDH/jars/, and /opt/cloudera/parcels/CDH/lib/hadoop/.
  7. Set the environment variable for HADOOP_SASL_MECHANISM. Follow these steps to set a service-specific environment variable in Cloudera Manager:
    1. From the Cloudera Manager dashboard, locate the service for which you want to set the environment variable (for example, HDFS, YARN). Click the Service name.
    2. In the Service page, navigate to the Configuration tab.
    3. Search for Environment Advanced Configuration Snippet to show the <Service-name> Environment Advanced Configuration Snippet (Safety Valve) field.
    4. Add an Environment Variable with the Key as HADOOP_SASL_MECHANISM and value as DIGEST-SHA.
    5. Save the changes and restart the affected service.
  8. Set the Hadoop Configuration Property for DIGEST-SHA:
    1. Select the service where you intend to apply the new Hadoop configuration property. This example shows the configuration for HDFS.
    2. In the HDFS service page, navigate to the Configuration tab.
    3. Search for Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml.
    4. Add a new property with the Name as hadoop.security.sasl.mechanism and Value as DIGEST-SHA (description can be left blank).
    5. Save the changes and restart HDFS or the affected service.
  9. Add the com.cloudera.security.sasl.ClouderaSaslProvider security provider to the java.security file. The java.security file is a standard configuration file under the Java/JDK home. In Java, the java.security file is located at $JAVA_HOME/jre/lib/security/java.security.
  10. Download and install CryptoComply for Java (CC for Java) SafeLogic - Java JCE Provider on all hosts.
    1. Obtain the SafeLogic CC Java module JAR file.
    2. Copy the ccj-3.0.2.1.jar file to the $JAVA_HOME/jre/lib/ext directory.
    3. Obtain the SafeLogic BCTLS Java module JAR file.
    4. Copy the bctls-safelogic.jar file to the $JAVA_HOME/jre/lib/ext directory.
    5. Change the owner of both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and their permissions to 0644:
      chown root: ${JAVA_HOME}/jre/lib/ext/ccj-3.0.2.1.jar
      chmod 0644 ${JAVA_HOME}/jre/lib/ext/ccj-3.0.2.1.jar
      chown root: ${JAVA_HOME}/jre/lib/ext/bctls-safelogic.jar
      chmod 0644 ${JAVA_HOME}/jre/lib/ext/bctls-safelogic.jar
  11. To configure the java.policy policy, add the following CCJ permissions at the end of the grant block in the $JAVA_HOME/conf/security/java.policy file, that is, inside the closing brace before the final };
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
    };
  12. Add the com.cloudera.security.sasl.ClouderaSaslProvider security provider to the java.security file. The java.security file is a standard configuration file under the Java/JDK home. In Java, the java.security file is located at $JAVA_HOME/jre/lib/security/java.security. Edit the $JAVA_HOME/jre/lib/security/java.security file as follows:
    1. Add the following lines:
      # List of providers and their preference orders:
      security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
      security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
      security.provider.3=sun.security.provider.Sun
      security.provider.4=sun.security.rsa.SunRsaSign
      security.provider.5=sun.security.ec.SunEC
      security.provider.6=com.sun.net.ssl.internal.ssl.Provider
      security.provider.7=com.sun.crypto.provider.SunJCE
      security.provider.8=sun.security.jgss.SunProvider
      security.provider.9=com.sun.security.sasl.Provider
      security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.11=sun.security.smartcardio.SunPCSC
      security.provider.12=com.cloudera.security.sasl.ClouderaSaslProvider
    2. Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the text ssl.KeyManagerFactory.algorithm=X.509.
      # Determines the default key and trust manager factory algorithms for
      # the javax.net.ssl package.
      #ssl.KeyManagerFactory.algorithm=SunX509
      ssl.KeyManagerFactory.algorithm=X.509
      ssl.TrustManagerFactory.algorithm=PKIX
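As an added example that is not part of the Cloudera documentation, the following POSIX shell script turns the checks from steps 3, 10 and 12 above into functions that can be pointed either at the real files (the kernel FIPS flag, the JARs under $JAVA_HOME/jre/lib/ext, java.security) or at the constructed java.security samples the script writes itself. The provider check also catches a duplicated or non-contiguous security.provider number, which Java would otherwise resolve by silently keeping only the later line.

```shell
#!/bin/sh
# Added example, not part of the Cloudera page: sanity checks for the FIPS host
# preparation steps. Each check takes a file path, so it can be run against the
# real files (/proc/sys/crypto/fips_enabled, java.security, the JARs in
# $JAVA_HOME/jre/lib/ext) or against the constructed samples written below.

# Returns 0 only when the kernel FIPS flag file contains exactly "1".
fips_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Returns 0 only when the file is owned by root with mode 0644 (GNU stat).
jar_perms_ok() {
    [ "$(stat -c '%U %a' "$1" 2>/dev/null)" = "root 644" ]
}

# Validates the security.provider.N list in a java.security file: numbers must
# run 1..N with no gaps or duplicates (a duplicated key makes Java keep only the
# later line, silently dropping a provider), provider 1 must be the CCJ FIPS
# provider, and ClouderaSaslProvider must be registered. Prints "ok" on success.
check_providers() {
    nums=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1")
    [ -n "$nums" ] || { echo "no security.provider entries"; return 1; }
    count=$(printf '%s\n' "$nums" | wc -l | tr -d ' ')
    expected=$(seq 1 "$count" | tr '\n' ' ')
    actual=$(printf '%s\n' "$nums" | sort -n | tr '\n' ' ')
    [ "$expected" = "$actual" ] || { echo "bad numbering: $actual"; return 1; }
    grep -q '^security\.provider\.1=com\.safelogic\.cryptocomply\.jcajce\.provider\.CryptoComplyFipsProvider$' "$1" \
        || { echo "provider 1 is not CryptoComplyFipsProvider"; return 1; }
    grep -q '^security\.provider\.[0-9]*=com\.cloudera\.security\.sasl\.ClouderaSaslProvider$' "$1" \
        || { echo "ClouderaSaslProvider is not registered"; return 1; }
    echo ok
}

# Writes a constructed java.security excerpt (sample data, not a real file);
# passing "dup" as $2 reproduces a duplicated provider number so the check can
# be seen to catch it.
write_sample() {
    {
        echo 'security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider'
        echo 'security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ'
        echo 'security.provider.3=sun.security.provider.Sun'
        if [ "$2" = dup ]; then echo 'security.provider.3=com.sun.crypto.provider.SunJCE'
        else echo 'security.provider.4=com.sun.crypto.provider.SunJCE'; fi
        echo 'security.provider.5=com.cloudera.security.sasl.ClouderaSaslProvider'
    } > "$1"
}
```

On a prepared host, run check_providers against $JAVA_HOME/jre/lib/security/java.security and jar_perms_ok against each of the ccj and bctls JARs; any non-zero return means the corresponding step above was not completed as written.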