Step 3: Validate the CCJ and CCS installations
Run the following commands on each host to validate the CryptoComply for Java (CCJ) and CryptoComply for Server (CCS) installation.
- Run the following command to verify that the FIPS configuration is enabled:
sysctl crypto.fips_enabled
Expected output:
crypto.fips_enabled = 1
- Run the following command to test that the FIPS kernel module terminates an md5 process:
echo greeting | openssl md5
This command must fail, indicating that FIPS is enabled.
- Run the following commands on the Cloudera Manager server to verify the list of security providers in JDK 17. The java command is given the chosen path for the ccj jar file (assume that the bctls file is in the same directory) and shows the providers with those modules added:
cat > ListSecurityProviders.java <<-EOF
import java.security.Provider;
import java.security.Security;

public class ListSecurityProviders {
    public static void main(String[] args) {
        // Print every registered JCA/JCE provider in priority order
        Provider[] providers = Security.getProviders();
        for (Provider provider : providers) {
            System.out.println("Provider: " + provider.getName());
            System.out.println("Version: " + provider.getVersionStr());
            System.out.println("Info: " + provider.getInfo());
            System.out.println();
        }
    }
}
EOF
java -p /directory/chosen/for/ccj-bctls/jars/ ListSecurityProviders.java
The output includes the following providers if they are configured and referenced properly. For example:
Provider: CCJ
Version: <version>
Info: CryptoComply® for Java version <version>

Provider: BCJSSE
Version: <version>
Info: Bouncy Castle JSSE Provider Version <version>
- Run the following commands to get the maximum allowed key length:
read -r -d '' do_maxAESKeyLength <<EOF
java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
EOF
answer=`${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength"`
echo $answer
Expected output:
2147483647
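The four checks above can be run together on each host with the script below. It is an added example, not part of the Cloudera documentation; it assumes JAVA_HOME is set, that CCJ_JAR_DIR (a variable of this script, not of the product) names the directory holding the ccj and bctls jars, and that ListSecurityProviders.java from the previous step is in the current directory.

```shell
#!/usr/bin/env bash
# Added example, not from the Cloudera documentation: runs the four checks of
# this step on one host and prints PASS/FAIL for each. Assumes JAVA_HOME is set,
# CCJ_JAR_DIR (this script's own variable) holds the ccj and bctls jars, and
# ListSecurityProviders.java from the step above is in the current directory.

# The checks below take captured command output as $1, so the decision logic
# can be exercised on any machine; the live commands are run in run_all_checks.
fips_flag_enabled() {           # $1: output of `sysctl crypto.fips_enabled`
  [ "$1" = "crypto.fips_enabled = 1" ]
}
providers_listed() {            # $1: output of ListSecurityProviders
  printf '%s\n' "$1" | grep -q '^Provider: CCJ$' &&
    printf '%s\n' "$1" | grep -q '^Provider: BCJSSE$'
}
aes_key_length_unlimited() {    # $1: value printed by getMaxAllowedKeyLength
  [ "$1" = "2147483647" ]       # Integer.MAX_VALUE: no key-length restriction
}

FAILED=0
report() {                      # report <check-function> <captured output>
  if "$1" "$2"; then echo "PASS: $1"; else echo "FAIL: $1"; FAILED=1; fi
}

run_all_checks() {
  report fips_flag_enabled "$(sysctl crypto.fips_enabled 2>/dev/null)"

  # With FIPS enabled the md5 digest must be refused, so success is a failure.
  if echo greeting | openssl md5 >/dev/null 2>&1; then
    echo "FAIL: openssl md5 succeeded (FIPS not enforced)"; FAILED=1
  else
    echo "PASS: openssl md5 refused"
  fi

  report providers_listed \
    "$(java -p "${CCJ_JAR_DIR:?set to the ccj/bctls jar directory}" \
         ListSecurityProviders.java 2>/dev/null)"

  js='java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));'
  report aes_key_length_unlimited \
    "$("${JAVA_HOME:?}/bin/jrunscript" -Dcom.safelogic.cryptocomply.fips.approved_only=true \
         -e "$js" 2>/dev/null)"
  return "$FAILED"
}

# Live checks only run when invoked as: bash validate_ccj.sh run
if [ "${1:-}" = run ]; then run_all_checks; exit $?; fi
```

Invoke it with `bash validate_ccj.sh run`; the exit status is non-zero if any check failed, so it can be used from a configuration-management post-install hook.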