Upgrading from JDK 8 to JDK 11 or JDK 17 on FIPS

This section explains the steps to upgrade from JDK 8 to either JDK 11 or JDK 17.

To upgrade from JDK 8 to either JDK 11 or JDK 17, you must change the Java configuration on all hosts as well as the Cloudera Manager configuration.

  1. Configure the Java environment variable by creating the ccj.sh file in the /etc/profile.d/ directory:
    echo "export JDK_JAVA_OPTIONS='--module-path=/opt/cloudera/fips/ccj-3.0.2.1.jar:/opt/cloudera/fips/bctls-safelogic.jar --add-exports java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core --add-modules com.safelogic.cryptocomply.fips.core,bctls.safelogic'" >/etc/profile.d/ccj.sh
    sudo chmod +x /etc/profile.d/ccj.sh
  2. Configure the java.security policy by editing the $JAVA_HOME/jre/lib/security/java.security file.
  3. Set security.useSystemPropertiesFile to false.
  4. Comment out the default security.provider lines and add the following lines:
    #
    # List of providers and their preference orders (see above):
    #
    security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
    security.provider.3=SUN
    security.provider.4=SunRsaSign
    security.provider.5=SunEC
    security.provider.6=SunJSSE
    security.provider.7=SunJCE
    security.provider.8=SunJGSS
    security.provider.9=SunSASL
    security.provider.10=XMLDSig
    security.provider.11=SunPCSC
    security.provider.12=JdkLDAP
    security.provider.13=JdkSASL
  5. Comment out the default fips.provider lines and add the following lines:
    #
    # Security providers used when FIPS mode support is active
    #
    fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
    fips.provider.3=SUN
    fips.provider.4=SunRsaSign
    fips.provider.5=SunEC
    fips.provider.6=SunJSSE
    fips.provider.7=SunJCE
    fips.provider.8=SunJGSS
    fips.provider.9=SunSASL
    fips.provider.10=XMLDSig
    fips.provider.11=SunPCSC
    fips.provider.12=JdkLDAP
    fips.provider.13=JdkSASL
    
  6. Make the following changes to the Cloudera Manager configuration:
    1. Open the /etc/default/cloudera-scm-server file.
    2. In the sections marked "If JDK version is 11 or higher", uncomment the following FIPS-related configuration and make sure the entries point to the correct JAR files and module names:
      # Enable FIPS mode
      #
      # To enable FIPS mode set the -Dcom.cloudera.cmf.fipsMode to true
      #
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} -Dcom.cloudera.cmf.fipsMode=true"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include CCJ with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.jar.path=/opt/cloudera/fips/ccj-3.0.2.1.jar \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.ccj.moduleName=ccj_module_name"
      #
      # If JDK version is 11 or higher:
      # Uncomment and provide values below to include BCTLS with FIPS mode
      export CMF_JAVA_OPTS="${CMF_JAVA_OPTS} \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.jar.path=/opt/cloudera/fips/bctls-safelogic.jar \
      -Dcom.cloudera.cloudera.cmf.fipsMode.jdk11plus.bctls.moduleName=bctls_module_name"

      For example, if the CCJ JAR file name is ccj-test-3.0.2.1.jar, the module name becomes ccj.test; the version numbers are ignored.

      Find the module name with the following command:
      $ sudo ${JAVA_HOME}/bin/jar --file=/opt/cloudera/fips/ccj-test-3.0.2.1.jar --describe-module
      No module descriptor found. Derived automatic module.
      ccj.test@3.0.2.1 automatic <---- module Name is ccj.test
      requires java.base mandated contains com.safelogic.cryptocomply
      
Validate that the Java installation is correct: see Validate the CCJ and CCS installations for JDK 11 or Validate the CCJ and CCS installations for JDK 17.
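As an added example (not part of the Cloudera procedure), the following shell helpers derive the automatic module name that `jar --describe-module` reports for a JAR without a module descriptor, using the JPMS naming rule, and check an edited java.security file for the provider order required in steps 3 to 5. The function names and the sample java.security fragment are constructed here.

```shell
#!/bin/sh
# Derive the JPMS automatic module name from a JAR file name, following the
# rule documented for java.lang.module.ModuleFinder. It applies only when the
# JAR has neither module-info.class nor an Automatic-Module-Name manifest
# entry, so `jar --describe-module` remains the authoritative answer.
automatic_module_name() {
    name=$(basename "$1")
    name=${name%.jar}
    # Drop the version: from the first "-<digits>" that is followed by a dot
    # or ends the name (ModuleFinder's regex "-(\d+(\.|$))") to the end.
    name=$(printf '%s' "$name" | sed -E 's/-[0-9]+(\..*)?$//')
    # Non-alphanumerics become dots, runs of dots collapse, ends are trimmed.
    printf '%s' "$name" | sed -E 's/[^A-Za-z0-9]+/./g; s/^\.//; s/\.$//'
}

# Check that an edited java.security file matches the procedure: the system
# properties file is disabled, CCJ is provider 1, the BCTLS JSSE provider is
# provider 2, and no preference number is used twice (only active lines count).
check_fips_providers() {
    f="$1"
    grep -q '^security\.useSystemPropertiesFile=false$' "$f" || return 1
    p1=$(grep '^security\.provider\.1=' "$f" | head -n 1 | cut -d= -f2-)
    p2=$(grep '^security\.provider\.2=' "$f" | head -n 1 | cut -d= -f2-)
    [ "$p1" = "com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider" ] || return 1
    [ "$p2" = "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ" ] || return 1
    dups=$(grep -E '^security\.provider\.[0-9]+=' "$f" | cut -d= -f1 | sort | uniq -d)
    [ -z "$dups" ]
}

# Constructed sample java.security fragment, as the procedure leaves it.
SAMPLE_SECURITY=$(mktemp)
cat >"$SAMPLE_SECURITY" <<'EOF'
security.useSystemPropertiesFile=false
#security.provider.1=SUN
security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
security.provider.3=SUN
EOF

for jar in ccj-test-3.0.2.1.jar bctls-safelogic.jar; do
    printf '%s -> %s\n' "$jar" "$(automatic_module_name "$jar")"
done
check_fips_providers "$SAMPLE_SECURITY" && echo "java.security provider order OK"
```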