FIPS 140-2 compliance
Federal Information Processing Standards (FIPS) are publicly available standards and guidelines issued by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors. You can configure CDP Private Cloud Base to use FIPS-compliant cryptography.
To install and configure a CDP cluster that is FIPS-compliant, see Installing and Configuring CDP with FIPS. In combination with AutoTLS, the cluster will use BouncyCastle FIPS Keystore (BCFKS) across all the components.
- CEM is compatible with a FIPS 140-2 compliant environment.
- CEM can run on an OS with FIPS turned on and can use FIPS-compliant crypto libraries.
- By default, the KeyStore and TrustStore are in Java KeyStore (JKS) format. This format is not FIPS compliant.
- By default, Edge Flow Manager dataflows are not FIPS compliant. You must specifically design a dataflow to be FIPS compliant.
- If you want to implement FIPS mode on your CEM cluster, you should use the bctls.jar, which uses Galois/Counter Mode (GCM) ciphers. GCM ciphers are not allowed by the EFM Java process by default. For configuration information, see Configuring EFM to use GCM ciphers.
- EFM sensitive properties can be encrypted. See the Encrypting sensitive properties guide for more information.
- For additional details on the FIPS 140-2 Publication, see FIPS 140-2 Security Requirements for Cryptographic Modules.
- For the National Institute of Standards and Technology publication, see FIPS 140-2 Security Requirements for Cryptographic Modules.
Configuring EFM to use GCM ciphers
If you implement FIPS mode on your Cloudera Edge Management (CEM) cluster, you have to use the bctls.jar, which uses Galois/Counter Mode (GCM) ciphers. These ciphers are not allowed by the NiFi Java process by default. Learn how you can configure EFM to use the GCM ciphers.
The Bouncy Castle TLS library bctls.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation once BouncyCastleJsseProvider is configured as a provider in java.security. The default configuration of the BCTLS library does not enable GCM-based ciphers, so TLS server components attempt to negotiate weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable weak cipher suites, which causes cipher mismatch errors when they attempt to connect to a FIPS-enabled deployment of CEM. Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites, avoiding connection issues related to weak algorithms.
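To make the cipher mismatch described above concrete, here is an added Python model (not Cloudera's or Bouncy Castle's code) of TLS cipher-suite negotiation: it classifies IANA suite names as AEAD or CBC, audits what a server enables, and shows that an AEAD-only client has no suite in common with a CBC-only server until GCM suites are enabled. All suite lists are constructed for illustration and do not reproduce any particular browser's or BCTLS's exact defaults.

```python
# Added example: offline model of the negotiation failure discussed above.
# Suite names are IANA names; every list here is constructed for illustration.

AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")

def suite_mode(name):
    """Classify an IANA cipher-suite name as 'aead', 'cbc', or 'other'."""
    if any(marker in name for marker in AEAD_MARKERS):
        return "aead"
    if "_CBC_" in name:
        return "cbc"
    return "other"

def audit(server_suites):
    """Count suites per mode and report whether any AEAD suite is offered,
    which is what modern clients require to complete a handshake."""
    counts = {"aead": 0, "cbc": 0, "other": 0}
    for suite in server_suites:
        counts[suite_mode(suite)] += 1
    return {"counts": counts, "offers_aead": counts["aead"] > 0}

def negotiate(server_suites, client_suites):
    """Return the suite a server picks in its own preference order, or None
    when the lists share nothing (the 'cipher mismatch' seen by browsers)."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None

# Constructed: a server whose TLS stack only enables AES-CBC suites.
CBC_ONLY_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
# Constructed: the same server after GCM suites are enabled and preferred.
GCM_ENABLED_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
] + CBC_ONLY_SERVER
# Constructed: a client that only offers AEAD suites (no CBC at all).
AEAD_ONLY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    print(audit(CBC_ONLY_SERVER), negotiate(CBC_ONLY_SERVER, AEAD_ONLY_CLIENT))
    print(audit(GCM_ENABLED_SERVER), negotiate(GCM_ENABLED_SERVER, AEAD_ONLY_CLIENT))
```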
Follow these steps to configure EFM: