FIPS 140-2 compliance

Federal Information Processing Standards (FIPS) are publicly available standards and guidelines issued by the National Institute of Standards and Technology for use in computer systems by non-military American government agencies and government contractors. You can configure CDP Private Cloud Base to use FIPS-compliant cryptography.

To install and configure a CDP cluster that is FIPS-compliant, see Installing and Configuring CDP with FIPS. In combination with AutoTLS, the cluster will use BouncyCastle FIPS Keystore (BCFKS) across all the components.

Note the following points about FIPS compliance in CEM:
  • CEM is compatible with a FIPS 140-2 compliant environment.
  • CEM can run on an OS with FIPS turned on and can use FIPS-compliant crypto libraries.
  • By default, the KeyStore and TrustStore are in Java KeyStore (JKS) format. This format is not FIPS compliant.
  • By default, Edge Flow Manager dataflows are not FIPS compliant. You must specifically design a dataflow to be FIPS compliant.
  • If you want to implement FIPS mode on your CEM cluster, you should use the bctls.jar, which uses Galois/Counter Mode (GCM) ciphers. GCM ciphers are not allowed by the EFM Java process by default. For configuration information, see Configuring EFM to use GCM ciphers.
  • EFM sensitive properties can be encrypted. See the Encrypting sensitive properties guide for more information.
  • For additional details on the FIPS 140-2 Publication, see FIPS 140-2 Security Requirements for Cryptographic Modules.

For the National Institute of Standards and Technology publication, see FIPS 140-2 Security Requirements for Cryptographic Modules.

Configuring EFM to use GCM ciphers

If you implement FIPS mode on your Cloudera Edge Management (CEM) cluster, you have to use the bctls.jar, which uses Galois/Counter Mode (GCM) ciphers. These ciphers are not allowed by the NiFi Java process by default. Learn how you can configure EFM to use the GCM ciphers.

The Bouncy Castle TLS library bctls.jar includes an implementation of the TLS protocol that takes precedence over the standard Java implementation (SunJSSE) when BouncyCastleJsseProvider is registered ahead of it as a provider in java.security. The default configuration of the BCTLS library does not enable GCM-based cipher suites, so TLS server components fall back to negotiating weak cipher suites based on AES-CBC. Modern web browsers such as Google Chrome and Mozilla Firefox disable these weak cipher suites, causing cipher mismatch errors when connecting to a FIPS-enabled deployment of CEM. Enabling GCM-based ciphers allows clients to negotiate modern TLS cipher suites and avoids connection failures caused by weak algorithms.

Follow these steps to configure EFM:

  1. Download the FIPS JAR files from the Cloudera repository.
  2. Copy the bctls.jar and ccj-3.0.2.1.jar files from the downloaded files to the CEM library.
    cp bctls.jar ccj-3.0.2.1.jar [***EFM_DIRECTORY***]/lib
  3. Make sure there is a JDK 17 installed and configured for FIPS.
    • The following snippet is present in the java.policy file.

      // CCJ Java Permissions
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission java.security.SecurityPermission "putProviderProperty.CCJ";
      
      // CCJ Key Export and Translation
      permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
      
      // CCJ SSL
      permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
      
      // CCJ Setting of Default SecureRandom
      permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
      
      // CCJ Setting CryptoServicesRegistrar Properties
      permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
      
      // CCJ Enable JKS
      permission com.safelogic.cryptocomply.jca.enable_jks "true";
      
    • The java.security security providers section contains the following:

      security.provider.1=CryptoComplyFipsProvider
      security.provider.2=BouncyCastleJsseProvider fips:CCJ
      security.provider.3=SUN
      security.provider.4=SunRsaSign
      security.provider.5=SunEC
      security.provider.6=SunJSSE
      security.provider.7=SunJCE
      security.provider.8=SunJGSS
      security.provider.9=SunSASL
      security.provider.10=XMLDSig
      #security.provider.11=SunPCSC
      security.provider.12=JdkLDAP
      security.provider.13=JdkSASL
      security.provider.14=SunPKCS11
      
  4. Set the org.bouncycastle.jsse.fips.allowGCMCiphers=true Java system property in the efm.conf configuration file to enable support for GCM-based ciphers using the BCTLS library.
    JAVA_OPTS="-Xms2048m -Xmx2048m -XX:+UseG1GC -Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true --module-path=[***EFM_DIR***]/lib/ccj-3.0.2.1.jar:[***EFM_DIR***]/lib/bctls.jar"

    If the property is not set, browsers connecting to EFM display an error like the following:

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    Unsupported protocol
    The client and server don't support a common SSL protocol version or cipher suite
    
  5. If you are using Cloudera Manager to manage EFM, add the following parameter to the JAVA_OPTS property.
    1. In Cloudera Manager, go to the NiFi service.
    2. Select Configuration.
    3. Locate the JAVA_OPTS property.
      You can search for it by typing its name in the Search box.
    4. Append the following to the existing property.
      -Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true --module-path=[***EFM_DIR***]/lib/ccj-3.0.2.1.jar:[***EFM_DIR***]/lib/bctls.jar
      
    5. Click Save Changes to commit the changes.
    6. Restart the service.
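The following script is an added example, not Cloudera's or Bouncy Castle's code. It checks the two configuration points of steps 3 and 4 above by reading java.security and efm.conf as plain text: CryptoComplyFipsProvider must be provider 1, BouncyCastleJsseProvider must carry the fips:CCJ argument and sit ahead of SunJSSE, JAVA_OPTS must contain the allowGCMCiphers property, and both FIPS jars must be on --module-path. It also warns about a gap in the security.provider numbering, because the JDK loads providers in ascending order and stops at the first missing number. The file paths mentioned in main() and the sample file contents are constructed for illustration.

```python
"""Sanity check for the GCM-cipher configuration steps (added example, not Cloudera's code)."""
import re
import sys

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)(?:\s+(.*))?$")


def parse_providers(text):
    """Map N -> (provider class, argument) for uncommented security.provider.N lines."""
    providers = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out entries such as '#security.provider.11=...' are not loaded
        m = PROVIDER_RE.match(line)
        if m:
            providers[int(m.group(1))] = (m.group(2), (m.group(3) or "").strip())
    return providers


def check_java_security(text):
    """Return findings for the provider list; an empty list means it matches step 3."""
    findings = []
    providers = parse_providers(text)
    if not providers:
        return ["no security.provider.N entries found"]
    if providers.get(1, ("", ""))[0] != "CryptoComplyFipsProvider":
        findings.append("security.provider.1 is not CryptoComplyFipsProvider")
    bc = [n for n, (cls, _) in providers.items() if cls == "BouncyCastleJsseProvider"]
    sun = [n for n, (cls, _) in providers.items() if cls == "SunJSSE"]
    if not bc:
        findings.append("BouncyCastleJsseProvider is not registered")
    else:
        if providers[bc[0]][1] != "fips:CCJ":
            findings.append("BouncyCastleJsseProvider is registered without the 'fips:CCJ' argument")
        if sun and sun[0] < bc[0]:
            findings.append("SunJSSE precedes BouncyCastleJsseProvider, so BCTLS does not take precedence")
    # The JDK reads security.provider.N in ascending order and stops at the first
    # missing number, so every entry after a gap is silently ignored.
    for expected, n in enumerate(sorted(providers), start=1):
        if n != expected:
            findings.append(f"warning: security.provider.{expected} is missing; "
                            f"entries from {n} onward are not loaded")
            break
    return findings


def java_opts_from_conf(conf_text):
    """Return the JAVA_OPTS value from a KEY="value" style efm.conf, or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("JAVA_OPTS="):
            return line[len("JAVA_OPTS="):].strip().strip('"')
    return None


def check_java_opts(conf_text):
    """Return findings for step 4: the GCM property and the two FIPS jars on --module-path."""
    opts = java_opts_from_conf(conf_text)
    if opts is None:
        return ["JAVA_OPTS is not set in efm.conf"]
    findings = []
    tokens = opts.split()
    if "-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true" not in tokens:
        findings.append("-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true is missing; "
                        "BCTLS will offer only AES-CBC suites and browsers will refuse to connect")
    module_paths = [t for t in tokens if t.startswith("--module-path=")]
    if not module_paths:
        findings.append("--module-path is missing")
    else:
        entries = module_paths[0].split("=", 1)[1].split(":")
        for jar in ("ccj-3.0.2.1.jar", "bctls.jar"):
            if not any(e == jar or e.endswith("/" + jar) for e in entries):
                findings.append(f"{jar} is not on --module-path")
    return findings


# Constructed sample inputs (not captured from a real deployment).
SAMPLE_JAVA_SECURITY = """\
security.provider.1=CryptoComplyFipsProvider
security.provider.2=BouncyCastleJsseProvider fips:CCJ
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE
"""
SAMPLE_EFM_CONF = ('JAVA_OPTS="-Xms2048m -Xmx2048m -XX:+UseG1GC '
                   '-Dorg.bouncycastle.jsse.fips.allowGCMCiphers=true '
                   '--module-path=/opt/efm/lib/ccj-3.0.2.1.jar:/opt/efm/lib/bctls.jar"\n')


def audit(java_security_path, efm_conf_path):
    """Check both files on disk and return the combined findings."""
    with open(java_security_path) as f:
        findings = check_java_security(f.read())
    with open(efm_conf_path) as f:
        findings += check_java_opts(f.read())
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:  # assumed paths: $JAVA_HOME/conf/security/java.security <EFM_DIR>/conf/efm.conf
        results = audit(sys.argv[1], sys.argv[2])
    else:
        results = check_java_security(SAMPLE_JAVA_SECURITY) + check_java_opts(SAMPLE_EFM_CONF)
    for r in results:
        print(r)
    print("OK" if not results else f"{len(results)} finding(s)")
```

Run it with no arguments to check the embedded samples, or pass the real java.security and efm.conf paths. Treat the numbering warning separately from the other findings: it does not affect TLS, since BouncyCastleJsseProvider sits at position 2, but any provider listed after the gap (for example JdkLDAP) is not available to the JVM.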