Configuring JVM security providers (FIPS)

NiFi and NiFi Registry are not FIPS compliant out of the box. When cfm-nifi-k8s boots NiFi version 1 on a FIPS-enabled cluster, the Pod enters a CrashLoop while attempting to load JKS keystores. NiFi version 2 will boot but will not necessarily be compliant. Follow the instructions here to add security providers to the NiFi JVM and enable FIPS compliance.

Prerequisites

FIPS compliance requires special security providers to be given to the NiFi and NiFi Registry containers. To fully configure these new providers, the operator requires a few pieces of information:

  1. Security provider jars.

  2. Keystore provider class.

  3. Preferred keystore format.

  4. Security providers definition.

  5. Java policy for providers (optional).

Security provider jars

These are Java jar files containing FIPS compliant security providers that you have obtained from Cloudera (CCJ and BCTLS) or another vendor, such as Safelogic. The jars should be referred to by the environment variable PROVIDER_JAR_PATH.

The rest of this document will show examples using ccj and bctls from Cloudera’s archive mirror.

Keystore provider class

This is the provider class that should be used for constructing keystores and truststores. Using ccj, this would be com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider. It is provided to NiFi by the environment variable KEYSTORE_PROVIDER_CLASS.

Preferred keystore format

The default keystore format JKS is a weak format and generally not FIPS compliant. Your security provider may provide a different format, such as Bouncy Castle FIPS KeyStore (BCFKS). This will be supplied to NiFi by environment variable KEYSTORE_TYPE.

Security providers definition

The security providers to add to the JVM must be provided in a file with one provider per line.

CCJ example:

$ cat additional-security-providers.txt 
com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ

A path reference to this file must be provided with an environment variable SECURITY_PROVIDERS_PATH.

Java policy for providers

Some providers need additional permissions, which are granted via Java policy. A standard Java policy file can be provided; see this CCJ example:

$ cat additional-java-policy.txt 
grant {
    //CCJ Java Permissions
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "java.runtime.name", "read";
    permission java.security.SecurityPermission "putProviderProperty.CCJ";
    //CCJ Key Export and Translation
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
    //CCJ SSL
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
    //CCJ Setting of Default SecureRandom
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
    //CCJ Setting CryptoServicesRegistrar Properties
    permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
    //CCJ Enable JKS
    permission com.safelogic.cryptocomply.jca.enable_jks "true";
};

A path reference to this file must be provided with an environment variable JAVA_POLICY_PATH.
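
A pre-flight check for the settings described in the sections above, as an added example that is not part of Cloudera's documentation or the operator's code. The function names, the skipping of blank lines, and the expectation that KEYSTORE_PROVIDER_CLASS also appears in the providers file are assumptions; the values in demo are constructed from the CCJ examples on this page.

```shell
# Added example (not Cloudera's code): pre-flight lint for the settings on this page.
# Assumptions: the function names, skipping blank lines, and expecting the
# keystore provider class to appear in the providers file as well.
CR=$(printf '\r')
CCJ=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
FQCN='^([A-Za-z_$][A-Za-z0-9_$]*\.)+[A-Za-z_$][A-Za-z0-9_$]*$'

# Lint the providers file: one fully qualified class per line, optional argument.
check_providers_file() {
    pf=$1; bad=0; n=0
    [ -r "$pf" ] || { echo "providers file not readable: $pf"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '') continue ;;
            *"$CR"*) echo "line $n: CRLF line ending"; bad=$((bad + 1)); continue ;;
        esac
        printf '%s\n' "${line%% *}" | grep -Eq "$FQCN" ||
            { echo "line $n: not a fully qualified class name"; bad=$((bad + 1)); }
    done < "$pf"
    [ "$bad" -eq 0 ]
}

# Cross-check the environment variables this page names.
preflight() {
    rc=0
    [ -n "${PROVIDER_JAR_PATH:-}" ] || { echo "PROVIDER_JAR_PATH is unset"; rc=1; }
    case $(printf '%s' "${KEYSTORE_TYPE:-}" | tr '[:lower:]' '[:upper:]') in
        '')  echo "KEYSTORE_TYPE is unset"; rc=1 ;;
        JKS) echo "KEYSTORE_TYPE is JKS, the weak default format"; rc=1 ;;
    esac
    check_providers_file "${SECURITY_PROVIDERS_PATH:-}" || rc=1
    awk -v c="${KEYSTORE_PROVIDER_CLASS:-}" 'c != "" && $1 == c { f = 1 } END { exit !f }' \
        "${SECURITY_PROVIDERS_PATH:-/dev/null}" 2>/dev/null ||
        { echo "KEYSTORE_PROVIDER_CLASS is unset or not in the providers file"; rc=1; }
    [ -z "${JAVA_POLICY_PATH:-}" ] || [ -r "$JAVA_POLICY_PATH" ] ||
        { echo "JAVA_POLICY_PATH is set but not readable"; rc=1; }
    return "$rc"
}

# Constructed demo: the CCJ values from this page, written to a temp directory.
demo() (
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
    printf '%s\n' "$CCJ" 'org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ' > "$d/p.txt"
    PROVIDER_JAR_PATH=/constructed/jars KEYSTORE_TYPE=BCFKS KEYSTORE_PROVIDER_CLASS=$CCJ
    SECURITY_PROVIDERS_PATH=$d/p.txt JAVA_POLICY_PATH=
    preflight && echo "preflight: ok"
)
demo
```

Run preflight in a shell where the variables are set to the same values the NiFi container will receive; a non-zero exit status means at least one finding was printed.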