Install and configure additional required components

Use the following steps to install additional required components for FIPS.

  1. Perform the steps described in Additional Steps for Apache Ranger.
  2. Add Ranger to the Shadow group by using the following command:
    usermod -a -G shadow ranger
  3. Install and Configure TLS either automatically or manually.
    If you are manually configuring TLS, see:

    Generate certificates in BCFKS format

    The standard keytool utility distributed with the JDK can generate BCFKS formatted keystores using the CCJ security provider. When the CCJ security provider is statically installed into the JDK as previously described, passing the keytool utility the -providerpath path/to/ccj-3.0.2.1.jar or -providerclass com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS arguments is not required. The only necessary action is to pass BCFKS as the storetype for the keytool operation being invoked.

    For example, the keytool -importkeystore argument can be used to import a PKCS12 keystore into a BCFKS keystore.

    keytool \
        -importkeystore -v \
        -srckeystore <pkcs12_keystore_file> \
        -srcstoretype PKCS12 \
        -srcstorepass <pkcs12_pass> \
        -destkeystore <bcfks_keystore_file> \
        -deststoretype BCFKS \
        -deststorepass <bcfks_keystore_pass> \
        -destkeypass <bcfks_key_pass>

    Systems administrators and other platform implementers msut consult their organization information systems security managers for the correct procedures for generating keypairs and requesting signing of x509 certificates. The Cloudera Data Platform requires the private key and signed certificate in both PEM encoded and BCFKS keystore format. Generating keypairs can be done, for example, by performing the following steps:

    1. Generate a key by using the openssl genpkey command.
    2. Request xx by using the openssl req command.
    3. Have the CA sign the CSR.
    4. Import the private key and signed certificate into a PKCS12 keystore by using the following command:
      openssl pkcs12
    5. Import the PKCS12 keystore into a BCFKS keystore by using the following command:
      keytool -importkeystore
  4. Enable Kerberos authentication using the Cloudera Manager Kerberos wizard.
  5. Set the kdc_timeout value in the krb5.conf file to a high enough setting to avoid client timeout errors while running queries.
    1. Open the /etc/krb5.conf file with a text editor.
    2. Under the [libdefaults] line, set the kdc_timeout value to a minimum of 5000 (5 seconds).
  6. Install Apache Knox. For instructions, see Installing Apache Knox.
  7. Install Ranger KMS with Key Trustee Server. For instructions, see Installing Ranger KMS backed with a Key Trustee Server and HA
  8. Configure HDFS Transparent Data Encryption with Ranger KMS with Key Trustee Server.