Install and configure additional required components
Use the following steps to install additional required components for FIPS.
- Perform the steps described in Additional Steps for Apache Ranger.
- Add the ranger user to the shadow group by using the following command:
usermod -a -G shadow ranger
- Install and configure TLS, either automatically or manually. If you are using Auto-TLS, follow the Auto-TLS procedure; if you are configuring TLS manually, follow the manual TLS procedure.
Generate certificates in BCFKS format
The standard keytool utility distributed with the JDK can generate BCFKS-formatted keystores by using the CCJ security provider. When the CCJ security provider is statically installed into the JDK as previously described, passing keytool the -providerpath path/to/ccj-3.0.2.1.jar or -providerclass com.safelogic.cryptocomply.jcajce.provider.ProvBCFKS arguments is not required. The only necessary action is to pass BCFKS as the storetype for the keytool operation being invoked.
For example, the keytool -importkeystore command can be used to import a PKCS12 keystore into a BCFKS keystore:
keytool \
  -importkeystore -v \
  -srckeystore <pkcs12_keystore_file> \
  -srcstoretype PKCS12 \
  -srcstorepass <pkcs12_pass> \
  -destkeystore <bcfks_keystore_file> \
  -deststoretype BCFKS \
  -deststorepass <bcfks_keystore_pass> \
  -destkeypass <bcfks_key_pass>
Systems administrators and other platform implementers must consult their organization's information systems security managers for the correct procedures for generating key pairs and requesting signing of X.509 certificates. The Cloudera Data Platform requires the private key and signed certificate in both PEM-encoded and BCFKS keystore format. Generating a key pair and keystore can be done, for example, by performing the following steps:
- Generate a private key by using the openssl genpkey command.
- Create a certificate signing request (CSR) by using the openssl req command.
- Have the CA sign the CSR.
- Import the private key and signed certificate into a PKCS12 keystore by using the openssl pkcs12 command.
- Import the PKCS12 keystore into a BCFKS keystore by using the keytool -importkeystore command.
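The five steps above, carried out end to end as an added example (this is not Cloudera's script and not part of the original page). It assumes a hypothetical host name ranger.example.com and keystore alias ranger, and, because a real CA cannot be reached offline, it creates a throwaway test CA to sign the CSR; in production you submit host.csr to your organization's CA and receive host.crt back. The final step assumes the CCJ provider is already statically installed in the JDK as described above, so -storetype BCFKS works without -providerpath or -providerclass. The PKCS12 bundle is written with AES-256 and SHA-256 PBE/MAC because a FIPS-mode keytool may refuse the legacy RC2/3DES defaults that older OpenSSL releases use.

```shell
#!/bin/sh
# Added example: PEM key -> CSR -> signed cert -> PKCS12 -> BCFKS, as in the steps above.
# Assumptions (hypothetical): HOST ranger.example.com, alias "ranger", CCJ provider already in the JDK.
set -eu

HOST="${HOST:-ranger.example.com}"
ALIAS="${ALIAS:-ranger}"

# Steps 1-4: write host.key, host.csr, host.crt, ca.crt and host.p12 into $1, protecting the
# PKCS12 file with password $2. The test CA created here stands in for the organization's CA.
make_pem_and_pkcs12() {
    dir="$1"; pass="$2"
    # Minimal req config so "openssl req" works even where no system openssl.cnf is present.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    # Step 1: RSA-3072 private key, PEM encoded (CDP needs the PEM key and cert as well as the keystore).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/host.key" 2>/dev/null
    chmod 600 "$dir/host.key"
    # Step 2: CSR with the host name as the subject CN.
    openssl req -new -config "$dir/req.cnf" -key "$dir/host.key" -subj "/CN=$HOST" -out "$dir/host.csr"
    # Step 3: CA signs the CSR. The SAN and EKU are supplied from an extension file so they
    # appear in the issued certificate (x509 -req does not copy CSR extensions by default).
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:3072 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/CN=Throwaway Test CA" -days 1 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$HOST" > "$dir/host.ext"
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$dir/host.ext" -out "$dir/host.crt" 2>/dev/null
    # Step 4: bundle key, certificate and CA chain into PKCS12 under the alias keytool will keep.
    # FIPS-approved PBE/MAC algorithms are forced; older OpenSSL defaults (RC2/3DES, SHA-1) may be
    # rejected by a FIPS-mode JDK when it reads the file.
    openssl pkcs12 -export -inkey "$dir/host.key" -in "$dir/host.crt" -certfile "$dir/ca.crt" \
        -name "$ALIAS" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -out "$dir/host.p12" -passout "pass:$pass"
    chmod 600 "$dir/host.p12"
}

# Step 5: convert the PKCS12 bundle into a BCFKS keystore and check the entry landed.
# Requires the CCJ provider to be statically installed in the JDK (see the text above).
import_bcfks() {
    dir="$1"; p12pass="$2"; bcfkspass="$3"
    keytool -importkeystore -v \
        -srckeystore "$dir/host.p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
        -destkeystore "$dir/host.bcfks" -deststoretype BCFKS \
        -deststorepass "$bcfkspass" -destkeypass "$bcfkspass"
    chmod 600 "$dir/host.bcfks"
    # Verify: the alias must be present as a PrivateKeyEntry in the new keystore.
    keytool -list -v -storetype BCFKS -keystore "$dir/host.bcfks" -storepass "$bcfkspass" \
        | grep -q "Alias name: $ALIAS"
}

# Usage: sh make_bcfks.sh run /path/to/outdir <pkcs12_pass> <bcfks_pass>
if [ "${1:-}" = "run" ]; then
    make_pem_and_pkcs12 "$2" "$3"
    import_bcfks "$2" "$3" "$4"
fi
```

Point Cloudera Manager at host.key and host.crt for the PEM side and at host.bcfks (with the same alias) for the keystore side; keep the .p12 only as long as you need it, since it holds the same private key. If keytool reports that BCFKS is an unknown keystore type, the CCJ provider is not installed statically and the -providerpath / -providerclass arguments from the text above are needed.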
- Enable Kerberos authentication using the Cloudera Manager Kerberos wizard.
- Set the kdc_timeout value in the krb5.conf file to a setting high enough to avoid client timeout errors while running queries:
  - Open the /etc/krb5.conf file with a text editor.
  - Under the [libdefaults] line, set the kdc_timeout value to a minimum of 5000 (5 seconds).
- Install Apache Knox. For instructions, see Installing Apache Knox.
- Install Ranger KMS with Key Trustee Server. For instructions, see Installing Ranger KMS backed with a Key Trustee Server and HA.
- Configure HDFS Transparent Data Encryption with Ranger KMS with Key Trustee Server.