Cloudera Docs

Overview

This topic provides important background information about CDP running in FIPS-compliant mode by using FIPS 140-2 validated cryptographic modules.

The Federal Information Processing Standards (FIPS) publications are publicly available standards and guidelines jointly developed by the US government and industry, and issued by the National Institute of Standards and Technology (NIST) for use in information systems by Federal government agencies and government contractors.

Within the FIPS Publications, the FIPS Publication 140-2 (FIPS 140-2) is the standard for encryption modules. FIPS 140-2 specifies the security requirements that must be satisfied by a cryptographic module utilized within a security system protecting sensitive information. To ensure conformance with the FIPS 140-2 standard, cryptographic modules must first be validated as conforming to the FIPS 140-2 standard using the Cryptographic Module Validation Program (CMVP). Through the CMVP, validation of a cryptographic module for FIPS 140-2 conformance is conducted by independent Cryptographic and Security Testing (CST) laboratories that have been accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). Following validation, cryptographic modules are issued validation certificates, and these modules can then be deployed by Federal agencies as part of information systems that require the protection of sensitive information. For additional details on the FIPS 140-2 Publication and standard, see Security Requirements for Cryptographic Modules.

While the FIPS 140-2 standard has been broadly adopted, in the United States the FIPS 140-2 standard is leveraged in several government security compliance and accreditation mandates and frameworks, including FISMA, FedRAMP, and DISA Security Technical Implementation Guides (STIG). Within many of these compliance and accreditation mandates, it is specified that FIPS validated cryptography must be used at a minimum when encryption is employed within an information system. These mandates also specify that FIPS-validated cryptography must be used in a compliant manner consistent with the standard and mandates. As a result, system operators are typically required to perform the following operations:

  1. Enable FIPS mode within an operating system (OS) used in the information system, for example, RHEL and CentOS, to ensure that the OS is configured to be compliant with the FIPS 140-2 standard, and to enforce the use of FIPS-approved keystores, algorithms, and strengths with FIPS 140-2 validated cryptographic modules.
  2. With respect to the application running on top of the OS, ensure that FIPS 140-2 validated cryptographic modules are used with the application. In addition, configure the application to be compliant with the FIPS 140-2 standard as well as the government security compliance and applicable accreditation mandate or framework. This typically includes employing the use of FIPS-approved keystores and algorithms with FIPS 140-2 validated cryptographic modules, as well as employing strong authentication, authorization, audit, data governance, in-transient data encryption, and at-rest data encryption features.

Beginning with CDP Private Cloud Base version 7.1.5, CDP Private Cloud Base can be configured to operate in a FIPS-compliant mode by leveraging FIPS 140-2 validated cryptographic modules. Cloudera has accomplished this by supporting the deployment of the CDP Private Cloud Base platform on a FIPS-mode enabled operating system, for example, RHEL or CentOS, that is integrated with FIPS 140-2 validated cryptography modules.

SafeLogic provides Cloudera with supported FIPS 140-2 validated modules that have been approved through the NIST CMVP. These modules replace Java Cryptographic Extension (JCE) providers, such as Bouncy Castle, OpenSSL, NSS, and Libgcrypt cryptographic libraries. The SafeLogic CryptoComply modules are separately licensed as a bundle and can be acquired through a request to your Cloudera Account Team. The SafeLogic CryptoComply includes the following modules:

  • CryptoComply for Server (CCS) - OpenSSL RPMs

  • CryptoComply for Java (CCJ) - Java Cryptography Extension JAR

  • CryptoComply for Libgcrypt RPMs