Prerequisites
Required prerequisites for FIPS for CDP.
About CDP with FIPS
Creating a new, fresh cluster is the only way to enable or disable FIPS.
Known Issues
Unsupported Features
- Upgrades are not currently supported to or from CDP with FIPS.
- Replication is not currently supported.
- MRIT localfs is not supported in FIPS environments where SHA2 compatibility is required.
System Requirements
- Operating system: RHEL/CentOS 7.9 or RHEL 8.8. For more information, see Operating system requirements.
- Java: OpenJDK 8 / Oracle JDK 8 or OpenJDK 11 / Oracle JDK 11. For more information, see Java requirements.
- OpenJDK versions: for FIPS, the minimum required / latest tested version is 1.8u231.
- Install and configure a database. See Step 3. Install and Configure Databases.
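A pre-flight check for the operating system and Java requirements listed above, as an added example (not Cloudera's own tooling). The function names `check_os` and `check_java` are hypothetical, the sample release strings are constructed, and the check assumes the 1.8u231 minimum applies to JDK 8 while any JDK 11 release is accepted.

```shell
#!/bin/sh
# Added example: pre-flight check for the OS and Java requirements above.
# Inputs are passed in as strings so the checks can be exercised offline.

# check_os RELEASE_LINE: accept RHEL/CentOS 7.9 or RHEL 8.8.
# Expects the content of /etc/redhat-release: CentOS 7 reports only
# VERSION_ID="7" in /etc/os-release, which hides the minor version.
check_os() (
    # Pull "major.minor" from e.g. "CentOS Linux release 7.9.2009 (Core)".
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*release \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$1" in
        "Red Hat Enterprise Linux"*) [ "$ver" = 7.9 ] || [ "$ver" = 8.8 ] ;;
        CentOS*)                     [ "$ver" = 7.9 ] ;;
        *)                           false ;;
    esac
)

# check_java VERSION_OUTPUT: accept JDK 8 at update 231 or later, or JDK 11.
# Expects the text of `java -version 2>&1`. Assumption: the page's 1.8u231
# minimum applies to JDK 8; the page gives no minimum update for JDK 11.
check_java() (
    # Match the line holding version "..." so a leading
    # "Picked up JAVA_TOOL_OPTIONS" line does not break parsing.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.8.0_*)
            upd=${ver#1.8.0_}       # "232" or "232-ea"
            upd=${upd%%[!0-9]*}     # keep the leading digits only
            [ -n "$upd" ] && [ "$upd" -ge 231 ] ;;
        11|11.*) true ;;
        *)       false ;;
    esac
)

# Constructed sample inputs, not captured from real hosts.
for os in "Red Hat Enterprise Linux release 8.8 (Ootpa)" \
          "CentOS Linux release 7.9.2009 (Core)" \
          "Red Hat Enterprise Linux release 8.6 (Ootpa)"; do
    if check_os "$os"; then echo "PASS  $os"; else echo "FAIL  $os"; fi
done
for jv in 'openjdk version "1.8.0_232"' 'java version "1.8.0_201"' \
          'openjdk version "11.0.19" 2023-04-18 LTS'; do
    if check_java "$jv"; then echo "PASS  $jv"; else echo "FAIL  $jv"; fi
done
# On a real host:
#   check_os "$(cat /etc/redhat-release)" && check_java "$(java -version 2>&1)"
```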
Supported CDP Versions
- Cloudera Manager versions 7.2.4, 7.3.1, 7.4.4, 7.6.1, 7.7.1, 7.7.3, and 7.11.3
- CDP Private Cloud Base versions 7.1.5, 7.1.6, 7.1.7, 7.1.7 SP1, 7.1.7 SP2, 7.1.8, and 7.1.9
Supported CDP Components
The following components are supported in FIPS mode:
- Atlas
- Avro
- Cloudera Manager
- Cruise Control
- Hadoop
- Hadoop Credential Provider
- HDFS
- HBase
- Hive
- Hive-on-Tez
- Hive Meta Store
- Hive Warehouse Connector
- Hue
- Iceberg
- Impala
- Kafka
- Kerberos
- Key Trustee Server
- Knox
- Kudu
- Livy
- MapReduce
- OMID
- Oozie
- Parquet
- Phoenix
- Queue Manager
- Ranger
- Ranger KMS
- Schema Registry
- Streams Messaging Manager
- Streams Replication Manager
- Solr
- Spark
- Sqoop
- Tez
- TLS
- YARN
- Zeppelin
- ZooKeeper
Step 1: Prepare hosts
ONLY for JDK 11:
To provide Livy Support on FIPS for JDK 11,
For Spark to work correctly on FIPS for JDK 11:
Step 2: Install and configure the SafeLogic modules and packages for RHEL 7 OS
For RHEL 7, install and configure SafeLogic packages.
- Obtain the CryptoComply for Libgcrypt (CC for Libgcrypt) and CryptoComply for Server (CC for Server) SafeLogic modules and packages.
- Copy the CryptoComply for Server (CCS) - OpenSSL RPMs to all hosts.
- Copy the CryptoComply for Libgcrypt RPMs to all hosts.
Step 3: Install Cloudera Manager server
Step 4: Validate the CCJ and CCS installation
Run the following commands on each host to validate the CCJ and CCS installation.
Step 5: Install and configure databases
- Configure the database in a FIPS-compliant manner. Consult the vendor documentation for your database for details.
- Enable the database for TLS/SSL clients, to ensure that all JDBC connections into these databases are FIPS compliant. Consult the vendor documentation for your database for details.
- Configure the JDBC driver in a FIPS-compliant manner, with TLS/SSL and BCFKS provided by the CCJ JCE provider. Consult the following Cloudera Knowledge Base article for more information: Configuring SSL/TLS from the various CDH Services to their respective PostgreSQL Databases.
- Complete the setup of your databases for use with Cloudera Manager and Cloudera Runtime components. See Install and Configure PostgreSQL for CDP.