Verifying the Client Configuration

Describes how to verify that clients installed in a FIPS or mixed FIPS/non-FIPS environment are configured correctly.

After running any pre-configuration steps and the configure.sh script with the -c (client only) option, your client should be successfully configured. The final step is to verify your client configuration. Most of these steps are the same as verification steps for release 6.2.0 and earlier client installations. An added step for FIPS clients is to verify the existence and functionality of the Hadoop Credential Provider store, in order to protect your trust store passwords.

Verifying the Trust Store Configuration

On FIPS-enabled clients, you can run the keytool -list -keystore command to view the entries in the trust store:
[root@m2-mapreng-vm166251 ~]# keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks -storepass mapr123 -storetype bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar -providername BCFIPS 
Keystore type: BCFKS 
Keystore provider: BCFIPS 

Your keystore contains 4 entries 

fips2.cluster.com, Sep 2, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44 
fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92 
hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55 
hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,  
Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16 

Verifying the Hadoop Credential Provider Store

Beginning with release 7.0.0, passwords from ssl-client.xml are now stored in the Hadoop Credential Provider Store in ${MAPR_HOME}/conf/maprtrustcreds.bcfks (for FIPS-enabled nodes) and ${MAPR_HOME}/conf/maprtrustcreds.jceks (for secure non-FIPS nodes). You should also verify that the Hadoop Credential Provider trust store is correctly configured. The hadoop credential list command for a client node should only contain a single entry for the password for the ssl.client.truststore.password property:
# hadoop credential list 
Listing aliases for CredentialProvider: localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks 
ssl.client.truststore.password 

Verifying Server Connectivity

You should also perform the regular verifications to confirm server connectivity to ensure that you can successfully obtain a Data Fabric ticket using maprlogin and execute Hadoop commands, for example:
# maprlogin password 
[Password for user 'root' at cluster 'fips0.cluster.com': ]  
MapR credentials of user 'root' for cluster 'fips0.cluster.com' are written to '/tmp/maprticket_0' 
# hadoop fs -ls / 
Found 5 items 
drwxr-xr-x   - mapr mapr      3 2021-08-19 17:11 /apps 
drwxr-xr-x   - mapr mapr      0 2021-08-19 17:13 /opt 
drwxrwxrwx   - mapr mapr      0 2021-08-19 17:10 /tmp 
drwxr-xr-x   - mapr mapr      1 2021-08-19 17:14 /user 
drwxr-xr-x   - mapr mapr      2 2021-08-19 17:14 /var 
If your client is connecting to multiple clusters, use the hadoop fs -ls maprfs://<clustername>/ command to verify your configuration. For example:
# hadoop fs -ls maprfs://fips0.cluster.com/ 
Found 5 items 
drwxr-xr-x   - mapr mapr   3 2021-08-30 09:23 maprfs://fips0.cluster.com/apps 
drwxr-xr-x   - mapr mapr   0 2021-08-30 09:25 maprfs://fips0.cluster.com/opt 
drwxrwxrwx   - mapr mapr   0 2021-08-30 09:22 maprfs://fips0.cluster.com/tmp 
drwxr-xr-x   - mapr mapr   1 2021-08-30 09:26 maprfs://fips0.cluster.com/user 
drwxr-xr-x   - mapr mapr   2 2021-08-30 09:26 maprfs://fips0.cluster.com/var