Security Files and Subdirectories

This section describes new security files and subdirectories added for release 7.0.0 to support FIPS compliance.

To support FIPS compliance and other security enhancements, release 7.0.0 added some new security files and subdirectories that must be copied during installation.

Files to Copy When All Nodes Are FIPS Compliant or All Nodes Are Non-FIPS Compliant

A manual installation of the HPE Ezmeral Data Fabric involves running configure.sh with the -genkeys option on the primary CLDB node and then copying various files to the $[MAPR_HOME]/conf directory on all other nodes. After copying the files from the first CLDB node, you must run the configure.sh command with the same parameters as the first CLDB node but without the -genkeys option.

The following table shows the files and subdirectories that must be copied:

Table 1. All Nodes Are FIPS Compliant or All Nodes Are Non-FIPS Compliant
Destination Node Type / These Files and Subdirectories Must Be Copied

CLDB and/or ZooKeeper Nodes:
  • conf/ssl_keystore.bcfks [1]
  • conf/ssl_keystore.p12 [1]
  • conf/ssl_keystore.pem [1]
  • conf/maprkeycreds.*
  • conf/maprtrustcreds.*
  • conf/maprhsm.conf
  • conf/maprserverticket
  • hadoop/hadoop-2.7.6/etc/hadoop/ssl*.xml
  • conf/tokens (use scp -r to copy everything in this folder)

All other cluster nodes, including MFS-only nodes:
  • conf/ssl_keystore.bcfks [1]
  • conf/ssl_keystore.p12 [1]
  • conf/ssl_keystore.pem [1]
  • conf/maprkeycreds.*
  • conf/maprtrustcreds.*
  • conf/maprhsm.conf
  • conf/maprserverticket
  • hadoop/hadoop-2.7.6/etc/hadoop/ssl*.xml

Client nodes:
  • conf/ssl_truststore*
  • conf/maprtrustcreds.*

[1] Do NOT copy the ssl_ symlink files contained in the conf/ directory. The symlinks are:
  • ssl_keystore (symlink)
  • ssl_truststore (symlink)
  • ssl_userkeystore (symlink)
  • ssl_usertruststore (symlink)
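
The copy list in Table 1 can be scripted. The following sketch is an added example, not HPE tooling: it prints the entries for a destination node type that exist on the first CLDB node, skips the ssl_ symlinks, and prints matching scp commands as a dry run. The role names cldb-zk, cluster and client, the function names, and the host argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not HPE tooling). The role names cldb-zk, cluster and
# client are labels made up for this sketch.

# list_security_files ROLE [MAPR_HOME]
# Prints, relative to MAPR_HOME, the Table 1 entries that exist on this node,
# leaving out symbolic links such as conf/ssl_keystore and conf/ssl_truststore.
list_security_files() (
  role=$1
  home=${2:-${MAPR_HOME:?set MAPR_HOME or pass it as argument 2}}
  server='conf/ssl_keystore.bcfks conf/ssl_keystore.p12 conf/ssl_keystore.pem
    conf/maprkeycreds.* conf/maprtrustcreds.* conf/maprhsm.conf
    conf/maprserverticket hadoop/hadoop-2.7.6/etc/hadoop/ssl*.xml'
  case $role in
    cldb-zk) patterns="$server conf/tokens" ;;
    cluster) patterns=$server ;;
    client)  patterns='conf/ssl_truststore* conf/maprtrustcreds.*' ;;
    *) echo "unknown role: $role" >&2; exit 2 ;;
  esac
  cd "$home" || exit 1
  # Unquoted on purpose: split the list and expand each glob under MAPR_HOME.
  for f in $patterns; do
    [ -L "$f" ] && continue   # footnote 1: never copy the ssl_ symlinks
    [ -e "$f" ] || continue   # pattern matched nothing on this node
    printf '%s\n' "$f"
  done
)

# plan_copy ROLE HOST [MAPR_HOME]
# Dry run: prints one scp command per entry. -r covers the conf/tokens
# folder; -p preserves file modes and timestamps.
plan_copy() {
  list_security_files "$1" "${3:-$MAPR_HOME}" | while IFS= read -r f; do
    printf 'scp -rp %s/%s %s:%s/%s/\n' "${3:-$MAPR_HOME}" "$f" "$2" \
      "${3:-$MAPR_HOME}" "$(dirname "$f")"
  done
}
```

Note that the client glob conf/ssl_truststore* also matches the ssl_truststore symlink, which is why the symlink test runs on every match rather than only on the key store entries.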

For the steps to enable security, see Enabling Security. For more information about key store and trust store files, see Understanding the Key Store and Trust Store Files.