Configuring a FIPS-Enabled Client for a FIPS-Enabled Server
Describes client configuration when both the client and the server are FIPS-enabled.
Configuration for the First Cluster
To connect the FIPS-enabled client to a FIPS-enabled server for the first cluster, copy the
following files from the FIPS-enabled server to the client:

    ${MAPR_HOME}/conf/ssl_truststore.bcfks
    ${MAPR_HOME}/conf/maprtrustcreds.bcfks

Copy them over an authenticated channel such as scp. maprtrustcreds.bcfks is the credential
store from which the trust store password is read, so treat it as a secret and keep its file
permissions restrictive on the client.
Then run the configure.sh script with the -c (client only) option. For example, if the
cluster name is fips0.cluster.com and the CLDB and Zookeeper nodes are at
m2-mapreng-vm166250, the command might be as follows:

    /opt/mapr/server/configure.sh -secure -N fips0.cluster.com -c \
        -C m2-mapreng-vm166250:7222
The ${MAPR_HOME}/server/configure.sh script makes the following changes:

- ${MAPR_HOME}/conf/mapr-clusters.conf is set to the specified cluster name and CLDB hosts.
- The symbolic link ${MAPR_HOME}/conf/ssl_truststore is created to point to
  ${MAPR_HOME}/conf/ssl_truststore.bcfks:

      # ls -l ssl_truststore
      lrwxrwxrwx 1 root root 35 Aug 17 16:52 ssl_truststore -> /opt/mapr/conf/ssl_truststore.bcfks

- ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-client.xml is updated to have
  the same contents as on the server; that is:
  - All password properties are removed.
  - The trust store type is set to bcfks.
- ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xml is updated with the
  hadoop.security.credential.provider.path property, with the provider path set to
  localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks. This enables commands such as
  hadoop credential list to work without specifying the provider path. It also allows the
  Hadoop Configuration.getPassword() API, which various components use to retrieve the trust
  store credentials, to work. Because the password properties are removed from
  ssl-client.xml, the trust store password no longer appears in clear text in the XML; it is
  resolved from the maprtrustcreds.bcfks credential store instead.
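The following script, added here as an example and not part of Ezmeral Data Fabric, checks
that a client is in the state configure.sh -c is documented to leave it in: the ssl_truststore
symlink, an ssl-client.xml with no password property and a bcfks trust store type, and a
core-site.xml whose credential provider path names maprtrustcreds.bcfks. It assumes the
standard Hadoop property names ssl.client.truststore.type,
ssl.client.truststore.location and hadoop.security.credential.provider.path, and the
hadoop-2.7.6 directory in the constructed fixture is an assumed version string; the fixture
itself is sample data so the script runs without a cluster.

```shell
#!/bin/sh
# Added example (not product code): verify the documented results of configure.sh -c.
# Property names are the standard Hadoop ones; the fixture below is constructed
# sample data and hadoop-2.7.6 is an assumed version string.

# Print the <value> of Hadoop property $2 from the configuration file $1.
property_value() {
    awk -v name="$2" '
        /<name>/ { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n); want = (n == name) }
        want && /<value>/ { v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v); print v; exit }
    ' "$1"
}

# Return 0 if every documented change is present under MAPR_HOME $1; otherwise
# report each deviation and return 1.
check_fips_client_config() {
    home=$1; rc=0; hadoop_conf=""
    for d in "$home"/hadoop/hadoop-*/etc/hadoop; do
        if [ -d "$d" ]; then hadoop_conf=$d; fi
    done
    if [ -z "$hadoop_conf" ]; then echo "no hadoop conf directory under $home"; return 1; fi

    # 1. ssl_truststore must be a symlink to the BCFKS store.
    target=$(readlink "$home/conf/ssl_truststore" 2>/dev/null || true)
    case "$target" in
        *ssl_truststore.bcfks) ;;
        *) echo "ssl_truststore does not link to ssl_truststore.bcfks (got '$target')"; rc=1 ;;
    esac

    # 2. ssl-client.xml: no password properties, trust store type bcfks.
    if grep -q '<name>ssl\.client\..*password</name>' "$hadoop_conf/ssl-client.xml"; then
        echo "ssl-client.xml still contains a password property"; rc=1
    fi
    if [ "$(property_value "$hadoop_conf/ssl-client.xml" ssl.client.truststore.type | tr A-Z a-z)" != bcfks ]; then
        echo "ssl-client.xml trust store type is not bcfks"; rc=1
    fi

    # 3. core-site.xml must resolve passwords from the BCFKS credential store.
    if [ "$(property_value "$hadoop_conf/core-site.xml" hadoop.security.credential.provider.path)" \
           != "localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks" ]; then
        echo "core-site.xml credential provider path is not maprtrustcreds.bcfks"; rc=1
    fi
    return $rc
}

# Constructed fixture mirroring the documented post-configure.sh layout (sample data).
make_fixture() {
    root=$1; conf="$root/hadoop/hadoop-2.7.6/etc/hadoop"
    mkdir -p "$root/conf" "$conf"
    : > "$root/conf/ssl_truststore.bcfks"
    ln -s "$root/conf/ssl_truststore.bcfks" "$root/conf/ssl_truststore"
    cat > "$conf/ssl-client.xml" <<'EOF'
<configuration>
  <property>
    <name>ssl.client.truststore.location</name>
    <value>/opt/mapr/conf/ssl_truststore</value>
  </property>
  <property>
    <name>ssl.client.truststore.type</name>
    <value>bcfks</value>
  </property>
</configuration>
EOF
    cat > "$conf/core-site.xml" <<'EOF'
<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks</value>
  </property>
</configuration>
EOF
}

# Demonstration on the fixture; on a real client run: check_fips_client_config /opt/mapr
demo=$(mktemp -d)
make_fixture "$demo"
if check_fips_client_config "$demo"; then echo "client matches the documented configuration"; fi
rm -rf "$demo"
```

On a real client, run check_fips_client_config /opt/mapr after configure.sh; a non-zero exit
with a message names the file that still differs from the documented state.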
Configuration for Subsequent Clusters
If your client is connecting to a second or subsequent cluster, you need to merge the trust
store contents from that cluster into your existing trust store. There are two ways to
perform the configuration:

- Merge the trust stores: Copy the trust store from the FIPS-enabled server to the client,
  then merge the trust stores using the manageSSLKeys.sh merge command. Then run the
  configure.sh command. In this method, you only need to copy a single trust store, but you
  need the trust store password of the cluster you want to connect to in order to complete
  the configuration at the client.
- Import certificates: Copy the root CA and server certificates from the FIPS-enabled
  server to the client, then use the manageSSLKeys.sh importcertstotruststore command to
  import the certificates into the existing client trust store. Then run the configure.sh
  command. In this method, you need to copy multiple certificates, but you do not need the
  trust store password of the cluster you are connecting to.

Because the import method needs nothing from the server except public certificates, it is
the method to prefer when the server's trust store password should not leave the server.
Configuration by Merging Trust Stores
This is the first method described at the beginning of this section, where you copy the
trust store from the FIPS-enabled server to the FIPS-enabled client and then merge the trust
stores. Use these steps:

1. Copy ${MAPR_HOME}/conf/ssl_truststore.bcfks from the FIPS-enabled server node to some
   directory on the client, such as /tmp.

2. Use the merge option in manageSSLKeys.sh to merge the trust stores. The command syntax is
   as follows; at least the first and second parameters are required:

       /opt/mapr/server/manageSSLKeys.sh merge \
           <from-trust> <to-trust> <from-password> <to-password>

   The following table describes each parameter:

   Parameter      Description
   from-trust     Full or relative path to the source trust store from which the certificates
                  are retrieved. This is the trust store copied from the FIPS-enabled server
                  in step 1. Required.
   to-trust       Full or relative path to the destination trust store that will contain the
                  merged certificates. When configuring a connection to a second or
                  subsequent cluster, this is the trust store in ${MAPR_HOME}/conf. Required.
   from-password  Password for the source trust store from-trust. Obtain it from the
                  store-passwords.txt file on the FIPS-enabled server node, which is created
                  during a fresh installation. Optional; defaults to mapr123.
   to-password    Password for the destination trust store to-trust, that is, the existing
                  trust store on the client node. Optional; defaults to mapr123. If the
                  client's trust store password was changed from the default, supply it here.

   Both passwords are passed as command-line arguments, so they are visible in the process
   list while the command runs and are recorded in the shell history. Remove the history
   entry afterwards, and delete the copied trust store from /tmp once the merge is done.

   For example:

       # /opt/mapr/server/manageSSLKeys.sh merge \
           /tmp/ssl_truststore.bcfks \
           /opt/mapr/conf/ssl_truststore.bcfks \
           qoaY9_ZkZkh8mOy_Fr2W50vaduhgAC72 \
           mapr123
       Merging certificates from /tmp/ssl_truststore.bcfks into existing /opt/mapr/conf/ssl_truststore.bcfks

       # keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks \
           -storepass mapr123 -storetype bcfks \
           -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
           -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
           -providername BCFIPS
       Keystore type: BCFKS
       Keystore provider: BCFIPS

       Your keystore contains 4 entries

       fips2.cluster.com, Sep 2, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
       fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
       hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
       hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16

   The merge trusts whatever the copied file contained. Compare the SHA-256 fingerprints of
   the two new entries with the fingerprints of ssl_keystore-signed.pem and ca/root-ca.pem on
   the server before using the client.

3. Run configure.sh with the -c (client only) option:

       [root@m2-mapreng-vm166251 ~]# /opt/mapr/server/configure.sh -secure -N fips2.cluster.com -c -C m2-mapreng-vm166252:7222
       CLDB node list: m2-mapreng-vm166252:7222
       Zookeeper node list:
       External Zookeeper node list:
       As cluster provided as input: fips2.cluster.com is not current cluster. Only /opt/mapr/conf/mapr-clusters.conf will be updated

4. Verify your configuration:

       # cat /opt/mapr/conf/mapr-clusters.conf
       hpe186.cluster.com secure=true m2-mapreng-vm167186:7222
       fips2.cluster.com secure=true m2-mapreng-vm166252:7222
       # maprlogin password -cluster fips2.cluster.com
       [Password for user 'root' at cluster 'fips2.cluster.com': ]
       MapR credentials of user 'root' for cluster 'fips2.cluster.com' are written to '/tmp/maprticket_0'
       # hadoop fs -ls maprfs://fips2.cluster.com/
       Found 5 items
       drwxr-xr-x   - mapr mapr          3 2021-09-02 17:02 maprfs://fips2.cluster.com/apps
       drwxr-xr-x   - mapr mapr          0 2021-09-02 17:04 maprfs://fips2.cluster.com/opt
       drwxrwxrwx   - mapr mapr          0 2021-09-02 17:02 maprfs://fips2.cluster.com/tmp
       drwxr-xr-x   - mapr mapr          1 2021-09-02 17:05 maprfs://fips2.cluster.com/user
       drwxr-xr-x   - mapr mapr          2 2021-09-02 17:05 maprfs://fips2.cluster.com/var
Configuration by Importing Certificates
This section describes the steps to configure the Ezmeral Data Fabric client by importing
certificates from the server:

1. Copy the following files from ${MAPR_HOME}/conf on a server of the cluster that the
   client wants to connect to into a temporary directory on the client, retaining the same
   directory structure:
   - The server certificate ssl_keystore-signed.pem
   - The root CA certificate ca/root-ca.pem

   Both files contain only public certificates; neither the server's keystore nor any
   password leaves the server.

       [root@m2-mapreng-vm166251 ~]# cd /tmp
       [root@m2-mapreng-vm166251 ~]# mkdir -p fips0/ca
       [root@m2-mapreng-vm166251 tmp]# cd /tmp/fips0
       [root@m2-mapreng-vm166251 fips0]# scp root@fips0:/opt/mapr/conf/ssl_keystore-signed.pem .
       ssl_keystore-signed.pem                        100% 1261     1.6MB/s   00:00
       [root@m2-mapreng-vm166251 fips0]# scp root@fips0:/opt/mapr/conf/ca/root-ca.pem ca/.
       root-ca.pem                                    100% 1062     1.3MB/s   00:00
       [root@m2-mapreng-vm166251 fips0]# find . -print
       .
       ./ca
       ./ca/root-ca.pem
       ./ssl_keystore-signed.pem

2. Run the manageSSLKeys.sh utility with the importcertstotruststore option to import the
   certificates into the trust store. The parameters are as follows:

   Parameter           Description
   -N <cluster-name>   The name of the cluster to which the client wants to connect.
   -p <password>       Password for the client's trust store.
   -c <path-to-certs>  Full or relative path to the directory containing the certificates to
                       be imported.

   For example:

       [root@m2-mapreng-vm166251 fips0]# /opt/mapr/server/manageSSLKeys.sh importcertstotruststore -N fips0.cluster.com -p mapr123 -c /tmp/fips0
       Adding root CA to trust store

3. Verify that the certificates have been successfully imported into the trust store. There
   should be two new aliases in the trust store for the new fips0.cluster.com cluster, and
   their SHA-256 fingerprints should match those of ssl_keystore-signed.pem and
   ca/root-ca.pem on the server. For example:

       # keytool -list \
           -keystore /opt/mapr/conf/ssl_truststore.bcfks -storepass mapr123 \
           -storetype bcfks \
           -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
           -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
           -providername BCFIPS
       Keystore type: BCFKS
       Keystore provider: BCFIPS

       Your keystore contains 6 entries

       fips0.cluster.com, Sep 3, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): BF:2D:B2:13:00:7E:46:E8:8F:AF:5B:50:2B:27:4A:59:30:D1:A0:94:18:EA:1F:55:E4:B0:65:1F:2C:2F:B6:2C
       fips0.cluster.com-root-ca-chain, Sep 3, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): E8:EB:A3:16:4F:5F:B8:6C:FB:5E:0B:A7:FC:2B:F3:96:32:A8:2D:3D:79:46:4F:2B:7F:D2:DE:BE:4E:F9:F5:B0
       fips2.cluster.com, Sep 2, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
       fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
       hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
       hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
       Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16

4. Run configure.sh with the -c option. For example:

       # /opt/mapr/server/configure.sh -secure -N fips0.cluster.com \
           -c -C m2-mapreng-vm166250:7222
       CLDB node list: m2-mapreng-vm166250:7222
       Zookeeper node list:
       External Zookeeper node list:
       As cluster provided as input: fips0.cluster.com is not current cluster. Only /opt/mapr/conf/mapr-clusters.conf will be updated

5. Remove the temporary directory containing the certificates. It is no longer needed,
   since the certificates have been imported into the trust store:

       # rm -rf /tmp/fips0

6. Verify your configuration in the same way as in the previous section:

       # cat /opt/mapr/conf/mapr-clusters.conf
       hpe186.cluster.com secure=true m2-mapreng-vm167186:7222
       fips2.cluster.com secure=true m2-mapreng-vm166252:7222
       fips0.cluster.com secure=true m2-mapreng-vm166250:7222
       # maprlogin password -cluster fips0.cluster.com
       [Password for user 'root' at cluster 'fips0.cluster.com': ]
       MapR credentials of user 'root' for cluster 'fips0.cluster.com' are written to '/tmp/maprticket_0'
       # hadoop fs -ls maprfs://fips0.cluster.com/
       Found 5 items
       drwxr-xr-x   - mapr mapr          3 2021-08-30 09:23 maprfs://fips0.cluster.com/apps
       drwxr-xr-x   - mapr mapr          0 2021-08-30 09:25 maprfs://fips0.cluster.com/opt
       drwxrwxrwx   - mapr mapr          0 2021-08-30 09:22 maprfs://fips0.cluster.com/tmp
       drwxr-xr-x   - mapr mapr          1 2021-08-30 09:26 maprfs://fips0.cluster.com/user
       drwxr-xr-x   - mapr mapr          2 2021-08-30 09:26 maprfs://fips0.cluster.com/var
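Both the merge procedure and the import procedure end with a keytool -list of the client
trust store and a visual check of the new aliases. The script below, added here as an example
and not part of Ezmeral Data Fabric, turns that check into a pass/fail test: it reduces the
keytool listing to alias and fingerprint pairs, confirms that the cluster's two aliases
(<cluster> and <cluster>-root-ca-chain) are present, and compares their SHA-256 fingerprints
with values obtained on the server out of band (for example with
openssl x509 -in /opt/mapr/conf/ssl_keystore-signed.pem -noout -fingerprint -sha256 and the
same command for ca/root-ca.pem). It assumes keytool's layout of an alias line followed by a
fingerprint line; the embedded listing is a constructed sample built from the entries shown
above, and list_client_truststore is only a wrapper for the keytool invocation on this page.

```shell
#!/bin/sh
# Added example (not product code): check that a cluster's certificates landed in the
# client trust store with the fingerprints the server reports. Assumes keytool's
# "alias, date, trustedCertEntry," / "Certificate fingerprint (SHA-256): ..." layout.

# Reduce `keytool -list` output (stdin) to "alias<TAB>UPPERCASE-FINGERPRINT" lines.
parse_keytool_listing() {
    awk '
        /, trustedCertEntry,/ { alias = $0; sub(/,.*/, "", alias) }
        /Certificate fingerprint \(SHA-256\):/ && alias != "" {
            print alias "\t" toupper($NF); alias = ""
        }'
}

# Print the fingerprint stored under alias $1 (stdin: parsed listing), or nothing.
fingerprint_of() {
    awk -F '\t' -v a="$1" '$1 == a { print $2 }'
}

# Return 0 when cluster $1 is present with both aliases and both fingerprints match
# the server values $2 (server certificate) and $3 (root CA); $4 is the parsed listing.
# Comparison is case-insensitive, so openssl's output can be pasted as-is.
check_cluster_trust() {
    cluster=$1; parsed=$4
    want_server=$(echo "$2" | tr a-z A-Z)
    want_ca=$(echo "$3" | tr a-z A-Z)
    got_server=$(printf '%s\n' "$parsed" | fingerprint_of "$cluster")
    got_ca=$(printf '%s\n' "$parsed" | fingerprint_of "$cluster-root-ca-chain")
    rc=0
    [ -n "$got_server" ] || { echo "missing alias $cluster"; rc=1; }
    [ -n "$got_ca" ] || { echo "missing alias $cluster-root-ca-chain"; rc=1; }
    [ "$got_server" = "$want_server" ] || { echo "server certificate fingerprint mismatch for $cluster"; rc=1; }
    [ "$got_ca" = "$want_ca" ] || { echo "root CA fingerprint mismatch for $cluster"; rc=1; }
    return $rc
}

# Listing of the real client trust store (the keytool invocation used on this page),
# already parsed. Not executed here; needs the BC-FIPS jar on the client. $1 = store password.
list_client_truststore() {
    keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks -storepass "$1" \
        -storetype bcfks \
        -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
        -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar -providername BCFIPS \
        | parse_keytool_listing
}

# Real-client usage: verify_client_trust <cluster> <server-fp> <ca-fp> <store-password>
verify_client_trust() {
    check_cluster_trust "$1" "$2" "$3" "$(list_client_truststore "$4")"
}

# Constructed sample: the fips0 and hpe186 entries from the listing above, in keytool's layout.
SAMPLE_LISTING='Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 4 entries

fips0.cluster.com, Sep 3, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): BF:2D:B2:13:00:7E:46:E8:8F:AF:5B:50:2B:27:4A:59:30:D1:A0:94:18:EA:1F:55:E4:B0:65:1F:2C:2F:B6:2C
fips0.cluster.com-root-ca-chain, Sep 3, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): E8:EB:A3:16:4F:5F:B8:6C:FB:5E:0B:A7:FC:2B:F3:96:32:A8:2D:3D:79:46:4F:2B:7F:D2:DE:BE:4E:F9:F5:B0
hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16'

PARSED=$(printf '%s\n' "$SAMPLE_LISTING" | parse_keytool_listing)

# Demonstration against the sample with the fingerprints the server would report.
if check_cluster_trust fips0.cluster.com \
    BF:2D:B2:13:00:7E:46:E8:8F:AF:5B:50:2B:27:4A:59:30:D1:A0:94:18:EA:1F:55:E4:B0:65:1F:2C:2F:B6:2C \
    E8:EB:A3:16:4F:5F:B8:6C:FB:5E:0B:A7:FC:2B:F3:96:32:A8:2D:3D:79:46:4F:2B:7F:D2:DE:BE:4E:F9:F5:B0 \
    "$PARSED"; then
    echo "fips0.cluster.com is trusted with the expected fingerprints"
fi
```

The fingerprint comparison is what makes the check worthwhile: a listing alone only proves
that some certificate was stored under the alias, not that it is the one the server is using.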