Configuring a FIPS-Enabled Client for a FIPS-Enabled Server

Describes client configuration when the client is FIPS and the server is FIPS.

Configuration for the First Cluster

To connect the FIPS-enabled client to a FIPS-enabled server for the first cluster, copy the following files from the FIPS-enabled server to the client:
  • ${MAPR_HOME}/conf/ssl_truststore.bcfks
  • ${MAPR_HOME}/conf/maprtrustcreds.bcfks
Then, run the configure.sh script with the -c (client only) option. For example, if the cluster name is fips0.cluster.com and the CLDB and Zookeeper nodes are at m2-mapreng-vm166250, then the command might be as follows:
/opt/mapr/server/configure.sh -secure -N fips0.cluster.com -c \
    -C m2-mapreng-vm166250:7222
The ${MAPR_HOME}/server/configure.sh script makes the following changes:
  • The ${MAPR_HOME}/conf/mapr-clusters.conf is set to the specified cluster name and CLDB hosts.
  • The symbolic link ${MAPR_HOME}/conf/ssl_truststore is created to point to ${MAPR_HOME}/conf/ssl_truststore.bcfks:
    # ls -l ssl_truststore 
    lrwxrwxrwx 1 root root 35 Aug 17 16:52 ssl_truststore -> /opt/mapr/conf/ssl_truststore.bcfks
  • The ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/ssl-client.xml is updated to have the same contents as the server; that is:
    • All password properties are removed.
    • The trust store type is set to bcfks.
  • The ${MAPR_HOME}/hadoop/hadoop-${HADOOP_VERSION}/etc/hadoop/core-site.xml is updated with the hadoop.security.credential.provider.path property with the provider path set to localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks. This enables commands such as hadoop credential list to work without specifying the provider path. This also allows the Hadoop Configuration.getPassword() API used by various components to retrieve the trust store credentials to work.
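A quick way to confirm that all four of these changes landed on the client is a post-configure.sh check. The following shell script is an added example written for this page; it is not part of configure.sh or manageSSLKeys.sh. It assumes the standard Hadoop property names ssl.client.truststore.type and hadoop.security.credential.provider.path, a hadoop/hadoop-<version> directory under MAPR_HOME, and builds a constructed sample tree in a temporary directory (with a made-up Hadoop version) so that it runs without a cluster. Point verify_client_config at /opt/mapr on a real client to check the actual files.

```shell
#!/bin/sh
# Post-configure.sh sanity check for a FIPS-enabled client. Added example; it is
# not part of configure.sh or manageSSLKeys.sh. It verifies the four changes
# listed above against a MAPR_HOME directory. Assumptions: the standard Hadoop
# property names ssl.client.truststore.type and
# hadoop.security.credential.provider.path, and a hadoop/hadoop-<version>
# directory. make_sample_home builds a constructed tree so the script runs
# without a cluster.

# xml_prop FILE NAME: print the <value> of the Hadoop <property> called NAME.
xml_prop() {
  awk -v want="$2" '
    /<name>/  { n = $0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n) }
    /<value>/ { v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v)
                if (n == want) { print v; exit } }
  ' "$1"
}

# verify_client_config MAPR_HOME CLUSTER CLDB_HOST:PORT
# Returns 0 when all four checks pass; prints the first failure and returns 1.
verify_client_config() {
  conf=$1/conf
  hconf=$(ls -d "$1"/hadoop/hadoop-*/etc/hadoop | head -n 1)

  # 1. mapr-clusters.conf lists the cluster as secure with the given CLDB.
  grep -qxF "$2 secure=true $3" "$conf/mapr-clusters.conf" \
    || { echo "FAIL: $2 not in mapr-clusters.conf"; return 1; }

  # 2. ssl_truststore is a symlink to the BCFKS trust store.
  { [ -L "$conf/ssl_truststore" ] &&
    [ "$(readlink "$conf/ssl_truststore")" = "$conf/ssl_truststore.bcfks" ]; } \
    || { echo "FAIL: ssl_truststore is not a link to ssl_truststore.bcfks"; return 1; }

  # 3. ssl-client.xml carries no password property and uses type bcfks.
  if grep -q '<name>[^<]*password[^<]*</name>' "$hconf/ssl-client.xml"; then
    echo "FAIL: ssl-client.xml still contains a password property"; return 1
  fi
  [ "$(xml_prop "$hconf/ssl-client.xml" ssl.client.truststore.type)" = bcfks ] \
    || { echo "FAIL: ssl.client.truststore.type is not bcfks"; return 1; }

  # 4. core-site.xml points Configuration.getPassword() at the BCFKS credential store.
  [ "$(xml_prop "$hconf/core-site.xml" hadoop.security.credential.provider.path)" \
      = localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks ] \
    || { echo "FAIL: hadoop.security.credential.provider.path not set"; return 1; }

  echo "OK: client configuration for $2 is complete"
}

# make_sample_home good|stale: print the path of a constructed MAPR_HOME tree.
# "stale" keeps the pre-FIPS password property that configure.sh should remove.
make_sample_home() {
  h=$(mktemp -d)
  mkdir -p "$h/conf" "$h/hadoop/hadoop-2.7.6/etc/hadoop"   # version dir is made up
  : > "$h/conf/ssl_truststore.bcfks"                       # placeholder, not a real store
  ln -s "$h/conf/ssl_truststore.bcfks" "$h/conf/ssl_truststore"
  echo "fips0.cluster.com secure=true m2-mapreng-vm166250:7222" > "$h/conf/mapr-clusters.conf"
  pw=""
  [ "$1" = stale ] && pw="<property><name>ssl.client.truststore.password</name><value>mapr123</value></property>"
  cat > "$h/hadoop/hadoop-2.7.6/etc/hadoop/ssl-client.xml" <<EOF
<configuration>
  <property><name>ssl.client.truststore.location</name><value>/opt/mapr/conf/ssl_truststore</value></property>
  <property><name>ssl.client.truststore.type</name><value>bcfks</value></property>
  $pw
</configuration>
EOF
  cat > "$h/hadoop/hadoop-2.7.6/etc/hadoop/core-site.xml" <<EOF
<configuration>
  <property>
    <name>hadoop.security.credential.provider.path</name>
    <value>localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks</value>
  </property>
</configuration>
EOF
  echo "$h"
}

# Demo: check the constructed tree, then remove it.
demo=$(make_sample_home good)
verify_client_config "$demo" fips0.cluster.com m2-mapreng-vm166250:7222
rm -rf "$demo"
```

The password-property check matters most: a leftover ssl.client.truststore.password entry means a cleartext secret in ssl-client.xml and a client that is not reading its credentials from the BCFKS credential store the way the server does.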

Configuration for Subsequent Clusters

If your client is connecting to a second or subsequent cluster, you need to merge the trust store contents of that cluster into your existing trust store. There are two ways to perform the configuration:
  • Merge the trust stores: Copy the trust store from the FIPS-enabled server to the client, then merge the trust stores using the manageSSLKeys.sh merge command. Then, run the configure.sh command. In this method, you only need to copy a single trust store, but you need to specify the trust store password for the cluster you want to connect to at the client to complete the configuration.
  • Import certificates: Copy the root CA and server certificates from the FIPS-enabled server to the client, then use the manageSSLKeys.sh import command to import the certificates to the existing client trust store. Then, run the configure.sh command. In this method, you need to copy multiple certificates, but you do not need the trust store password for the cluster you are connecting to.
The following sections describe these configuration methods:

Configuration by Merging Trust Stores

This is the first method described at the beginning of this section, where we copy the trust store from the FIPS-enabled server to the FIPS-enabled client and then merge the trust stores. Use these steps:
  1. Copy the ${MAPR_HOME}/conf/ssl_truststore.bcfks from the FIPS-enabled server node to some directory, such as /tmp.
  2. Use the merge option in manageSSLKeys.sh to merge the trust stores. The command syntax is as follows. At least the first and second parameters are required:
    /opt/mapr/server/manageSSLKeys.sh merge \
        <from-trust> <to-trust> <from-password> <to-password>
    
    The following table describes each parameter:
    Parameter       Description
    from-trust      Full or relative path to the source trust store from which the certificates are retrieved. This is the trust store copied from the FIPS-enabled server in Step 1. This parameter is required.
    to-trust        Full or relative path to the destination trust store that will contain the merged certificates. When you are configuring a connection to a second or subsequent cluster, this is the trust store in ${MAPR_HOME}/conf. This parameter is required.
    from-password   Password for the source trust store (from-trust). Obtain it from the store-passwords.txt file that is created on the FIPS-enabled server node after a fresh installation. This parameter is optional; if not specified, it defaults to mapr123.
    to-password     Password for the destination trust store (to-trust). This is the password for the existing trust store on the client node. This parameter is optional; if not specified, it defaults to mapr123.
    For example:
    # /opt/mapr/server/manageSSLKeys.sh merge \
      /tmp/ssl_truststore.bcfks \
      /opt/mapr/conf/ssl_truststore.bcfks \
      qoaY9_ZkZkh8mOy_Fr2W50vaduhgAC72 \
      mapr123
    Merging certificates from /tmp/ssl_truststore.bcfks into existing /opt/mapr/conf/ssl_truststore.bcfks
    # keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks \
     -storepass mapr123 -storetype bcfks \
     -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
     -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
     -providername BCFIPS
    Keystore type: BCFKS
    Keystore provider: BCFIPS
     
    Your keystore contains 4 entries
     
    fips2.cluster.com, Sep 2, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
    fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
    hpe186.cluster.com, Aug 31, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
    hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16
    
  3. Run configure.sh with the -c (client only) option:
    root@m2-mapreng-vm166251 ~]# /opt/mapr/server/configure.sh -secure -N fips2.cluster.com -c -C m2-mapreng-vm166252:7222
    CLDB node list: m2-mapreng-vm166252:7222
    Zookeeper node list: 
    External Zookeeper node list: 
    As cluster provided as input: fips2.cluster.com is not current cluster. Only /opt/mapr/conf/mapr-clusters.conf will be updated
    
  4. Verify your configuration:
    # cat /opt/mapr/conf/mapr-clusters.conf 
    hpe186.cluster.com secure=true m2-mapreng-vm167186:7222
    fips2.cluster.com secure=true m2-mapreng-vm166252:7222
    # maprlogin password -cluster fips2.cluster.com
    [Password for user 'root' at cluster 'fips2.cluster.com': ] 
    MapR credentials of user 'root' for cluster 'fips2.cluster.com' are written to '/tmp/maprticket_0'
    # hadoop fs -ls maprfs://fips2.cluster.com/
    Found 5 items
    drwxr-xr-x   - mapr mapr          3 2021-09-02 17:02 maprfs://fips2.cluster.com/apps
    drwxr-xr-x   - mapr mapr          0 2021-09-02 17:04 maprfs://fips2.cluster.com/opt
    drwxrwxrwx   - mapr mapr          0 2021-09-02 17:02 maprfs://fips2.cluster.com/tmp
    drwxr-xr-x   - mapr mapr          1 2021-09-02 17:05 maprfs://fips2.cluster.com/user
    drwxr-xr-x   - mapr mapr          2 2021-09-02 17:05 maprfs://fips2.cluster.com/var

Configuration by Importing Certificates

This section describes the steps to configure the Ezmeral Data Fabric client by importing certificates from the server:
  1. Copy the following files from ${MAPR_HOME}/conf on a server node of the cluster that the client will connect to into a temporary directory on the client, retaining the same directory structure:
    • The server certificate ssl_keystore-signed.pem
    • The root CA certificate in ca/root-ca.pem.
    For example, on the FIPS-enabled client:
    [root@m2-mapreng-vm166251 ~]# cd /tmp
    [root@m2-mapreng-vm166251 ~]# mkdir -p fips0/ca
    [root@m2-mapreng-vm166251 tmp]# cd /tmp/fips0
    [root@m2-mapreng-vm166251 fips0]# scp root@fips0:/opt/mapr/conf/ssl_keystore-signed.pem .
    ssl_keystore-signed.pem                       100% 1261     1.6MB/s   00:00    
    [root@m2-mapreng-vm166251 fips0]# scp root@fips0:/opt/mapr/conf/ca/root-ca.pem ca/.
    root-ca.pem                                   100% 1062     1.3MB/s   00:00    
    [root@m2-mapreng-vm166251 fips0]# find . -print
    .
    ./ca
    ./ca/root-ca.pem
    ./ssl_keystore-signed.pem
  2. Run the manageSSLKeys.sh utility with the importcertstotruststore option to import the certificates to the trust store. The parameters are as follows:
    Parameter            Description
    -N <cluster-name>    The name of the cluster to which the client wants to connect.
    -p <password>        Password for the client's trust store.
    -c <path-to-certs>   Full or relative path name to the directory containing the certificates to be imported.
    For example:
    [root@m2-mapreng-vm166251 fips0]# /opt/mapr/server/manageSSLKeys.sh importcertstotruststore -N fips0.cluster.com -p mapr123 -c /tmp/fips0
    Adding root CA to trust store
  3. Verify that the certificates have been successfully imported into the trust store. There should be two new aliases in the trust store for the new fips0.cluster.com cluster. For example:
    # keytool -list \
    -keystore /opt/mapr/conf/ssl_truststore.bcfks -storepass mapr123 \
    -storetype bcfks \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS
    Keystore type: BCFKS
    Keystore provider: BCFIPS
     
    Your keystore contains 6 entries
     
    fips0.cluster.com, Sep 3, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): BF:2D:B2:13:00:7E:46:E8:8F:AF:5B:50:2B:27:4A:59:30:D1:A0:94:18:EA:1F:55:E4:B0:65:1F:2C:2F:B6:2C
    fips0.cluster.com-root-ca-chain, Sep 3, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): E8:EB:A3:16:4F:5F:B8:6C:FB:5E:0B:A7:FC:2B:F3:96:32:A8:2D:3D:79:46:4F:2B:7F:D2:DE:BE:4E:F9:F5:B0
    fips2.cluster.com, Sep 2, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
    fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
    hpe186.cluster.com, Aug 31, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
    hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16
  4. Run configure.sh with the -c option. For example:
    # /opt/mapr/server/configure.sh -secure -N fips0.cluster.com \
    -c -C m2-mapreng-vm166250:7222
    CLDB node list: m2-mapreng-vm166250:7222
    Zookeeper node list: 
    External Zookeeper node list: 
    As cluster provided as input: fips0.cluster.com is not current cluster. Only /opt/mapr/conf/mapr-clusters.conf will be updated
  5. Remove the temporary directory containing the certificates. This is no longer needed since the certificates have been imported to the trust store:
    # rm -rf /tmp/fips0
  6. Verify your configuration in the same way as in the previous section:
    # cat /opt/mapr/conf/mapr-clusters.conf 
    hpe186.cluster.com secure=true m2-mapreng-vm167186:7222
    fips2.cluster.com secure=true m2-mapreng-vm166252:7222
    fips0.cluster.com secure=true m2-mapreng-vm166250:7222
    # maprlogin password -cluster fips0.cluster.com
    [Password for user 'root' at cluster 'fips0.cluster.com': ] 
    MapR credentials of user 'root' for cluster 'fips0.cluster.com' are written to '/tmp/maprticket_0'
    # hadoop fs -ls maprfs://fips0.cluster.com/
    Found 5 items
    drwxr-xr-x  - mapr mapr  3 2021-08-30 09:23 maprfs://fips0.cluster.com/apps
    drwxr-xr-x  - mapr mapr  0 2021-08-30 09:25 maprfs://fips0.cluster.com/opt
    drwxrwxrwx  - mapr mapr  0 2021-08-30 09:22 maprfs://fips0.cluster.com/tmp
    drwxr-xr-x  - mapr mapr  1 2021-08-30 09:26 maprfs://fips0.cluster.com/user
    drwxr-xr-x  - mapr mapr  2 2021-08-30 09:26 maprfs://fips0.cluster.com/var
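The keytool listings in step 2 of the merge method and step 3 of the import method are where you confirm that the client now trusts exactly the certificates the server handed you. The shell script below is an added example written for this page, not part of manageSSLKeys.sh: it reads a saved keytool -list listing, checks that a cluster contributed both its <cluster> and <cluster>-root-ca-chain aliases, and compares an alias fingerprint against one computed on the server from the certificate file itself (with openssl x509 -fingerprint -sha256 on ssl_keystore-signed.pem for the server certificate, or ca/root-ca.pem for the root CA). The sample listing is constructed from the output shown in the merge section above.

```shell
#!/bin/sh
# Checks a saved keytool -list listing for the aliases a cluster contributes to
# the client trust store and compares fingerprints with values taken on the
# server. Added example; not part of manageSSLKeys.sh. The sample listing in
# sample_listing is constructed from the keytool output shown on this page.

# alias_fingerprint LISTING ALIAS: print the SHA-256 fingerprint of the
# trustedCertEntry ALIAS; print nothing and return 1 when it is absent.
alias_fingerprint() {
  awk -v want="$2" '
    /trustedCertEntry/ { a = $0; sub(/,.*/, "", a); hit = (a == want); next }
    hit && /Certificate fingerprint \(SHA-256\):/ { print $NF; found = 1; exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# cluster_trusted LISTING CLUSTER: return 0 when both CLUSTER and
# CLUSTER-root-ca-chain are present, as the verification step expects;
# print the missing alias and return 1 otherwise.
cluster_trusted() {
  for alias in "$2" "$2-root-ca-chain"; do
    fp=$(alias_fingerprint "$1" "$alias") \
      || { echo "MISSING: $alias"; return 1; }
    echo "$alias $fp"
  done
}

# fingerprint_matches LISTING ALIAS EXPECTED: compare the listed fingerprint
# with one obtained on the server, e.g. the output of
#   openssl x509 -in ssl_keystore-signed.pem -noout -fingerprint -sha256
# The "...Fingerprint=" prefix is stripped and hex case is ignored, because
# keytool and openssl do not agree on either.
fingerprint_matches() {
  got=$(alias_fingerprint "$1" "$2" | tr 'a-f' 'A-F')
  want=$(printf '%s' "$3" | sed 's/^.*=//' | tr 'a-f' 'A-F')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# sample_listing: write a listing (constructed from the merge step above) to a
# temporary file and print its path.
sample_listing() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Keystore type: BCFKS
Keystore provider: BCFIPS

Your keystore contains 4 entries

fips2.cluster.com, Sep 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16
EOF
  echo "$f"
}

# Demo: on a real client, replace sample_listing with
#   keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks ... > listing.txt
lst=$(sample_listing)
cluster_trusted "$lst" fips2.cluster.com
rm -f "$lst"
```

Comparing fingerprints against the server's own certificate files, rather than only counting aliases, is what tells you that the merge or import pulled in the intended certificates and not a store from the wrong node.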