Configuring a Secure Non-FIPS-Enabled Client for a FIPS-Enabled Server

Describes client configuration when the client is non-FIPS and the server is FIPS.

Non-FIPS-enabled nodes do not support the BCFKS trust store format, so copying the BCFKS trust store from the server to the client does not work. Instead, create a JKS trust store on the non-FIPS client by importing the same certificates that the BCFKS trust store on the FIPS-enabled server host contains. The procedure differs depending on whether you are configuring the client for its first cluster or for a subsequent cluster.

Configuring the First Cluster

Use the following steps to configure a secure non-FIPS-enabled client to a FIPS-enabled server for the first cluster:
  1. Copy the ${MAPR_HOME}/conf/ssl_truststore.bcfks from the FIPS-enabled server to a temporary directory of the secure non-FIPS enabled client.
  2. Run the manageSSLKeys.sh convert utility to convert the trust store from BCFKS format to JKS format. The destination trust store will be set to the same password as the source trust store. For example:
    /opt/mapr/server/manageSSLKeys.sh convert \
        -srcType bcfks -dstType JKS \
        -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \
        /tmp/ssl_truststore.bcfks /opt/mapr/conf/ssl_truststore
  3. On the secure non-FIPS-enabled client, run the configure.sh script with the -c option, using the -storepasswds option to specify the trust store password only (the key store password, which precedes the colon, is left empty). Because the converted trust store keeps the password of the source trust store, this password must be the same as the one you specified with the -p option in Step 2. For example:
    /opt/mapr/server/configure.sh -secure -N hpe186.cluster.com -C m2-mapreng-vm167186:7222 -Z m2-mapreng-vm167186:5181 -c -storepasswds :1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA

Configuring for Subsequent Clusters

If your secure non-FIPS-enabled client connects to a second or subsequent cluster whose nodes are FIPS-enabled, you cannot use the FIPS-client-to-FIPS-server procedure to merge that cluster's trust store contents into your existing trust store, because the trust store types differ. Instead, use the keytool utility to merge the trust stores:
  1. Copy the trust store from the FIPS server to the current node. For example:
    # scp root@fips0:/opt/mapr/conf/ssl_truststore.bcfks /tmp/.
  2. Run the keytool command to import the contents of the BCFKS trust store into the JKS trust store. You need the passwords for the BCFKS trust store on the remote node as well as the JKS trust store on the local node that you are importing to. For example:
    # keytool -importkeystore -srckeystore ssl_truststore.bcfks \
        -srcstorepass SPCs12NrH10F1tqD8p3C1_6r1vHB9AIx \
        -srcstoretype bcfks \
        -destkeystore /tmp/ssl_truststore \
        -deststorepass j01Z8SdPV_r3N8bOnV1hzRwzCC_w8x4C \
        -deststoretype jks \
        -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
        -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
        -srcprovidername BCFIPS
    Importing keystore ssl_truststore.bcfks to ssl_truststore...
    Entry for alias fips0.cluster.com-root-signing-ca successfully imported.
    Entry for alias fips0.cluster.com-root-ca-chain successfully imported.
    Entry for alias fips0.cluster.com successfully imported.
    Import command completed:  3 entries successfully imported, 0 entries failed or cancelled
  3. Run the configure.sh command. For example:
    # /opt/mapr/server/configure.sh -secure -N hpe186.cluster.com -c -C m2-mapreng-vm166186:7222
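As an added check, not part of this documentation or of the product, after the convert in the first-cluster procedure or the keytool import above: compare the `keytool -list` output of the BCFKS source store and the JKS destination store so that every source alias is present with an identical SHA-256 fingerprint. The script, its function names and the sample fingerprints are assumptions; only the aliases are taken from the import output shown above.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Each input file holds the
# text of `keytool -list -keystore <store> -storepass <pw>` for one store (on the
# FIPS node add the -storetype/-provider options used in the import command).

# Reduce a keytool -list listing to "alias<TAB>sha256-fingerprint" lines.
parse_keytool_list() {
  awk '
    /, (trustedCertEntry|PrivateKeyEntry),/ { split($0, f, ","); alias = f[1] }
    /^Certificate fingerprint \(SHA-256\):/  { print alias "\t" $NF }
  ' "$1"
}

# Print MISSING/MISMATCH lines for source entries absent from or changed in the
# destination; exit status is 0 only when every source entry matches exactly.
compare_truststores() {
  src=$(mktemp); dst=$(mktemp); rc=0
  parse_keytool_list "$1" > "$src"
  parse_keytool_list "$2" > "$dst"
  awk -F'\t' '
    FILENAME == ARGV[1] { have[$1] = $2; next }        # destination first
    !($1 in have)       { print "MISSING  " $1; bad = 1; next }
    have[$1] != $2      { print "MISMATCH " $1; bad = 1 }
    END                 { exit bad + 0 }
  ' "$dst" "$src" || rc=$?
  rm -f "$src" "$dst"
  return $rc
}

# Constructed sample listings: aliases follow the import output above, fingerprints
# are made up and shortened; the JKS side lacks one alias and has one changed cert.
write_samples() {
  cat > "$1" <<'EOF'
Keystore type: BCFKS
fips0.cluster.com-root-signing-ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11:11:11:11:11
fips0.cluster.com-root-ca-chain, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22:22:22:22:22
fips0.cluster.com, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:33:33:33:33:33:33:33
EOF
  cat > "$2" <<'EOF'
Keystore type: JKS
fips0.cluster.com-root-signing-ca, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11:11:11:11:11
fips0.cluster.com-root-ca-chain, Jan 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:99:99:99:99:99:99:99
EOF
}
```

Run it as `compare_truststores bcfks.list jks.list` after capturing the two listings; a non-zero exit status means the merge or conversion did not carry every certificate across.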