Installing the Data Fabric Client (FIPS)

This section describes how to prepare the client machine for the installation process in a FIPS environment.

In a FIPS or mixed FIPS/non-FIPS environment, special procedures are required to configure clients. If your environment is non-FIPS, see Installing the Data Fabric Client (Non-FIPS).

Release 7.0.0 of the HPE Ezmeral Data Fabric introduced the use of the FIPS-approved BCFKS store type. Non-FIPS secure installations continue to use the JKS and PKCS#12 store types, so this results in some changes in the client-installation procedure to connect a secure non-FIPS-enabled cluster to a FIPS-enabled cluster. The protection of key and trust store passwords using the Hadoop Credential Provider API also necessitates changes in the client-installation procedure.

Preparing and Installing the Data Fabric Client on RHEL 8.x

The steps for preparing to install the client in a FIPS environment are the same as the steps documented for a non-FIPS environment. See Installing the Data Fabric Client (Non-FIPS).

The first three steps in the client-installation procedure remain the same as the steps documented in Installing the Data Fabric Client on Red Hat and Oracle Linux (Non-FIPS):
  1. Remove any previous data-fabric software. You can use rpm -qa | grep mapr to get a list of installed data-fabric packages, then type the packages separated by spaces after the rpm -e command. For example:

    rpm -qa | grep mapr
    rpm -e mapr-fileserver mapr-core

  2. Install the data-fabric package key. The package key must be installed before you can install data-fabric packages. For more information, see Step 2: Import the Package Key:

    IMPORTANT: To access the Data Fabric internet repository, you must specify the email and token of an HPE Passport account. For more information, see Using the HPE Ezmeral Token-Authenticated Internet Repository.

    wget --user=<email> --password=<token> -O /tmp/maprgpg.key -q https://package.ezmeral.hpe.com/releases/pub/maprgpg.key && rpm --import /tmp/maprgpg.key

  3. Install the client. For example:

    yum install mapr-client

Configuring the Secure Data Fabric Client

After installation, the next step is different depending on whether the secure cluster that the client is connecting to is FIPS-enabled or not. In this definition, server refers to the FIPS-enabled host from which the trust stores are copied. A FIPS-enabled installation always implies a secure installation. Different configuration procedures are needed, depending on whether the server and client are FIPS-enabled. Possible scenarios are:
  • Both server and client are FIPS-enabled.
  • Client is secure but not FIPS-enabled, but server is FIPS-enabled.
  • Client is FIPS-enabled, and server is secure but not FIPS-enabled.
  • Both server and client are secure but not FIPS-enabled.
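
A preflight check for choosing among the four scenarios above, added here as an example and not taken from the HPE documentation. It assumes that "FIPS-enabled client" corresponds to the RHEL kernel FIPS flag in /proc/sys/crypto/fips_enabled and that the operator supplies the server's mode; the function names, scenario labels and the FIPS_FLAG_FILE override are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not HPE code): pick the client/server FIPS scenario.
# Assumption: "FIPS-enabled client" means the RHEL kernel FIPS flag reads 1.
# FIPS_FLAG_FILE is a hypothetical override so the logic can be tried off-box.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Prints "fips" when the kernel flag reads 1, otherwise "non-fips".
client_mode() {
    local flag=0
    if [ -r "$FIPS_FLAG_FILE" ]; then read -r flag < "$FIPS_FLAG_FILE" || true; fi
    if [ "$flag" = "1" ]; then echo fips; else echo non-fips; fi
}

# Store type the page associates with each mode; rejects any other value.
store_type() {
    case "$1" in
        fips)     echo "BCFKS" ;;
        non-fips) echo "JKS/PKCS#12" ;;
        *)        return 2 ;;
    esac
}

# classify_scenario <fips|non-fips>: the server mode is an operator input,
# because it is a property of the host the trust stores are copied from.
classify_scenario() {
    local server="$1" client
    store_type "$server" >/dev/null || {
        echo "usage: classify_scenario fips|non-fips" >&2
        return 2
    }
    client="$(client_mode)"
    case "$client/$server" in
        fips/fips)         echo "both-fips" ;;
        non-fips/fips)     echo "client-non-fips_server-fips" ;;
        fips/non-fips)     echo "client-fips_server-non-fips" ;;
        non-fips/non-fips) echo "both-non-fips" ;;
    esac
}

# One-line summary: scenario plus the store type expected on each side.
preflight() {
    local server="$1" scenario
    scenario="$(classify_scenario "$server")" || return 2
    echo "scenario=$scenario client_store=$(store_type "$(client_mode)") server_store=$(store_type "$server")"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it on the client with the server's mode as the only argument, for example `fips`. "non-fips" here means secure but not FIPS-enabled, as in the list above.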

In all four scenarios, the procedure is different depending on whether the client is connecting to the first cluster or to subsequent clusters. Sub-topics in this section outline the steps for each of the combinations. In all cases, after copying the files from the server and performing any needed post-copy steps, you must run the ${MAPR_HOME}/server/configure.sh command with the -c (client configuration) option.

The general syntax is the same as described in Installing the Data Fabric Client on Red Hat and Oracle Linux (Non-FIPS):
# /opt/mapr/server/configure.sh -secure -N <cluster-name> -c \
    -C <CLDB1>:<CLDB1-port>[,<CLDB2>:<CLDB2-port>,...] \
    -HS <history server node>
For example, if your cluster name is fips0, fips1, and fips2, and your CLDB nodes are node1, node2, and node3, and your History Server node is node2, then the command would be:
# /opt/mapr/server/configure.sh -secure -N fips0.cluster.com -c \
    -C node1:7222,node2:7222,node3:7222 -HS node2
The following sub-topics summarize the steps to connect to different combinations of FIPS-enabled and non-FIPS-enabled server and client nodes.