Verifying the Client Configuration
Describes how to verify that clients installed in a FIPS or mixed FIPS/non-FIPS environment are configured correctly.
After running any pre-configuration steps and the configure.sh script with the -c (client only) option, your client should be successfully configured.
The final step is to verify your client configuration. Most of these steps are the same as the verification steps for release 6.2.0 and earlier client installations. An added step for FIPS clients is to verify the existence and functionality of the Hadoop Credential Provider store, which protects your trust store passwords.
Verifying the Trust Store Configuration
On FIPS-enabled clients, you can run the keytool -list -keystore command to view the entries in the trust store:
[root@m2-mapreng-vm166251 ~]# keytool -list -keystore /opt/mapr/conf/ssl_truststore.bcfks -storepass mapr123 -storetype bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar -providername BCFIPS
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 4 entries
fips2.cluster.com, Sep 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:6D:A3:FC:E8:71:A7:E8:45:86:CB:83:58:47:18:7E:D6:E8:98:FC:2B:7A:C7:D4:B1:AA:6E:94:A5:FC:71:44
fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 05:41:E8:51:96:E7:7B:E8:B5:08:E8:CA:69:55:3A:F5:45:B5:87:77:18:05:27:70:10:6E:82:B6:CE:4B:05:92
hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): F6:BB:33:2A:98:52:4A:BE:AE:3F:21:90:1B:2A:09:19:17:9C:51:D5:09:FB:52:12:ED:43:D2:AC:D7:D0:0B:55
hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 40:7A:B9:75:E1:A9:43:E0:A5:FD:9F:DE:3D:A3:B5:C3:7B:7E:55:4E:72:65:06:D5:50:FE:00:E6:84:C8:37:16
Verifying the Hadoop Credential Provider Store
Beginning with release 7.0.0, passwords from ssl-client.xml are stored in the Hadoop Credential Provider Store in ${MAPR_HOME}/conf/maprtrustcreds.bcfks (for FIPS-enabled nodes) and ${MAPR_HOME}/conf/maprtrustcreds.jceks (for secure non-FIPS nodes). You should also verify that the Hadoop Credential Provider trust store is correctly configured. The output of the hadoop credential list command for a client node should contain only a single entry, the password for the ssl.client.truststore.password property:
# hadoop credential list
Listing aliases for CredentialProvider: localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks
ssl.client.truststore.password
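The two checks above can be scripted. The following is an added example, not part of the original page or the vendor's tooling: it parses the output of keytool -list and hadoop credential list and fails on a wrong store type, a non-certificate entry, or an unexpected alias. The function names, the certificates-only assumption and the ssl.server.keystore.password failure case are constructed for illustration.

```shell
#!/bin/sh
# Added example: validates captured command output. Not vendor tooling.

# Print the aliases from `hadoop credential list` output read on stdin.
# Assumption: every non-blank line other than the header is an alias.
credstore_aliases() {
    sed -e '/^Listing aliases for CredentialProvider:/d' -e '/^[[:space:]]*$/d'
}

# Succeed only if the store holds exactly the single alias a client needs.
check_client_credstore() {
    [ "$(credstore_aliases)" = "ssl.client.truststore.password" ]
}

# Succeed if `keytool -list` output on stdin shows a BCFKS store served by
# BCFIPS whose declared entry count equals its trustedCertEntry lines
# (assumption: a client trust store should hold certificates only).
check_fips_truststore() {
    awk '
        /^Keystore type: BCFKS$/              { type_ok = 1 }
        /^Keystore provider: BCFIPS$/         { prov_ok = 1 }
        /^Your keystore contains [0-9]+ entr/ { declared = $4 }
        /, trustedCertEntry,/                 { seen++ }
        END { exit !(type_ok && prov_ok && declared > 0 && declared == seen) }'
}

# Sample input: the listings shown on this page, fingerprint lines omitted.
sample_keytool() {
    cat <<'EOF'
Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 4 entries
fips2.cluster.com, Sep 2, 2021, trustedCertEntry,
fips2.cluster.com-root-ca-chain, Sep 2, 2021, trustedCertEntry,
hpe186.cluster.com, Aug 31, 2021, trustedCertEntry,
hpe186.cluster.com-root-ca-chain, Aug 31, 2021, trustedCertEntry,
EOF
}
sample_credstore() {
    cat <<'EOF'
Listing aliases for CredentialProvider: localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks
ssl.client.truststore.password
EOF
}

sample_keytool | check_fips_truststore && echo "trust store: OK"
sample_credstore | check_client_credstore && echo "credential store: OK"
# Constructed failure case: an unexpected second alias must be rejected.
{ sample_credstore; echo "ssl.server.keystore.password"; } \
    | check_client_credstore || echo "extra alias: rejected"
```

On a live client, pipe the real commands into the functions, for example hadoop credential list | check_client_credstore.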
Verifying Server Connectivity
You should also perform the regular server connectivity checks to confirm that you can obtain a Data Fabric ticket using maprlogin and execute Hadoop commands, for example:
# maprlogin password
[Password for user 'root' at cluster 'fips0.cluster.com': ]
MapR credentials of user 'root' for cluster 'fips0.cluster.com' are written to '/tmp/maprticket_0'
# hadoop fs -ls /
Found 5 items
drwxr-xr-x - mapr mapr 3 2021-08-19 17:11 /apps
drwxr-xr-x - mapr mapr 0 2021-08-19 17:13 /opt
drwxrwxrwx - mapr mapr 0 2021-08-19 17:10 /tmp
drwxr-xr-x - mapr mapr 1 2021-08-19 17:14 /user
drwxr-xr-x - mapr mapr 2 2021-08-19 17:14 /var
If your client is connecting to multiple clusters, use the hadoop fs -ls maprfs://<clustername>/ command to verify your configuration. For example:
# hadoop fs -ls maprfs://fips0.cluster.com/
Found 5 items
drwxr-xr-x - mapr mapr 3 2021-08-30 09:23 maprfs://fips0.cluster.com/apps
drwxr-xr-x - mapr mapr 0 2021-08-30 09:25 maprfs://fips0.cluster.com/opt
drwxrwxrwx - mapr mapr 0 2021-08-30 09:22 maprfs://fips0.cluster.com/tmp
drwxr-xr-x - mapr mapr 1 2021-08-30 09:26 maprfs://fips0.cluster.com/user
drwxr-xr-x - mapr mapr 2 2021-08-30 09:26 maprfs://fips0.cluster.com/var