Configuring Cross-Cluster Security for a Mixed (FIPS and Non-FIPS) Configuration
Describes how to configure cross-cluster security when the clusters include FIPS and non-FIPS-enabled nodes.
The configure-crosscluster.sh script does not support mixed configurations consisting of FIPS and non-FIPS-enabled nodes. However, you can use manual steps to enable cross-cluster security in this scenario.
The following is an example for configuring mixed clusters consisting of a combination of
FIPS-enabled and secure non-FIPS-enabled nodes. Suppose you have a five-node local cluster,
and three of the nodes are FIPS-enabled nodes:
- AF1.example.com (CLDB)
- AF2.example.com (CLDB)
- AF3.example.com (CLDB)
Suppose the other two nodes are secure non-FIPS nodes:
- AS4.example.com
- AS5.example.com
In addition, suppose the remote cluster is a five-node cluster, and three of the nodes are
FIPS-enabled nodes:
- BF1.example.com (CLDB)
- BF2.example.com (CLDB)
- BF3.example.com (CLDB)
Suppose the other two nodes in the remote cluster are secure non-FIPS nodes:
- BS4.example.com
- BS5.example.com
You can use the following steps to configure cross-cluster security:
- Run the configure-crosscluster.sh script on the FIPS-enabled CLDB nodes:
    $ cat localhostsfile
    AF1.example.com
    AF2.example.com
    AF3.example.com
    $ cat remotehostsfile
    BF1.example.com
    BF2.example.com
    BF3.example.com
    $ /opt/mapr/server/configure-crosscluster.sh create all \
        -localtruststorepassword localtrustpass \
        -remotetruststorepassword remotetrustpass \
        -localhosts localhostsfile \
        -remotehosts remotehostsfile
- Copy /opt/mapr/conf/ssl_truststore.bcfks to a temporary location on the first non-FIPS node in the local cluster (AS4.example.com in the example). Then use the manageSSLKeys.sh convert utility to convert the updated local trust store from BCFKS to JKS format. After confirming that the conversion is successful, copy the trust store to /opt/mapr/conf. For example:
    $ /opt/mapr/server/manageSSLKeys.sh convert \
        -p localtrustpass -srcType bcfks -dstType JKS \
        /opt/mapr/conf/ssl_truststore.bcfks /tmp/ssl_truststore
    $ cp /tmp/ssl_truststore /opt/mapr/conf/.
- Copy the mapr-clusters.conf and maprserverticket (for all or server mode) from the local FIPS node (AF1.example.com) to the secure non-FIPS node of the local cluster (AS4.example.com). For example, on AF1.example.com:
    $ cd /opt/mapr/conf
    $ scp mapr-clusters.conf \
        mapr@AS4.example.com:/opt/mapr/conf/mapr-clusters.conf
    $ scp maprserverticket \
        mapr@AS4.example.com:/opt/mapr/conf/maprserverticket
- Use pscp to copy the ssl_truststore, mapr-clusters.conf, and maprserverticket to all the other secure non-FIPS nodes in the cluster.
- Repeat steps 2 and 3 for the non-FIPS hosts in the remote cluster, starting with the first non-FIPS remote node (BS4.example.com):
  - On BS4.example.com, use the manageSSLKeys.sh convert utility to convert the updated remote trust store from BCFKS to JKS format, and copy it to /opt/mapr/conf.
  - Copy the mapr-clusters.conf and maprserverticket files from the remote FIPS node (BF1.example.com) to all the non-FIPS nodes in the remote cluster (BS4.example.com and BS5.example.com).
  - On BS4.example.com, use the
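The steps above, composed into one POSIX shell script as an added example; this is not code from the original page or from the product's own tooling. It assumes (hypothetically) passwordless ssh/scp as the mapr user to every node, the two scripts present under /opt/mapr/server as the page describes, and host lists kept in files with one hostname per line. DRY_RUN=1 (the default) prints every command instead of executing it, so the exact scp targets can be reviewed before any node is touched; the SHA-256 comparison at the end is a check added here, not a step on the page.

```shell
#!/bin/sh
# Added example, not from the original page: drives the manual mixed-cluster
# steps from one local FIPS CLDB node (AF1.example.com in the page's layout).
# Assumptions (hypothetical): passwordless ssh/scp as "mapr" to every node,
# and the page's scripts present under /opt/mapr/server on this node.
# DRY_RUN=1 (default) prints each command instead of running it.

MAPR_CONF=/opt/mapr/conf
MAPR_SERVER=/opt/mapr/server
DRY_RUN=${DRY_RUN:-1}

# run: execute the given command, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# hosts_in: print the non-blank lines of a host file, one hostname per line
hosts_in() {
  grep -v '^[[:space:]]*$' "$1"
}

# Step 1: create the cross-cluster trust on the FIPS-enabled CLDB nodes,
# using the same host files and passwords as the page's example.
create_crosscluster() {
  local_hosts=$1; remote_hosts=$2; local_pw=$3; remote_pw=$4
  run "$MAPR_SERVER/configure-crosscluster.sh" create all \
    -localtruststorepassword "$local_pw" \
    -remotetruststorepassword "$remote_pw" \
    -localhosts "$local_hosts" \
    -remotehosts "$remote_hosts"
}

# Step 2 (run on the first non-FIPS node): convert the updated BCFKS trust
# store to JKS, then install the converted copy under /opt/mapr/conf.
convert_truststore() {
  pw=$1
  run "$MAPR_SERVER/manageSSLKeys.sh" convert \
    -p "$pw" -srcType bcfks -dstType JKS \
    "$MAPR_CONF/ssl_truststore.bcfks" /tmp/ssl_truststore
  run cp /tmp/ssl_truststore "$MAPR_CONF/ssl_truststore"
}

# Steps 3 and 4: copy each named config file from this node to every
# non-FIPS host listed in the file $1 (remaining arguments are file names).
distribute_files() {
  hosts_file=$1; shift
  for host in $(hosts_in "$hosts_file"); do
    for f in "$@"; do
      run scp "$MAPR_CONF/$f" "mapr@$host:$MAPR_CONF/$f"
    done
  done
}

# Check added here (not on the page): confirm every copied file on every
# listed host matches the local copy by SHA-256. Needs real hosts, so it
# ignores DRY_RUN. ssh -n keeps ssh from reading the script's stdin.
# Returns 0 when all match, 1 otherwise.
verify_distribution() {
  hosts_file=$1; shift
  status=0
  for f in "$@"; do
    local_sum=$(sha256sum "$MAPR_CONF/$f" | cut -d' ' -f1)
    for host in $(hosts_in "$hosts_file"); do
      remote_sum=$(ssh -n "mapr@$host" sha256sum "$MAPR_CONF/$f" | cut -d' ' -f1)
      if [ "$local_sum" != "$remote_sum" ]; then
        echo "MISMATCH: $f on $host" >&2
        status=1
      fi
    done
  done
  return "$status"
}

# Usage, following the page's order (preview with DRY_RUN=1, then DRY_RUN=0).
# The host files named here are hypothetical.
#   on AF1: create_crosscluster localhostsfile remotehostsfile localtrustpass remotetrustpass
#   on AF1: distribute_files as4hostfile mapr-clusters.conf maprserverticket
#   on AS4: convert_truststore localtrustpass
#   on AS4: distribute_files othernonfipsfile ssl_truststore mapr-clusters.conf maprserverticket
#   on AS4: verify_distribution othernonfipsfile ssl_truststore mapr-clusters.conf maprserverticket
```

The functions are kept separate rather than chained because the page's procedure runs on different nodes at different steps: step 1 and the first copy run on a FIPS CLDB node, while the conversion and the fan-out to the remaining non-FIPS nodes run on the first non-FIPS node, and the same sequence is then repeated on the remote cluster.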