Using FIPS with Cloudera products

This topic explains the integration of FIPS with Cloudera products.

Cloudera has integrated the SafeLogic CryptoComply FIPS-validated libraries with Cloudera Base on premises through installation and runtime configuration. You must install the SafeLogic CryptoComply modules on the applicable operating system, configured in FIPS mode, and then configure CDP Private Cloud Base to use these modules in a FIPS-compliant manner.

Beginning with version 7.1.5, Cloudera Base on premises is capable of running in a FIPS-compliant mode. Cloudera currently supports a subset of platform components and features running on a FIPS-compliant operating system. Cloudera does not guarantee that the platform components themselves are FIPS 140-2 compliant. However, future releases of Cloudera Base on premises will replace non-compliant platform components and features with fully compliant FIPS 140-2 implementations.

Given that the use of Cloudera Base on premises security features within regulated government environments is commonplace, these features should be configurable to comply with the FIPS 140-2 standard, as well as with the applicable government security compliance and accreditation mandate or framework. This typically includes the use of FIPS-approved keystores and algorithms with FIPS 140-2 validated cryptographic modules, strong authentication, authorization, audit, data governance, in-transit data encryption, and at-rest data encryption features. Cloudera recommends the use of the following components as described in the installation documentation:

  • Encryption in motion using TLS (Auto-TLS support).

  • Encryption at-rest with HDFS Transparent Data Encryption (TDE), Ranger KMS, and Key Trustee Server as the backend keystore.

  • Strong authentication with Kerberos and Apache Knox.

  • Authorization, audit, and data governance with Apache Ranger and Apache Atlas.

Cloudera Base on premises with FIPS-compliant mode can only be configured during new cluster installations. Converting an existing Cloudera Base on premises cluster from non-FIPS mode to FIPS-compliant mode is not supported. However, FIPS-enabled Cloudera Base on premises clusters can be upgraded between versions, provided both the source and target versions support FIPS. Before upgrading, verify FIPS support for the target Cloudera Base on premises and Cloudera Manager versions using the Cloudera support matrix.

Cloudera is not responsible for providing instructions for enabling FIPS mode on a RHEL- or CentOS-based operating system, or instructions on configuring the required external databases in a FIPS 140-2 compliant manner. Please consult the vendor documentation for your database for details.

The supported platform components and features, and all limitations in this release, are documented in the Understanding the Prerequisites section.

In summary, the ability to run Cloudera Base on premises in a FIPS 140-2 compliant mode allows customers running Cloudera Base on premises on a FIPS platform to improve conformance with the compliance and accreditation standards that apply to their information systems.