Step 1: Prepare hosts

Prepare the hosts for FIPS integration.

Cryptographic operations require entropy to ensure randomness.

Check the available entropy:

cat /proc/sys/kernel/random/entropy_avail must be always above 2k
- In order to keep the entropy high, install the following tools and keep them running:
  - rng-tools - For information about checking available entropy and using rng-tools, see Entropy Requirements in Data at Rest Encryption Requirements.
    1. sudo dnf install rng-tools
    2. sudo systemctl enable rngd
    3. sudo systemctl start rngd
  - haveged (available in the EPEL Repository) - For information about using the haveged entropy daemon, see the haveged documentation.
    1. sudo dnf install haveged
    2. sudo systemctl enable haveged
    3. sudo systemctl start haveged
note
Virtual Machines might have insufficient sources of entropy, which can cause extreme slowness of many Cloudera Manager and CDP operations even with rngd and haveged enabled. You might need to take the following additional hypervisor-level measures to provide enough entropy for strong cryptographic functions required for FIPS compliance:
- Ensure that the Hardware Random Number Generator (Hwrng) is enabled by setting disableHwrng to false
- Set different entropy sources if necessary
Configure the operating system for FIPS.
For RHEL 8, see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies
On all hosts, run one of the following commands to verify that FIPS mode is enabled:
- ```
cat /proc/sys/crypto/fips_enabled
```
  Expected output:
```
crypto.fips_enabled = 1
```
  (1 indicates FIPS enabled)
- ```
sysctl crypto.fips_enabled
```
  Expected output:
```
crypto.fips_enabled = 1
```
  (1 indicates FIPS enabled)
Configure a repository to install Cloudera Manager and other required packages.
1. On the Cloudera Manager server host, download the repository file for your operating system and version:
```
https://[username]:[password]@archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/cloudera-manager.repo
```
2. Open the /etc/yum.repos.d/cloudera-manager.repo file in a text editor and replace the changeme placeholder values with your user name and password.
```
[cloudera-manager]
name=Cloudera Manager 7.11.3
baseurl=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
gpgkey=https://archive.cloudera.com/p/cm7/7.11.3/redhat8/yum/
RPM-GPG-KEY-cloudera
username=changeme
password=changeme
gpgcheck=1
enabled=1
autorefresh=0
type=rpm-md
```
3. If your hosts do not have access to https://archive.cloudera.com, you must set up a local repository. See Configuring Local Package and Parcel Repositories.
Manually install OpenJDK 11 / Oracle JDK 11 / OpenJDK 17 (From Cloudera Runtime 7.1.9 SP1 release onwards) on all hosts.
- Installing OpenJDK for Cloudera Runtime
- Installing Oracle JDK for Cloudera Runtime
Download and Install CryptoComply for Java (CC for Java) SafeLogic - Java JCE Provider on all hosts:
1. Obtain the SafeLogic CC Java module JAR file.
2. Create the directory, sudo mkdir /opt/cloudera/fips/.
3. Copy the ccj-3.0.2.1.jar file to /opt/cloudera/fips/.
4. Obtain the SafeLogic BCTLS Java module JAR file.
5. Copy the bctls-safelogic.jar file to /opt/cloudera/fips/ .
6. Change the file permissions on both the ccj-3.0.2.1.jar and bctls-safelogic.jar files to root and 0644:
```
chown root: /opt/cloudera/fips/ccj-3.0.2.1.jar
chmod 0644 /opt/cloudera/fips/ccj-3.0.2.1.jar
chown root: /opt/cloudera/fips/bctls-safelogic.jar
chmod 0644 /opt/cloudera/fips/bctls-safelogic.jar
```
  note
  The path must be the same for both ccj-3.0.2.1.jar and bctls-safelogic.jar.

Configure the Java environment variable.

Create ccj.sh in /etc/profile.d/:

echo "export 
JDK_JAVA_OPTIONS='--module-path=/opt/cloudera/fips/ccj-3.0.2.1.jar:/opt/cloudera/fips/bctls.jar   
--add-exports java.base/sun.security.provider=com.safelogic.cryptocomply.fips.core   
--add-modules com.safelogic.cryptocomply.fips.core,bctls'" >/etc/profile.d/ccj.sh
sudo chmod +x /etc/profile.d/ccj.sh

Configure java.policy, by adding the CCJ configuration to the bottom of the $JAVA_HOME/conf/security/java.policy file within the closed bracket as shown below:

//CCJ Java Permissions
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "java.runtime.name", "read";
permission java.security.SecurityPermission "putProviderProperty.CCJ";
//CCJ Key Export and Translation
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "exportKeys";
//CCJ SSL
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
//CCJ Setting of Default SecureRandom
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "defaultRandomConfig";
//CCJ Setting CryptoServicesRegistrar Properties
permission com.safelogic.cryptocomply.crypto.CryptoServicesPermission "globalConfig";
//CCJ Enable JKS
permission com.safelogic.cryptocomply.jca.enable_jks "true";
};

Locate the java.security file at $JAVA_HOME/jre/lib/security/java.security:

Add the following lines:

#
# List of providers and their preference orders (see above):
#
security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
security.provider.3=SUN
security.provider.4=SunRsaSign
security.provider.5=SunEC
security.provider.6=SunJSSE
security.provider.7=SunJCE
security.provider.8=SunJGSS
security.provider.9=SunSASL
security.provider.10=XMLDSig
security.provider.11=SunPCSC
security.provider.12=JdkLDAP
security.provider.13=JdkSASL

Comment out the default fips.providers and add the following lines:

#
# Security providers used when FIPS mode support is active
#
#fips.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.fips.cfg
#fips.provider.2=sun.security.provider.Sun
#fips.provider.3=sun.security.ec.SunEC
#fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
fips.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
fips.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:CCJ
fips.provider.3=SUN
fips.provider.4=SunRsaSign
fips.provider.5=SunEC
fips.provider.6=SunJSSE
fips.provider.7=SunJCE
fips.provider.8=SunJGSS
fips.provider.9=SunSASL
fips.provider.10=XMLDSig
fips.provider.11=SunPCSC
fips.provider.12=JdkLDAP
fips.provider.13=JdkSASL

Comment out the ssl.KeyManagerFactory.algorithm=SunX509 line and add a new line with the text ssl.KeyManagerFactory.algorithm=X.509:

# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
#ssl.KeyManagerFactory.algorithm=SunX509
ssl.KeyManagerFactory.algorithm=X.509
ssl.TrustManagerFactory.algorithm=PKIX

Install Cloudera Manager Server