Step 3: Validate the CCJ and CCS installations

Run the following commands on each host to validate the CryptoComply for Java (CCJ) and CryptoComply for Server (CCS) installation.

  1. Run the following command:
    sysctl crypto.fips_enabled

    Expected output:

    crypto.fips_enabled = 1
  2. Run the following command:
    echo greeting | openssl md5

    This command must fail: MD5 is not a FIPS-approved algorithm, so OpenSSL rejects it when FIPS is enabled.

  3. Run the following commands on the Cloudera Manager Server to verify the list of security providers in JDK 11. The java command takes the directory chosen for the CCJ JAR file as its module path (this assumes that the bctls JAR file is in the same directory) and shows the providers with those modules added:

    cat > ListSecurityProviders.java <<-EOF
    import java.security.Provider;
    import java.security.Security;

    public class ListSecurityProviders {
        public static void main(String[] args) {
            Provider[] providers = Security.getProviders();
            for (Provider provider : providers) {
                System.out.println("Provider: " + provider.getName());
                System.out.println("Version: " + provider.getVersionStr());
                System.out.println("Info: " + provider.getInfo());
                System.out.println();
            }
        }
    }
    EOF
    
    java -p /directory/chosen/for/ccj-bctls/jars/ ListSecurityProviders.java

    If the providers are configured and referenced properly, the output includes them. For example:

    Provider: CCJ
    Version: <version>
    Info: CryptoComply® for Java version <version>
    
    Provider: BCJSSE
    Version: <version>
    Info: Bouncy Castle JSSE Provider Version <version>
  4. Run the following commands:
    # Store the one-line script that prints the maximum allowed AES key length
    read -r -d '' do_maxAESKeyLength <<EOF
    java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
    EOF
    # Run it with CCJ restricted to FIPS-approved mode
    answer=$("${JAVA_HOME}/bin/jrunscript" -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength")
    echo "$answer"

    Expected output:
    2147483647
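
The four checks above as pass/fail shell functions, for repeating the validation on many hosts; a missing or non-executable openssl is treated as a failed check rather than as evidence that FIPS is enabled. This is an added example, not Cloudera or SafeLogic code, and the function names and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudera or SafeLogic code). Function names and the
# --run switch are assumptions made for this sketch.

# Step 1: accept only the exact expected sysctl line.
check_fips_sysctl() { [ "$1" = "crypto.fips_enabled = 1" ]; }

# Step 2: $1 = exit status of `openssl md5`, $2 = its stdout.
# Status 0 means MD5 was computed. 126/127 mean openssl could not be run,
# which says nothing about FIPS mode, so that also counts as a failed check.
check_md5_rejected() {
  case "$1" in
    0|126|127) return 1 ;;
  esac
  # Any 32-hex-digit digest on stdout means MD5 was still produced.
  if printf '%s\n' "$2" | grep -Eq '[0-9a-f]{32}'; then
    return 1
  fi
  return 0
}

# Step 3: both providers must appear as their own "Provider: NAME" line.
check_providers() {
  for cp_name in CCJ BCJSSE; do
    printf '%s\n' "$1" | grep -qx "Provider: $cp_name" || return 1
  done
  return 0
}

# Step 4: compare against the expected value shown on the page.
check_aes_keylen() { [ "$1" = "2147483647" ]; }

# Live run of steps 1 and 2 on the current host.
validate_host() {
  vh_status=0
  vh_out=$(sysctl crypto.fips_enabled 2>/dev/null) || true
  check_fips_sysctl "$vh_out" || { echo "FAIL sysctl: $vh_out"; vh_status=1; }
  vh_out=$(echo greeting | openssl md5 2>/dev/null) && vh_rc=0 || vh_rc=$?
  check_md5_rejected "$vh_rc" "$vh_out" || { echo "FAIL md5: rc=$vh_rc"; vh_status=1; }
  return "$vh_status"
}

if [ "${1:-}" = "--run" ]; then
  validate_host && echo "PASS: steps 1 and 2"
fi
```

Feed the output of steps 3 and 4 to check_providers and check_aes_keylen, for example check_aes_keylen "$answer".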