Step 3: Validate the CCJ and CCS installations

Run the following commands on each host to validate the CryptoComply for Java (CCJ) and CryptoComply for Server (CCS) installation.

  1. Run the following command:
    sysctl crypto.fips_enabled

    Expected output:

    crypto.fips_enabled = 1
  2. Run the following command:
    echo greeting | openssl md5

    This command must fail: MD5 is not a FIPS-approved algorithm, so the failure indicates that FIPS is enabled.

  3. Run the following command to verify the list of security providers in JDK 8:
    read -r -d '' list_providers <<EOF
    p = java.security.Security.getProviders();
    for (i = 0; i < p.length; i++) { java.lang.System.out.println(p[i]); }
    EOF
    ${JAVA_HOME}/bin/jrunscript -e "$list_providers"

    This command lists the installed security providers with their version numbers, including the SafeLogic packages, for example:

    CCJ version 1.01
    SUN version 1.8
    SunRsaSign version 1.8
    SunEC version 1.8
    SunJSSE version 1.8
    SunJCE version 1.8
    SunJGSS version 1.8
    SunSASL version 1.8
    XMLDSig version 1.8
    SunPCSC version 1.8
  4. Run the following command:
    read -r -d '' do_maxAESKeyLength <<EOF
    java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));
    EOF
    answer=$(${JAVA_HOME}/bin/jrunscript -Dcom.safelogic.cryptocomply.fips.approved_only=true -e "$do_maxAESKeyLength")
    echo "$answer"

    Expected output:

    2147483647
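
The four checks above combined into one script that prints a PASS or FAIL line per check, as an added example (not part of the original page and not vendor code). The function names and the `--live` switch are assumptions of this example; it also counts exit status 127 in step 2 (openssl not found) as a failure rather than as evidence that FIPS is enabled.

```shell
#!/bin/sh
# Added example, not vendor code: function names and --live are this example's own.

# Step 1: the kernel flag must read exactly "crypto.fips_enabled = 1".
check_fips_sysctl() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "crypto.fips_enabled=1" ]
}

# Step 2: takes the exit status of `echo greeting | openssl md5`.
# 0 means MD5 still works; 127 means openssl was not found, which says
# nothing about FIPS, so neither counts as a pass.
check_md5_rejected() {
    [ "$1" -ne 0 ] && [ "$1" -ne 127 ]
}

# Step 3: the provider list must contain a CCJ entry (assumes the
# "CCJ version <n>" line format of the sample output).
check_ccj_provider() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*CCJ version [0-9]'
}

# Step 4: the maximum allowed AES key length must be 2147483647.
check_max_aes() {
    [ "$1" = "2147483647" ]
}

run_check() {  # run_check <label> <check function> [args...]
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; failed=1; fi
}

validate_host() {
    failed=0
    jrs="${JAVA_HOME}/bin/jrunscript"
    run_check "kernel FIPS flag" check_fips_sysctl "$(sysctl crypto.fips_enabled 2>/dev/null)"
    md5_status=0
    echo greeting | openssl md5 >/dev/null 2>&1 || md5_status=$?
    run_check "MD5 rejected" check_md5_rejected "$md5_status"
    providers=$("$jrs" -e 'p = java.security.Security.getProviders();
        for (i = 0; i < p.length; i++) { java.lang.System.out.println(p[i]); }' 2>/dev/null) || true
    run_check "CCJ provider listed" check_ccj_provider "$providers"
    maxlen=$("$jrs" -Dcom.safelogic.cryptocomply.fips.approved_only=true -e \
        'java.lang.System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES/CBC/PKCS5Padding"));' 2>/dev/null) || true
    run_check "max AES key length" check_max_aes "$maxlen"
    return "$failed"
}

# Query the local host only when asked to: sh validate_fips.sh --live
if [ "${1:-}" = "--live" ]; then validate_host; fi
```

Run it with `--live` on each host; the exit status is non-zero if any check fails.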