Configuring a FIPS Client for a Secure Non-FIPS Server

Describes client configuration when the client is FIPS and the server is secure non-FIPS.

The steps to connect a FIPS-enabled client to a secure non-FIPS-enabled server are similar to the steps to connect a non-FIPS-enabled client to a secure FIPS-enabled server.

Configuring Connectivity for the First Cluster

Use these steps to configure connectivity for a FIPS-enabled client to a secure non-FIPS-enabled server:
  1. On the secure non-FIPS-enabled server, run the manageSSLKeys.sh convert utility to convert the trust store from JKS to BCFKS format. For example:
    /opt/mapr/server/manageSSLKeys.sh convert \
        -srcType JKS -dstType bcfks \
        -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \
        /opt/mapr/conf/ssl_truststore /tmp/ssl_truststore.bcfks
  2. Copy the converted ssl_truststore.bcfks trust store from the secure non-FIPS server to /opt/mapr/conf/ssl_truststore.bcfks on the FIPS client.
  3. Run configure.sh with the -c option on the FIPS-enabled client, using the -storepasswds option to specify the trust store password but not the key store password (in the example, the empty field before the colon is the omitted key store password). Because the converted BCFKS trust store keeps the password of its source, this password must be the same as the one you specified with the -p option in Step 1. For example:
    /opt/mapr/server/configure.sh -secure -N hpe186.cluster.com \
        -C m2-mapreng-vm167186:7222 -Z m2-mapreng-vm167186:5181 \
        -c -storepasswds :1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA
After a successful run of configure.sh, the following files are created or updated:
  • The BCFKS trust store credential file ${MAPR_HOME}/conf/maprtrustcreds.bcfks:
    [root@m2-mapreng-vm166251 ~]# hadoop credential list
    Listing aliases for CredentialProvider:
    localbcfks://file/opt/mapr/conf/maprtrustcreds.bcfks
    ssl.client.truststore.password
  • Symbolic links ${MAPR_HOME}/conf/ssl-client.xml and ${MAPR_HOME}/conf/ssl-server.xml are created to ${HADOOP_HOME}/etc/hadoop/ssl-client.xml and ${HADOOP_HOME}/etc/hadoop/ssl-server.xml respectively. The ssl-server.xml is not used for clients and is not modified by the configure.sh script.
  • The Hadoop Credential Provider credential store ${MAPR_HOME}/conf/maprtrustcreds.bcfks is created to store the trust store password specified in the -storepasswds option. The password for the trust store is set to the default of mapr123. To change the password, use the manageSSLKeys.sh script with the createrandompassword option to create a random password, or the copywithconfiguredpassword option to set a new user-selectable password.

Configuring Connectivity for Subsequent Clusters

The procedure of connecting a FIPS client to a secure non-FIPS server is similar to that of connecting a non-FIPS client to a FIPS server. Use the following steps:
  1. Copy the trust store from the non-FIPS server to the current node. For example:
    # scp root@hpe186:/opt/mapr/conf/ssl_truststore /tmp/.
  2. Run the keytool command to import the contents of the copied JKS trust store into the local BCFKS trust store. You need the password of the JKS trust store from the remote node, as well as the password of the BCFKS trust store on the local node that you are importing into. For example:
    # keytool -importkeystore \
    -srckeystore /tmp/ssl_truststore \
    -srcstorepass j01Z8SdPV_r3N8bOnV1hzRwzCC_w8x4C \
    -srcstoretype jks \
    -destkeystore ssl_truststore.bcfks \
    -deststoretype bcfks \
    -deststorepass SPCs12NrH10F1tqD8p3C1_6r1vHB9AIx \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS
    Importing keystore ssl_truststore to ssl_truststore.bcfks...
    Entry for alias hpe186.cluster.com successfully imported.
    Entry for alias hpe186.cluster.com-root-signing-ca successfully imported.
    Entry for alias hpe186.cluster.com-root-ca-chain successfully imported.
    You can verify the contents of your merged trust store by using the keytool command:
    # keytool -list -keystore ssl_truststore.bcfks \
    -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \
    -providername BCFIPS \
    -storetype bcfks \
    -storepass SPCs12NrH10F1tqD8p3C1_6r1vHB9AIx
    Keystore type: BCFKS
    Keystore provider: BCFIPS
    
    Your keystore contains 6 entries
    
    fips0.cluster.com, Nov 8, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 83:99:C1:58:2D:57:5D:D1:3C:57:10:D1:5B:FA:D6:A9:CB:30:D5:33:49:A5:31:37:64:F6:01:47:2A:BA:C1:F0
    fips0.cluster.com-root-ca-chain, Nov 8, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): EF:E8:90:61:20:BB:7B:F0:9D:D0:B0:B4:3C:7D:3E:D9:35:C0:27:09:39:BC:69:26:32:89:ED:1D:FD:38:B5:37
    fips0.cluster.com-root-signing-ca, Nov 8, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 5B:E4:AC:0C:99:38:72:8E:82:4C:EC:7A:73:57:6E:42:FC:67:17:A0:F6:EE:89:D2:E9:ED:EE:C3:54:89:5D:64
    hpe186.cluster.com, Nov 10, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): 46:84:CB:7A:24:6A:93:24:98:A2:A0:B1:CD:A0:D4:AB:E2:00:8D:32:53:0E:6F:0A:38:D9:2D:ED:AC:94:01:0D
    hpe186.cluster.com-root-ca-chain, Nov 10, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): EA:D3:E4:AF:8F:E4:96:58:7D:31:AD:E1:3D:86:7C:69:2A:85:62:BE:61:F4:4B:09:29:FB:68:D1:A5:41:3F:A2
    hpe186.cluster.com-root-signing-ca, Nov 10, 2021, trustedCertEntry, 
    Certificate fingerprint (SHA-256): F0:D2:F3:F4:1B:F1:F0:07:74:A0:B9:B9:0D:52:E9:71:F3:55:EE:DC:01:84:F4:73:9E:3B:67:B0:FB:92:1E:84
  3. Run the configure.sh command with the -c option, specify the cluster you want to connect to in the -N option, and list its CLDBs in the -C option. For example:
    # /opt/mapr/server/configure.sh -secure -N hpe186.cluster.com -c -C s1:7222
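As an added example that is not part of this documentation, the following Python script parses the keytool -list output shown in Step 2 and reports which of the aliases a cluster is expected to contribute (<cluster>, <cluster>-root-signing-ca, <cluster>-root-ca-chain) are missing from the merged BCFKS trust store; it also rejects output whose entry count does not match the "Your keystore contains N entries" header, which catches a truncated listing. The sample output and its fingerprints are constructed; only the alias naming follows the listings above.

```python
"""Check `keytool -list` output of a merged BCFKS trust store for each cluster's
expected aliases: <cluster>, <cluster>-root-signing-ca, <cluster>-root-ca-chain."""
import re
from typing import Dict, List, Tuple

EXPECTED_SUFFIXES = ("", "-root-signing-ca", "-root-ca-chain")
# Entry line "alias, Mon D, YYYY, entryType," has a comma inside the date, so the
# alias is the comma-free prefix and the entry type the last field before the comma.
_ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+), (?P<type>\w+),\s*$")
_FP_RE = re.compile(r"^Certificate fingerprint \([\w-]+\): (?P<fp>[0-9A-F:]+)$")
_COUNT_RE = re.compile(r"^Your keystore contains (\d+) entr")

def parse_keytool_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {alias: (entry_type, fingerprint)}; raise on truncated output."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: Dict[str, Tuple[str, str]] = {}
    declared = None
    for i, line in enumerate(lines):
        if (c := _COUNT_RE.match(line)):
            declared = int(c.group(1))
        elif (m := _ENTRY_RE.match(line)):
            fp = _FP_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            if fp is None:
                raise ValueError(f"no fingerprint line after alias {m['alias']!r}")
            entries[m["alias"]] = (m["type"], fp["fp"])
    if declared is not None and declared != len(entries):
        raise ValueError(f"header declares {declared} entries, parsed {len(entries)}")
    return entries

def missing_cluster_aliases(entries: Dict[str, Tuple[str, str]], cluster: str) -> List[str]:
    """Aliases of `cluster` that are absent or are not a trustedCertEntry."""
    return [cluster + s for s in EXPECTED_SUFFIXES
            if entries.get(cluster + s, ("", ""))[0] != "trustedCertEntry"]

# Constructed sample output (placeholder fingerprints, not real values):
# fips0 is complete, hpe186 has only its host entry so far.
SAMPLE = """Keystore type: BCFKS
Keystore provider: BCFIPS
Your keystore contains 4 entries
fips0.cluster.com, Nov 8, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
fips0.cluster.com-root-ca-chain, Nov 8, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 01:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
fips0.cluster.com-root-signing-ca, Nov 8, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 02:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
hpe186.cluster.com, Nov 10, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 03:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""
```

Run it against the real listing by piping the keytool -list output into parse_keytool_list and calling missing_cluster_aliases once per cluster you have merged.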