Configuring a Secure Non-FIPS-Enabled Client for a FIPS-Enabled Server
Describes client configuration when the client is non-FIPS and the server is FIPS.
Non-FIPS enabled nodes do not support the BCFKS trust store format. Therefore, copying the BCFKS trust store from server to client does not work. You need to create the JKS trust store on the non-FIPS client by importing the same certificates that are in the BCFKS trust store on the FIPS-enabled server host. Different configuration procedures apply depending on whether you are configuring for the first cluster or for subsequent clusters.
Configuring the First Cluster
Use the following steps to configure a secure non-FIPS-enabled client to a FIPS-enabled
server for the first cluster:
- Copy the
${MAPR_HOME}/conf/ssl_truststore.bcfksfrom the FIPS-enabled server to a temporary directory of the secure non-FIPS enabled client. - Run the
manageSSLKeys.sh convertutility to convert the trust store from BCFKS format to JKS format. The destination trust store will be set to the same password as the source trust store. For example:/opt/mapr/server/manageSSLKeys.sh convert \ -srcType bcfks -dstType JKS \ -p 1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA \ /tmp/ssl_truststore.bcfks /opt/mapr/conf/ssl_truststore - On the secure non-FIPS enabled client, run the
configure.shscript with the-coption, using the-storepasswdsoption to specify the trust store password, but without the key store password. Since the converted trust store is set to the same password as the source, the password must be the same as the one you specified using the-poption in Step 2. For example:/opt/mapr/server/configure.sh -secure -N hpe186.cluster.com -C m2-mapreng-vm167186:7222 -Z m2-mapreng-vm167186:5181 -c -storepasswds :1IB_wtxT5Lbj6OU8xFpWpQiZ0SjE6BrA
Configuring for Subsequent Clusters
If your secure non-FIPS enabled client is connecting to the second or subsequent clusters
where the nodes are FIPS-enabled, you cannot use the procedure described for the FIPS client
to FIPS server to merge the trust store contents from these clusters to your existing trust
store, since the trust store type is different. You need to use the
keytool
utility to merge the trust stores. Use the following steps:- Copy the trust store from the FIPS server to the current node. For
example:
# scp root@fips0:/opt/mapr/conf/ssl_truststore.bcfks /tmp/. - Run the
keytoolcommand to import the contents of the BCFKS trust store into the JKS trust store. You need the passwords for the BCFKS trust store on the remote node as well as the JKS trust store on the local node that you are importing to. For example:# keytool -importkeystore -srckeystore ssl_truststore.bcfks \ -srcstorepass SPCs12NrH10F1tqD8p3C1_6r1vHB9AIx \ -srcstoretype bcfks \ -destkeystore /tmp/ssl_truststore \ -deststorepass j01Z8SdPV_r3N8bOnV1hzRwzCC_w8x4C \ -deststoretype jks \ -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \ -providerpath /opt/mapr/lib/bc-fips-1.0.2.1.jar \ -srcprovidername BCFIPS Importing keystore ssl_truststore.bcfks to ssl_truststore... Entry for alias fips0.cluster.com-root-signing-ca successfully imported. Entry for alias fips0.cluster.com-root-ca-chain successfully imported. Entry for alias fips0.cluster.com successfully imported. Import command completed: 3 entries successfully imported, 0 entries failed or cancelled - 3. Run the
configure.shcommand. For example:# /opt/mapr/server/configure.sh -secure -N hpe186.cluster.com -c -C m2-mapreng-vm166186:7222