About Release 7.0
This site contains documentation for HPE Ezmeral Data Fabric release 7.0, including installation, configuration, administration, and reference content, as well as content for the associated ecosystem components and drivers.
7.0 Installation
This section contains information about installing and upgrading HPE Ezmeral Data Fabric software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a HPE Ezmeral Data Fabric cluster.
7.0 Data Fabric
HPE Ezmeral Data Fabric is the industry-leading data platform for AI and analytics that solves enterprise business needs.
7.0 Administration
This section describes how to manage the nodes and services that make up a cluster.
- Administering Users and Clusters
  Lists topics that help manage a data-fabric cluster.
- Administering Nodes
  Provides a synopsis of managing nodes in a cluster.
- Administering Volumes
  This section provide information about how to organize and manage data using volumes, a unique feature of HPE Ezmeral Data Fabric clusters.
- Administering Files and Directories
- Administering Tables
  Administration of the HPE Ezmeral Data Fabric Database is done primarily via the command line (maprcli) or with the Managed Control System (MCS). Regardless of whether the HPE Ezmeral Data Fabric Database table is used for binary files or JSON documents, the same types of commands are used with slightly different parameter options. HPE Ezmeral Data Fabric Database administration is associated with tables, columns and column families, and table regions.
- Administering Streams
- Administering Data Fabric Gateways
  A HPE Ezmeral Data Fabric gateway mediates one-way communication between a source HPE Ezmeral Data Fabric cluster and a destination cluster. You can replicate HPE Ezmeral Data Fabric Database tables (binary and JSON) and HPE Ezmeral Data Fabric Streams streams. HPE Ezmeral Data Fabric gateways also apply updates from JSON tables to their secondary indexes and propagate Change Data Capture (CDC) logs.
- Administering Services
- Monitoring the Cluster
  This section describes how to monitor the health and performance of a MapR cluster.
- Configuring Security
  Describes how to configure security and manage secure clusters.
  - Configuring Data-Fabric Security
    Provides usage information for frequently used security functionality, including Access Control Lists (ACLs), Access Control Expressions (ACEs), file permissions, and subnet allowlisting.
    - Getting Started with HPE Ezmeral Data Fabric Security
      Describes quick implementation of security.
    - Managing Encryption
      Provides information that allows you to use encryption across the HPE Ezmeral Data Fabric platform.
    - Determining if a Cluster is Secure and Enabled for Encryption
      Explains how to use the Control System, the CLI, and REST API to determine whether a cluster is secure and whether on-wire encryption and data-at-rest encryption are enabled at the cluster and volume levels.
    - Managing FIPS Security
      The topics in this section describe how to learn about and manage your FIPS configuration.
      - Determining if a Host Is in FIPS Mode
        Explains how to use the CLI, REST commands, or the Control System to determine if a host is in FIPS mode.
      - Using the Java keytool with Bouncy Castle Key and Trust Stores
        Use the Java keytool command to manipulate key and trust stores, which includes listing the aliases or contents, exporting certificates, and merging trust stores.
      - Key and Trust Store Password Protection
        This section describes how keystore and truststore passwords are protected.
        Password Protection with the Hadoop Credential Provider API
        This section describes the credential stores on FIPS-enabled and secure non-FIPS-enabled hosts.
        Password Protection for Non-Java Applications
        This section describes an alternative mechanism that non-Java applications can use to access the key and trust store passwords.
        Protection of CLDB and DARE Master Keys
        This section describes how the CLDB key and DARE master keys are encrypted and stored during normal operations.
        Removing Clear-Text Passwords After Upgrade
        Upon upgrade to release 7.0.0 or later, any clear-text passwords that existed in ssl-client.xml and ssl-server.xml in a pre-7.0.0 release are preserved by default. Remove these passwords by using a configure.sh command option.
      - Manipulating Key and Trust Stores
        This section describes how the key and trust stores can be used in the Java keytool utility and how they can be manipulated using the manageSSLKeys.sh command.
      - Application Development with Encrypted Key and Trust Stores
        This section describes application development requirements for users writing custom applications for encrypted key and trust stores in both FIPS and non-FIPS modes.
      - Troubleshooting Tips for FIPS Installations
        Answers frequently asked questions and provides troubleshooting tips for FIPS installations.
    - Configuring Authentication
      Provides information about Data Fabric tickets, Kerberos, Pluggable Authentication Module (PAM) authentication.
    - Managing Access Controls
      Describes how to create, enable, and use ACLs and ACEs.
    - Configuring Policy-Based Security
      Starting in HPE Ezmeral Data Fabric 6.2.0 (EEP 7.0.0), HPE Ezmeral Data Fabric supports Policy-Based Security. Policy-Based Security is a mechanism that enables administrators to create security policies for simplified data management. Administrative users can create and manage security policies through the control system, maprcli, REST API, Hadoop and Linux commands, and Java APIs.
    - Customizing Security in HPE Ezmeral Data Fabric
      Describes the .customSecure file and how HPE Ezmeral Data Fabric 6.x handles custom security settings.
  - Managing Impersonation
    Provides instructions for enabling and using Data Fabric impersonation features.
- Managing Secure Clusters
  Provides procedures that will enable you to use MapR clusters securely.
- Administering the Data Access Gateway
  The HPE Ezmeral Data Fabric Data Access Gateway is a service that acts as a proxy and gateway for translating requests between lightweight client applications and the HPE Ezmeral Data Fabric cluster. This section describes considerations when upgrading the service, how to modify configuration settings, and how to administer and manage the service.
- Planning for High Availability
- Administrator's Reference
  This section contains in-depth reference information for the administrator.
- Troubleshooting Cluster Administration
  Lists the common errors and their solutions.
- Best Practices for Backing Up HPE Ezmeral Data Fabric Information
  Lists the best practices and performance considerations to follow when backing up HPE Ezmeral Data Fabric information.
7.0 Development
This section contains information related to application development for Ezmeral ecosystem components and HPE Ezmeral Data Fabric products, including the file system, Database (Key-Value and JSON), and Event Streams.
Other Docs
This section contains release-independent information, including: Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other data-fabric version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

Protection of CLDB and DARE Master Keys

This section describes how the CLDB key and DARE master keys are encrypted and stored during normal operations.

In release 6.2, if used without HSM integration, the CLDB key is encrypted using a weak hard-coded key and stored in Base-64 format in ${MAPR_HOME}/conf/cldb.key. The DARE master key is stored in clear text in hexadecimal format in ${MAPR_HOME}/conf/dare.master.key. Both files are protected only by file permissions. The files need to be encrypted and protected using FIPS-approved algorithms.

Release 7.0.0 and later encrypt and store these keys using the PKCS#11 interface and the mrhsm tool. Using configure.sh with the -genkey option automatically generates the keys inside the HSM. In this case, the HSM could be the HSM that was introduced in release 6.2.0 or the HSM inside the newly introduced file store, which is ${MAPR_HOME}/conf/tokens. Upgrades also automatically upgrade mrhsm configurations to support the file store and store existing keys inside the PKCS #11 file store if the legacy cldb.key or dare.master.key are found.

Note these important considerations:

Instead of backing up the cldb.key and dare.master.key as recommended in previous versions, users are encouraged to back up the ${MAPR_HOME}/conf/tokens directory as well as the ${MAPR_HOME}/conf/maprhsm.conf file. These are both essential to retrieve the keys.
During configuration, instead of copying key files, users must copy the ${MAPR_HOME}/conf/tokens directory as well as the ${MAPR_HOME}/conf/maprhsm.conf file to other CLDB nodes in the cluster.
MFS-only nodes still need an empty ${MAPR_HOME}/conf/dare.master.key file to detect that DARE is enabled. This file does NOT need to contain the actual key.
During an upgrade, the cldb.key and dare.master.key are left intact and untouched even though we expect to have them stored in the PKCS#11 file store. It is a best practice to remove them from the node and store them in a safe location in case they are needed again.