About Release 7.0
This site contains documentation for HPE Ezmeral Data Fabric release 7.0, including installation, configuration, administration, and reference content, as well as content for the associated ecosystem components and drivers.
7.0 Installation
This section contains information about installing and upgrading HPE Ezmeral Data Fabric software. It also contains information about how to migrate data and applications from an Apache Hadoop cluster to a HPE Ezmeral Data Fabric cluster.
7.0 Data Fabric
HPE Ezmeral Data Fabric is the industry-leading data platform for AI and analytics that solves enterprise business needs.
- HPE Ezmeral Data Fabric File Store
  HPE Ezmeral Data Fabric File Store is a distributed file system for data storage, data management, and data protection. File Store supports mounting and cluster access via NFS and FUSE-based POSIX clients (basic, platinum, or PACC) and also supports access and management via HDFS APIs.
- HPE Ezmeral Data Fabric Object Store
  The HPE Ezmeral Data Fabric Object Store is a native object storage solution that efficiently stores objects and metadata for optimized access.
- HPE Ezmeral Data Fabric Database
  HPE Ezmeral Data Fabric Database is an enterprise-grade, high-performance, NoSQL database management system that you can use for real-time, operational analytics.
- HPE Ezmeral Data Fabric Streams
  HPE Ezmeral Data Fabric Streams brings integrated publish and subscribe messaging to the Data Fabric Converged Data Platform.
- HPE Ezmeral Unified Analytics
  Describes the HPE Ezmeral Unified Analytics Software and provides a link to more information.
- Kubernetes Interfaces for Data Fabric
  This section describes the Kubernetes Interfaces for Data Fabric, which include the Container Storage Interface (CSI) driver for multiple container-orchestration systems, and the FlexVolume driver for Kubernetes.
- Cluster Management
  Provides a synopsis of the various cluster components and their management.
- Performance
  Describes how to tune system performance, manage RDMA, and optimize CLDB tables.
- Security
  Provides an overview of the data-fabric security features.
  - Authentication in Data Fabric
    Describes types of authentication available with the HPE Ezmeral Data Fabric and how to manage user authentication with the maprlogin utility.
  - Authorization in Data Fabric
    Describes the basics of authorization including Access Control Lists and Access Control Expressions.
  - Encryption in Data Fabric
    Describes encryption types available on the HPE Ezmeral Data Fabric.
    - SSL Certificates
      Describes how certificates are used to perform authentication and encryption for websites that use the HTTPS protocol.
    - Security Protocols Used by Data Fabric
      Lists the various security protocols that data-fabric uses for encryption and authentication.
    - HTTPS Excluded Ciphers
      Lists the weak ciphers that are excluded from the data-fabric HTTPS implementation.
    - TLS 1.2 Supported Ciphers
      Lists the ciphers that are supported (and not supported) by HPE Ezmeral Data Fabric for use with TLS 1.2.
  - Prevent Storage of Specified Types of Files
    Provides an overview of how to prevent certain types of files from being stored on certain volumes.
  - Impersonation in Data Fabric
    Describes impersonation in data-fabric, which allows centralized control of access to resources in the file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams.
  - Auditing in Data Fabric
    Data Fabric allows you to log audit records of cluster-administration operations, and operations on directories, files, streams and tables.
  - Policy-Based Security
    Starting in core version 6.2.0 (EEP 7.0.0), HPE Ezmeral Data Fabric supports Policy-Based Security, a feature that administrators can use to classify security controls into a manageable number of security policies.
  - FIPS Compliance
    Describes how the HPE Ezmeral Data Fabric complies with Federal Information Processing Standard (FIPS) 140-2 Level 1.
  - Dynamic Data Masking
    Describes the Dynamic Data Masking feature that allows you to mask sensitive information when retrieving data.
  - External KMIP Keystore Overview
    Describes the External KMIP Keystore functionality.
  - Security for Ecosystem Components
    Whether you install data-fabric software by using the Installer or by using manual steps, the platform and its ecosystem components are installed with security ON by default.
  - Security Settings for Ecosystem Components
    Lists the security settings for all HPE Ezmeral Data Fabric ecosystem components.
  - Security Exceptions
    "Secure by default" means network-safe authentication and encryption. This page describes areas in which secure-by-default capabilities are not yet implemented for the data-fabric platform or ecosystem components. Included where applicable, are links to more information to help you work around those issues.
- YARN
- Client Connections
  The following sections describe how a client connects to local and remote data-fabric clusters.
7.0 Administration
This section describes how to manage the nodes and services that make up a cluster.
7.0 Development
This section contains information related to application development for Ezmeral ecosystem components and HPE Ezmeral Data Fabric products, including the file system, Database (Key-Value and JSON), and Event Streams.
Other Docs
This section contains release-independent information, including: Installer documentation, Ecosystem release notes, interoperability matrices, security vulnerabilities, and links to other data-fabric version documentation.
Glossary
Definitions for commonly used terms in MapR Converged Data Platform environments.

HTTPS Excluded Ciphers

Lists the weak ciphers that are excluded from the data-fabric HTTPS implementation.

By default, the following weak TLS/SSL ciphers are excluded from the data-fabric HTTPS implementation:

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Cipher Exclusion for Core Components

To exclude weak ciphers from the CLDB and Control System, typically you must add the ciphers to the java.security file in the installed java home path. However, the best practice for your JDK might be different. For information about enabling and disabling ciphers, consult your JDK documentation. In the following example, the ECDHE-RSA-AES256-GCM-SHA384 cipher has been added to java.security:

updated: java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, DES, MD5withRSA, 
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, 
include jdk.disabled.namedCurves

Because the cipher is excluded, using the openssl client to connect to the CLDB using this cipher results in a handshake failure:

openssl s_client -connect 10.163.164.136:7443 -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000005)
139705826673088:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 165 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1662472760
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: n