Configuring Cross-Cluster Security for a Mixed (FIPS and Non-FIPS) Configuration

Describes how to configure cross-cluster security when the clusters include FIPS and non-FIPS-enabled nodes.

The configure-crosscluster.sh script does not support mixed configurations consisting of FIPS and non-FIPS-enabled nodes. However, you can use manual steps to enable cross-cluster security in this scenario.

The following is an example for configuring mixed clusters consisting of a combination of FIPS-enabled and secure non-FIPS-enabled nodes. Suppose you have a five-node local cluster, and three of the nodes are FIPS-enabled nodes:
  • AF1.example.com (CLDB)
  • AF2.example.com (CLDB)
  • AF3.example.com (CLDB)
Suppose the other two nodes are secure non-FIPS nodes:
  • AS4.example.com
  • AS5.example.com
In addition, suppose the remote cluster is a five-node cluster, and three of the nodes are FIPS-enabled nodes:
  • BF1.example.com (CLDB)
  • BF2.example.com (CLDB)
  • BF3.example.com (CLDB)
Suppose the other two nodes in the remote cluster are secure non-FIPS nodes:
  • BS4.example.com
  • BS5.example.com
You can use the following steps to configure cross-cluster security:
  1. Run the configure-crosscluster.sh script on the FIPS-enabled CLDB nodes, passing the FIPS CLDB host lists of both clusters:
    $ cat localhostsfile
    AF1.example.com
    AF2.example.com
    AF3.example.com
    $ cat remotehostsfile
    BF1.example.com
    BF2.example.com
    BF3.example.com
    $ /opt/mapr/server/configure-crosscluster.sh create all \
         -localtruststorepassword localtrustpass \
         -remotetruststorepassword remotetrustpass \
         -localhosts localhostsfile \
         -remotehosts remotehostsfile
  2. Copy /opt/mapr/conf/ssl_truststore.bcfks to a temporary location on the first secure non-FIPS node in the local cluster (AS4.example.com in the example). Then use the manageSSLKeys.sh convert utility to convert the updated local trust store from BCFKS to JKS format. After confirming that the conversion succeeded, copy the converted trust store to /opt/mapr/conf. For example:
    $ /opt/mapr/server/manageSSLKeys.sh convert \
        -p localtrustpass -srcType bcfks -dstType JKS \
        /opt/mapr/conf/ssl_truststore.bcfks /tmp/ssl_truststore
    $ cp /tmp/ssl_truststore /opt/mapr/conf/.
  3. Copy mapr-clusters.conf and maprserverticket (for all or server mode) from the local FIPS node (AF1.example.com) to the secure non-FIPS node of the local cluster (AS4.example.com). For example, on AF1.example.com:
    $ cd /opt/mapr/conf
    $ scp mapr-clusters.conf \
          mapr@AS4.example.com:/opt/mapr/conf/mapr-clusters.conf
    $ scp maprserverticket \
          mapr@AS4.example.com:/opt/mapr/conf/maprserverticket
  4. Use pscp to copy ssl_truststore, mapr-clusters.conf, and maprserverticket to all the other secure non-FIPS nodes in the local cluster (AS5.example.com in the example).
  5. Repeat steps 2 and 3 for the non-FIPS hosts in the remote cluster, starting with the first non-FIPS remote node (BS4.example.com):
    1. On BS4.example.com, use the manageSSLKeys.sh convert utility to convert the updated remote trust store from BCFKS to JKS format, and copy it to /opt/mapr/conf.
    2. Copy the mapr-clusters.conf and maprserverticket files from the remote FIPS node (BF1.example.com) to all the non-FIPS nodes in the remote cluster (BS4.example.com and BS5.example.com).
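The local-cluster half of the procedure above, collected into one script with a verification pass at the end. This is an added example and is not part of the product documentation or of the configure-crosscluster.sh tooling. It assumes that it runs on a local FIPS CLDB node as the mapr user, that passwordless ssh/scp to the non-FIPS nodes is already in place, that pscp is the parallel-ssh version (its -H and -l flags), and that the trust store passwords arrive in the LOCAL_TRUST_PASS and REMOTE_TRUST_PASS variables. Steps 1 to 4 wrap the same commands the page shows; the verification step is the addition: it collects SHA-256 digests of the three artifacts from every non-FIPS node and compares them against the first non-FIPS node, so a stale, partial or tampered copy surfaces before the clusters start trusting each other. The remote cluster is handled the same way with the B* host names.

```shell
#!/bin/sh
# Added example, not product code: drives the manual mixed-cluster procedure
# and then verifies that every secure non-FIPS node holds identical copies of
# the three security artifacts. Assumes passwordless ssh/scp as user mapr.

MAPR_CONF="${MAPR_CONF:-/opt/mapr/conf}"
MAPR_SERVER="${MAPR_SERVER:-/opt/mapr/server}"
LOCAL_TRUST_PASS="${LOCAL_TRUST_PASS:-localtrustpass}"
REMOTE_TRUST_PASS="${REMOTE_TRUST_PASS:-remotetrustpass}"

# The page's example host names.
LOCAL_FIPS_CLDBS="AF1.example.com AF2.example.com AF3.example.com"
REMOTE_FIPS_CLDBS="BF1.example.com BF2.example.com BF3.example.com"
LOCAL_NONFIPS="AS4.example.com AS5.example.com"

# Files every secure non-FIPS node must end up with (steps 2 to 4).
ARTIFACTS="ssl_truststore mapr-clusters.conf maprserverticket"

# Step 1: establish cross-cluster trust between the FIPS CLDB nodes.
step1_create_crosscluster() {
    printf '%s\n' $LOCAL_FIPS_CLDBS > /tmp/localhostsfile   # one host per line
    printf '%s\n' $REMOTE_FIPS_CLDBS > /tmp/remotehostsfile
    "$MAPR_SERVER/configure-crosscluster.sh" create all \
        -localtruststorepassword "$LOCAL_TRUST_PASS" \
        -remotetruststorepassword "$REMOTE_TRUST_PASS" \
        -localhosts /tmp/localhostsfile \
        -remotehosts /tmp/remotehostsfile
}

# Step 2: convert the BCFKS trust store to JKS on the first non-FIPS node.
# The copy into $MAPR_CONF only happens if the conversion exits successfully.
step2_convert_truststore() {
    node=$1
    scp "$MAPR_CONF/ssl_truststore.bcfks" "mapr@$node:/tmp/ssl_truststore.bcfks"
    ssh "mapr@$node" "'$MAPR_SERVER/manageSSLKeys.sh' convert \
        -p '$LOCAL_TRUST_PASS' -srcType bcfks -dstType JKS \
        /tmp/ssl_truststore.bcfks /tmp/ssl_truststore \
        && cp /tmp/ssl_truststore '$MAPR_CONF/ssl_truststore'"
}

# Step 3: hand the cluster map and server ticket to the same node.
step3_copy_cluster_files() {
    node=$1
    for f in mapr-clusters.conf maprserverticket; do
        scp "$MAPR_CONF/$f" "mapr@$node:$MAPR_CONF/$f"
    done
}

# Step 4: from the first non-FIPS node, fan the artifacts out with pscp.
step4_fan_out() {
    first=$1; shift
    hostargs=""
    for h in "$@"; do hostargs="$hostargs -H $h"; done
    for f in $ARTIFACTS; do
        ssh "mapr@$first" "pscp -l mapr $hostargs '$MAPR_CONF/$f' '$MAPR_CONF/$f'"
    done
}

# SHA-256 of one file; falls back to shasum where coreutils is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# "name digest" (or "name MISSING") for each artifact in a conf directory.
manifest_dir() {
    for f in $ARTIFACTS; do
        if [ -f "$1/$f" ]; then echo "$f $(digest "$1/$f")"; else echo "$f MISSING"; fi
    done
}

# The same manifest collected from a remote node's $MAPR_CONF.
manifest_node() {
    ssh "mapr@$1" "cd '$MAPR_CONF' && sha256sum $ARTIFACTS" 2>/dev/null | awk '{print $2, $1}'
}

# Compare a candidate manifest against the reference; print every artifact
# that is absent or differs and return 1 if there is any.
compare_manifests() {
    ref=$1; cand=$2; rc=0
    for f in $ARTIFACTS; do
        want=$(printf '%s\n' "$ref" | awk -v n="$f" '$1==n {print $2}')
        have=$(printf '%s\n' "$cand" | awk -v n="$f" '$1==n {print $2}')
        if [ -z "$have" ]; then have=MISSING; fi
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $f: reference=$want node=$have"; rc=1
        fi
    done
    return $rc
}

# Verification: every other non-FIPS node must match the first one exactly.
verify_fan_out() {
    first=$1; shift
    ref=$(manifest_node "$first"); rc=0
    for h in "$@"; do
        compare_manifests "$ref" "$(manifest_node "$h")" || rc=1
    done
    return $rc
}

# Only touches real nodes when explicitly asked (RUN_MIXED_CROSSCLUSTER=1).
if [ "${RUN_MIXED_CROSSCLUSTER:-0}" = 1 ]; then
    set -- $LOCAL_NONFIPS
    step1_create_crosscluster
    step2_convert_truststore "$1"
    step3_copy_cluster_files "$1"
    first=$1; shift
    step4_fan_out "$first" "$@"
    verify_fan_out "$first" "$@"
fi
```

Run it with RUN_MIXED_CROSSCLUSTER=1 on AF1.example.com after the FIPS-side configuration is in place; the MISMATCH lines name the node and artifact to re-copy. The comparison is deliberately exact (a digest per file rather than a size or timestamp), because a trust store that converted but was copied before the cp completed would still look plausible to a size check.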