Take the following steps to modify an external JRE for a FIPS environment.
Note: FIPS is not supported for the On-Premises Connector with either embedded or external JREs.
Note:
<hdp_install_dir> is the installation directory of the Hybrid Data Pipeline server.
<external_jre_home> is the home directory of the external JRE.
1. Enable the Unlimited Strength Jurisdiction Policy according to the JRE vendor documentation. Depending on the vendor and version, the Unlimited Strength Jurisdiction Policy may be enabled by default.
2. Copy the <hdp_install_dir>/ddcloud/utils/jre/lib/ext/bc-fips-1.0.0.jar file to the <external_jre_home>/lib/ext directory.
3. Merge the contents of the embedded JRE <hdp_install_dir>/ddcloud/utils/jre/lib/security/java.policy.bcfips file into the external JRE <external_jre_home>/lib/security/java.policy file.
Note:
Any previously made customizations to the <external_jre_home>/lib/security/java.policy should be preserved.
Any permissions for data sources in the embedded JRE java.policy.bcfips file should be carried over to the external JRE java.policy file.
4. Merge the contents of the embedded JRE <hdp_install_dir>/ddcloud/utils/jre/lib/security/java.security.bcfips file into the external JRE <external_jre_home>/lib/security/java.security file.
Note:
Any previously made customizations to the <external_jre_home>/lib/security/java.security should be preserved.
Any properties enabled in the embedded JRE java.security.bcfips file should be carried over to the external JRE java.security file.