skip to main content
Administering Hybrid Data Pipeline : FIPS (Federal Information Processing Standard) : Before enabling FIPS
  

Try Now

Before enabling FIPS

FIPS support should only be enabled if the hardware on the server machine supports secure random. If FIPS support is enabled on a server machine that does not support secure random, the installer and the Hybrid Data Pipeline server may hang as they wait for the system to generate sufficiently random numbers for security-related tasks like encrypting or decrypting database information. To check if your hardware supports secure random on Intel hardware, you can examine the CPU flags to see if the rdrand instruction is supported.
-sh-4.2$ cat /proc/cpuinfo | grep rdrand
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc
arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf pni
pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave
avx f16c rdrand hypervisor lahf_lm ida arat epb pln pts dtherm fsgsbase
smep
Hybrid Data Pipeline can be installed on hardware that does not support secure random but if this is done, there should be a secure random daemon installed to avoid the Hybrid Data Pipeline installer and server from being blocked waiting for secure random seed values. Another method of determining if the CPU supports secure random number generation is to obtain information about which CPU is being used with cat /proc/cpuinfo and then visiting the listed CPU manufacture's website to obtain information about the specific CPU.

If Your Hardware Does Not Support Secure Random

If your hardware does not support secure random, but you wish to test the FIPS compliant components of Hybrid Data Pipeline you can do so by modifying the configuration files provided. The resulting Hybrid Data Pipeline instance will generate the correct components but they will not be FIPS compliant. Make the modification as follows:
1. In the install_dir/jre/lib/security/java.security.bcfips file change the line securerandom.source=file:/dev/random to securerandom.source=file:/dev/urandom.
2. Enable FIPS mode as normal. After installation scripts are provided for enabling and disabling the FIPS complaint security provider. These scripts will automatically restart the local Hybrid Data Pipeline server instance. In a clustered environment you will need to run this script on a single node, and then restart the other nodes which will pick up the changes at startup. The scripts are found in install_dir/ddcloud and are as follows:
*enable_fips.sh: Enables Bouncy Castle as the FIPS compliant security provider
*disable_fips.sh: Enables Sun as the security provider. This is not FIPS compliant
Note: To add certificates to the keystore and truststore for a FIPS compliant installation, you need to run the installer and perform an upgrade to specify a new PEM with all the needed certificates and chains.