FIPS mode should only be enabled if the hardware on the server machine supports secure random. If FIPS support is enabled on a server machine that does not support secure random, the Hybrid Data Pipeline server may hang as it waits for the system to generate sufficiently random numbers for security-related tasks like encrypting or decrypting database information. On Intel hardware, you can check for secure random support by examining the CPU flags to see if the rdrand instruction is listed.

-sh-4.2$ cat /proc/cpuinfo | grep rdrand
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36
        clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc
        arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc aperfmperf pni
        pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave 
        avx f16c rdrand hypervisor lahf_lm ida arat epb pln pts dtherm fsgsbase 
        smep

Another method of determining if the CPU supports secure random number generation is to identify the CPU in use with cat /proc/cpuinfo, and then visit the listed CPU manufacturer's website to obtain information about that specific CPU.

Hybrid Data Pipeline can be installed on hardware that does not support secure random, but in that case a secure random daemon should be installed to prevent the Hybrid Data Pipeline installer and server from being blocked while waiting for secure random seed values.

Important:
  • In addition to confirming that server hardware supports secure random, you should also ensure enough entropy is available on any VM where Hybrid Data Pipeline is installed. Having enough entropy ensures reliability, especially when using FIPS.
  • If you plan to run Hybrid Data Pipeline in FIPS mode and use a Java plugin to support external authentication services, the Java plugin must be FIPS compliant. In addition, the external authentication Java plugin should be tested with FIPS mode enabled before moving to a production environment.

If your hardware does not support secure random but you wish to test the FIPS compliant components of Hybrid Data Pipeline, you can do so by modifying the java.security.bcfips file provided in your installation. The resulting Hybrid Data Pipeline instance will generate the correct components, but they will not be FIPS compliant.

  1. In the install_dir/jre/lib/security/java.security.bcfips file, change the line securerandom.source=file:/dev/random to securerandom.source=file:/dev/urandom.
  2. Enable FIPS mode as described in Enabling and disabling FIPS.
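
The checks described on this page (rdrand flag, available entropy, and the securerandom.source setting) can be combined into one pre-flight script. This is an added example, not part of the product; the function names and the 256-bit entropy threshold are assumptions, and /proc/sys/kernel/random/entropy_avail is the standard Linux entropy estimate.

```shell
#!/bin/sh
# Added example: pre-flight checks before enabling FIPS mode on Linux.
# Function names and the 256-bit entropy threshold are assumptions.

# has_rdrand [cpuinfo_file]: succeeds if the CPU flags list rdrand.
has_rdrand() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw rdrand
}

# entropy_ok [min_bits] [entropy_file]: succeeds if the kernel entropy
# estimate is at least min_bits.
entropy_ok() {
    avail=$(cat "${2:-/proc/sys/kernel/random/entropy_avail}") || return 2
    [ "$avail" -ge "${1:-256}" ]
}

# securerandom_source <security_file>: prints the active (uncommented)
# securerandom.source value; the last assignment in the file wins.
securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1
}

# fips_preflight <security_file> [cpuinfo_file] [entropy_file]
# Returns 0 = ready, 1 = server may block on random, 2 = not FIPS compliant.
fips_preflight() {
    result=0
    src=$(securerandom_source "$1")
    if [ "$src" != "file:/dev/random" ]; then
        echo "securerandom.source=$src: test use only, not FIPS compliant"
        result=2
    else
        has_rdrand "$2" || {
            echo "no rdrand flag: install a secure random daemon or the server may hang"
            result=1
        }
        entropy_ok 256 "$3" || {
            echo "entropy estimate is below 256 bits"
            result=1
        }
    fi
    return "$result"
}

# Usage: sh preflight.sh install_dir/jre/lib/security/java.security.bcfips
if [ "$#" -gt 0 ]; then fips_preflight "$@"; fi
```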