Enabling and disabling FIPS
- Last Updated: March 24, 2025
- Hybrid Data Pipeline
- Version 5.0
For Linux deployments, you may configure the Hybrid Data Pipeline server for FIPS in either of the following ways:
- By enabling FIPS mode during installation
- By running the enable_fips.sh script after installation
disable_fips.sh scripts may be run with a Docker deployment.
- Before enabling FIPS, you must ensure that your hardware supports secure random, or that you have a secure random daemon installed. See Before enabling FIPS for details.
- We recommend a clean installation with FIPS enabled for production environments. With a new installation, users and data sources must be recreated. The script will not change the stored encryption keys, which, if generated by a non-FIPS installation, use the same encryption algorithm but with less secure random number generation.
- For Linux deployments, to add certificates to the keystore and truststore for a FIPS implementation, you need to run the installer to specify a new PEM with the required certificates and chains.
Enable FIPS during installation
Take the following steps to enable FIPS during installation.
- Run the installer.
- For installation type, choose Custom.
- When prompted, select the option to enable FIPS.
Complete the remaining installation steps. For further details, see Installing the Hybrid Data Pipeline server.
Enable FIPS after installation
Take the following steps to enable FIPS after the installation. The steps must be repeated for each node in a cluster.
- Go to the installation directory: /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud
- Execute the enable_fips.sh script to enable FIPS. Note that running the script will force the Hybrid Data Pipeline server to restart.
  /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud ./enable_fips.sh
- After the script has completed, verify that FIPS is enabled. To verify, you can look at the standard output of the enable_fips.sh script. The final line output in a successful execution will be 'Finished setting security provider' and the script will exit with a return code of 0. If it fails, the appropriate error(s) will be displayed in the console, and the script will exit with a return code of 1.
Additionally, you may run ./enable_fips.sh force. By default, when FIPS mode is already enabled, the enable_fips.sh script does not attempt to regenerate the existing .bks Bouncy Castle keystore and truststore. With the force argument, the script forces both the .bks Bouncy Castle keystore and truststore to be regenerated from the default Sun .jks files.
Disable FIPS
Take the following steps to disable FIPS. The steps must be repeated for each node in a cluster.
- Go to the installation directory: /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud
- Execute the disable_fips.sh script to disable FIPS. Note that running the script will force the Hybrid Data Pipeline server to restart.
  /Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud ./disable_fips.sh
- After the script has completed, verify that FIPS is disabled. To verify, you can look at the standard output of the disable_fips.sh script. The final line output in a successful execution will be 'Finished setting security provider' and the script will exit with a return code of 0. If it fails, the appropriate error(s) will be displayed in the console, and the script will exit with a return code of 1.
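The verification step in both the enable and disable procedures can be scripted so that every node in a cluster is checked the same way. The following wrapper is an added example, not a script shipped with Hybrid Data Pipeline; the function names and the HDP_DDCLOUD_DIR variable are hypothetical, and it assumes the final line is printed without the surrounding quotation marks.

```bash
#!/usr/bin/env bash
# Added example, not a Progress-supplied script. Function names and the
# HDP_DDCLOUD_DIR variable are hypothetical.

# Installation directory as given on this page; override for other layouts.
HDP_DDCLOUD_DIR="${HDP_DDCLOUD_DIR:-/Progress/DataDirect/Hybrid_Data_Pipeline/Hybrid_Server/ddcloud}"
# Assumption: the line is printed without the surrounding quotation marks.
EXPECTED_LAST_LINE='Finished setting security provider'

# verify_fips_output RC OUTPUT
# Succeeds only when the return code is 0 AND the last non-empty output line
# is the expected one. Either signal on its own is not treated as success.
verify_fips_output() {
    local rc="$1" output="$2" last
    # Strip trailing whitespace/CR, drop blank lines, keep the final line.
    last="$(printf '%s\n' "$output" | sed -e 's/[[:space:]]*$//' -e '/^$/d' | tail -n 1)"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: return code $rc (expected 0)" >&2
        return 1
    fi
    if [ "$last" != "$EXPECTED_LAST_LINE" ]; then
        echo "FAIL: unexpected final line: '$last'" >&2
        return 1
    fi
    echo "OK: $EXPECTED_LAST_LINE (return code 0)"
}

# run_fips_script SCRIPT [ARGS...]
# Runs enable_fips.sh or disable_fips.sh from the ddcloud directory, echoes
# its combined stdout/stderr for the operator, then applies both checks.
# Extra arguments (for example "force") are passed through unchanged.
run_fips_script() {
    local script="$1" output rc
    shift
    output="$(cd "$HDP_DDCLOUD_DIR" && "./$script" "$@" 2>&1)"
    rc=$?
    printf '%s\n' "$output"
    verify_fips_output "$rc" "$output"
}

# When invoked with arguments, run the named script (this restarts the server).
if [ "$#" -gt 0 ]; then
    run_fips_script "$@"
fi
```

Saved under a name of your choosing and invoked with enable_fips.sh or disable_fips.sh as its first argument, the wrapper returns non-zero if either check fails, so it can gate a per-node rollout.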