This topic details how to install the FIPS client drivers for JDBC and ODBC.
Installing the FIPS client drivers
- 1: Installing the FIPS client driver for ODBC and vsql
- 2: Installing the FIPS client driver for JDBC
1 - Installing the FIPS client driver for ODBC and vsql
Vertica offers a FIPS client for FIPS-compatible systems. A FIPS-compatible system is FIPS-enabled and includes the OpenSSL libraries.
The FIPS client supports ODBC and vsql and is offered in 64-bit only.
Prerequisites
Verify that your host system is running a FIPS-compliant operating system that Vertica supports.
The FIPS client installer checks your host system for the value of the sysctl parameter, crypto.fips_enabled. You must set this parameter to 1 (enabled). If your host is not enabled, the client does not install.
For other prerequisites, related specifically to ODBC, see ODBC prerequisites.
Installing the FIPS client
To install the FIPS client driver package:
- Download the FIPS client package from the Vertica driver downloads page.
- Log in to the client system as root.
- Install the RPM package that you downloaded:
  # rpm -Uvh package_name.rpm
For ODBC, once you have installed the client package, you need to create a DSN and set some additional configuration parameters. For more information, see:
You may also want to add the vsql client to your PATH environment variable so that you do not need to enter its full path to run it. To do so, add the following to the .profile file in your home directory or to the global /etc/profile file:
export PATH=$PATH:/opt/vertica/bin
Client searches for OpenSSL libraries
When you launch the client application to connect to the server, the client searches for and loads the OpenSSL libraries libcrypto.so.10 and libssl.so.10 for supported OpenSSL versions:
- The client first checks to see if LD_LIBRARY_PATH is set.
- If the LD_LIBRARY_PATH location does not include the libraries, it checks RunPath, either /opt/vertica/lib or within the ODBC or vsql directory structure (../lib).
Important
The LD_LIBRARY_PATH, if set, directs the search path for the OpenSSL libraries. Be aware that the client loads the libraries from any set or preset LD_LIBRARY_PATH location.
The following figure depicts the search for the OpenSSL libraries:
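As an added check that is not part of the Vertica documentation, the following POSIX shell script replays this search order for a given library name and flags the case where a preset LD_LIBRARY_PATH would make the client load libcrypto or libssl from somewhere other than the trusted install directory. The /opt/vertica/lib default and the RunPath string are taken from the page; ldd(1) on the real client binary remains the authoritative check.

```shell
#!/bin/sh
# Added example, not Vertica's own code: replays the documented OpenSSL library
# search (LD_LIBRARY_PATH entries first, then the client's RunPath) and reports
# whether the library that would be loaded lives under the trusted install
# directory. TRUSTED_LIB_DIR defaults to the /opt/vertica/lib location from the page.
TRUSTED_LIB_DIR="${TRUSTED_LIB_DIR:-/opt/vertica/lib}"

# resolve_openssl_lib LIBNAME RUNPATH
#   RUNPATH is colon-separated, e.g. "/opt/vertica/lib:../lib". Prints the first
#   matching path and returns 0, or returns 1 when no copy is found.
resolve_openssl_lib() {
    lib="$1"
    runpath="$2"
    # LD_LIBRARY_PATH, if set, is searched before RunPath, so a preset value
    # decides which libcrypto/libssl the client ends up loading.
    for dir in $(printf '%s:%s' "${LD_LIBRARY_PATH:-}" "$runpath" | tr ':' '\n'); do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$lib" ]; then
            printf '%s\n' "$dir/$lib"
            return 0
        fi
    done
    return 1
}

# check_openssl_source LIBNAME RUNPATH
#   Returns 0 when the library that would be loaded sits under TRUSTED_LIB_DIR,
#   1 when it would come from elsewhere (e.g. an LD_LIBRARY_PATH override),
#   2 when no copy is found at all.
check_openssl_source() {
    found=$(resolve_openssl_lib "$1" "$2") || { echo "$1: not found"; return 2; }
    case "$found" in
        "$TRUSTED_LIB_DIR"/*) echo "$1: OK, loads $found"; return 0 ;;
        *) echo "$1: WARNING, loads $found outside $TRUSTED_LIB_DIR"; return 1 ;;
    esac
}

# Usage: check both libraries named on the page against the documented RunPath.
overall=0
for lib in libcrypto.so.10 libssl.so.10; do
    check_openssl_source "$lib" "/opt/vertica/lib:../lib" || overall=1
done
```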
2 - Installing the FIPS client driver for JDBC
Vertica offers a JDBC client driver that is compliant with the Federal Information Processing Standard (FIPS). Use this JDBC client driver to access systems that are FIPS-compatible. For more information on FIPS in Vertica, see Federal information processing standard.
Implementing FIPS on a JDBC client requires a third-party JRE extension called BouncyCastle, a collection of APIs used for cryptography. Use BouncyCastle APIs with JDK 1.7 and 1.8, and a FIPS-compliant operating system that Vertica supports.
Important
When using the JDBC FIPS-compliant client, expect some time lag for the client to connect efficiently and securely. If necessary, increase your system's entropy to ensure a fast and secure connection.
You need to add the FIPS BouncyCastle jar as the JVM JSSE provider, as follows:
- Download the BouncyCastle FIPS jar file bc-fips-1.0.0.jar from the BouncyCastle download page.
- Add bc-fips-1.0.0.jar as a JRE library extension: <path to jre>/lib/ext/bc-fips-1.0.0.jar
- Add BouncyCastle as an SSL security provider in <path to jre>/lib/security/java.security:
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
  security.provider.3=sun.security.provider.Sun
- Use the following JVM java -D system property command arguments to set the KeyStore and TrustStore providers to BCFIPS:
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStoreProvider=BCFIPS"
  export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStoreProvider=BCFIPS"
For information on setting the SSL Keystore and Truststore, see Configuring TLS for JDBC clients.
- Set the default type for the KeyStore implementation to BCFKS in <path to jre>/lib/security/java.security:
  keystore.type=BCFKS
  ssl.keystore.type=BCFKS
  Note
  If you are using FIPS with BouncyCastle, you must create all client keys and certificates with the BCFKS store type, including the Vertica-to-Kafka keys and certificates.
- On the command line, run the following command from <path to jre>/lib/ext to create the keystore and truststore. Make sure you use the BCFKS type:
  $ <java bin path> keytool -keystore vertica.kafka.keystore.bcfks -storetype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.0.jar -alias CARoot -import -file (server.crt.der file path)
- Enter the keystore password when prompted. The following message appears:
  "Certificate was added to the keystore"
- Run the Java program with SSL DB:
  - Copy the vertica.kafka.keystore.bcfks keyStore from <path to jre>/lib/ext/ to the java program folder.
  - Convert the Vertica server certificate to a form that java understands:
    <java bin path> keytool -keystore verticastore -keypasswd -storepass password -importkeystore -noprompt -alias verticasql -import -file server.crt.der
  - Download the latest Vertica JDBC driver from the Vertica download page.
- After you have created verticastore and the keystore and downloaded the JDBC jar, execute the following command to run Java with SSL debugging to test the implementation:
  $ java -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore='vertica.kafka.keystore.bcfks' -Djavax.net.ssl.keyStorePassword='password' -Djavax.net.ssl.trustStore='<path to verticastore>/verticastore' -Djavax.net.ssl.trustStorePassword='password' -cp .:vertica-jdbc-11.1.0-0.jar FIPSTest
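The steps above spread the BCFIPS configuration across the JRE's lib/ext directory, java.security and the JAVA_OPTS environment. As an added pre-flight check (example code, not Vertica's or BouncyCastle's), this POSIX shell script verifies that a JRE directory carries the jar, the provider order and the BCFKS keystore types listed above, and that JAVA_OPTS names BCFIPS for both stores; JRE_HOME and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Vertica's or BouncyCastle's code: pre-flight check that a JRE
# is configured for BCFIPS as the steps above describe. JRE_HOME is an assumption;
# the jar name, property keys and values are the ones listed on the page.

# java_security_has FILE KEY VALUE
#   True when FILE has an uncommented line "KEY=VALUE" (whitespace around '=' allowed).
java_security_has() {
    grep -E "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" >/dev/null 2>&1
}

# check_bcfips_jre JRE_HOME
#   Prints one line per check and returns the number of failed checks.
check_bcfips_jre() {
    jre="$1"; sec="$jre/lib/security/java.security"; fails=0
    if [ -f "$jre/lib/ext/bc-fips-1.0.0.jar" ]; then
        echo "OK   bc-fips-1.0.0.jar present in lib/ext"
    else
        echo "FAIL bc-fips-1.0.0.jar missing from $jre/lib/ext"; fails=$((fails+1))
    fi
    # BCFIPS must be provider 1, SunJSSE provider 2 delegating to BCFIPS, and both
    # the default and the SSL keystore type must be BCFKS, as the page requires.
    while IFS='|' read -r key val; do
        if java_security_has "$sec" "$key" "$val"; then
            echo "OK   $key=$val"
        else
            echo "FAIL $key should be '$val'"; fails=$((fails+1))
        fi
    done <<EOF
security.provider.1|org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2|com.sun.net.ssl.internal.ssl.Provider BCFIPS
keystore.type|BCFKS
ssl.keystore.type|BCFKS
EOF
    return $fails
}

# check_java_opts OPTS
#   True when OPTS carries both -D flags from the page that point the stores at BCFIPS.
check_java_opts() {
    case "$1" in *-Djavax.net.ssl.keyStoreProvider=BCFIPS*) ;; *) return 1 ;; esac
    case "$1" in *-Djavax.net.ssl.trustStoreProvider=BCFIPS*) return 0 ;; *) return 1 ;; esac
}

# Usage: run against the JRE named by JRE_HOME (assumed variable), if it is set.
if [ -n "${JRE_HOME:-}" ]; then
    check_bcfips_jre "$JRE_HOME" || echo "$? java.security check(s) failed"
    check_java_opts "${JAVA_OPTS:-}" || echo "JAVA_OPTS lacks the BCFIPS provider flags"
fi
```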