Configure FIPS-compliant algorithms in Collibra DQ

Federal Information Processing Standards (FIPS) are the standards by which many federal and private sector organizations secure their computer systems. Support for FIPS-compliant algorithms in Collibra Data Quality & Observability can be configured at installation through the environment variables in the table below.

The OS environment variable export DQ_APP_FIPS_ENABLED=true is set in the setup.sh, owlmanage.sh, and owl-env.sh files, while the other environment variables, which are optional, are set in the owl-env.sh file.

Environment variable Description
export DQ_APP_FIPS_ENABLED=true

Required. Enables or disables FIPS-compliant algorithms. This must be enabled in the setup.sh and owlmanage.sh files when installing Collibra Data Quality & Observability.

Default is false.

export DQ_APP_AES_ENCRYPTION_KEY=<key-string>

Only required when using your own Java security provider, algorithm, and encryption key. Enter the key for AES encryption from your preferred provider.

Defaults to the Collibra DQ AES key.

export DQ_FIPS_PROVIDER_NAME=<java-provider-class>

Only required when using your own Java security provider, algorithm, and encryption key. Provide your own provider implementation.

Defaults to Bouncy Castle, which is supported in Collibra DQ and considered one of the secure and compliant FIPS providers.

export DQ_FIPS_ALGORITHM=<algorithm>

Only required when using your own Java security provider, algorithm, and encryption key. Provide an algorithm supported by your FIPS provider.

Defaults to a password-based AES 128 encryption algorithm that is compliant with FIPS.

Steps

  1. Before installing Collibra Data Quality & Observability, set the OS environment variable export DQ_APP_FIPS_ENABLED=true in the setup.sh and owlmanage.sh files.
  2. Follow the standard Standalone Installation steps.
  3. After installing Collibra Data Quality & Observability with FIPS enabled, set the environment variable export DQ_APP_FIPS_ENABLED=true in the owl-env.sh file.
  4. If you do not use the default Bouncy Castle FIPS provider and Collibra DQ values, set the additional FIPS environment variables in the owl-env.sh file.
  5. Restart the DQ web application and DQ agent services.

Example of environment variables when using the default Bouncy Castle FIPS provider and Collibra DQ values

export DQ_APP_FIPS_ENABLED=true
export DBPASSWORD="String to Encrypt"
# If successful, the following command returns the encrypted string.
# The variable is quoted so that a value containing spaces is passed as one argument.
java -cp dq-core.jar:bc-fips-1.0.2.5.jar com.owl.core.security.SecurityManager -encryptString "$DBPASSWORD"

Example of environment variables when using your own Java security provider, algorithm, and encryption key

export DQ_APP_FIPS_ENABLED=true
# Optional environment variables (if left unspecified, this defaults to the Bouncy Castle provider and default Collibra DQ values)
export DQ_FIPS_PROVIDER_NAME=com.sun.crypto.provider.SunJCE
export DQ_FIPS_ALGORITHM=AES/CBC/PKCS5Padding
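# Sample value; enter the key for AES encryption from your preferred provider
export DQ_APP_AES_ENCRYPTION_KEY=H21aq1ysAybSfEJlT+NujiSBHJcODF3ciRNWTK0U1pI=
export DBPASSWORD="String To Encrypt"
# If successful, the following command returns the encrypted string.
# The variable is quoted so that a value containing spaces is passed as one argument.
java -cp dq-core.jar com.owl.core.security.SecurityManager -encryptString "$DBPASSWORD"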
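
One way to check steps 1 through 4 before restarting the services, as an added example that is not part of the Collibra documentation or product. The function names, passing the three file paths as arguments, and treating a partially set group of custom-provider variables as an error are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Collibra code): consistency check for the FIPS variables.
# Assumption: the three script paths are passed as arguments, since their
# locations depend on the installation.

# has_export FILE NAME [VALUE_REGEX]
# True if FILE has an uncommented "export NAME=<value>" line.
has_export() {
  grep -Eq "^[[:space:]]*export[[:space:]]+$2=${3:-.+}[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# check_fips_config SETUP_SH OWLMANAGE_SH OWL_ENV_SH
# Returns 0 when the settings agree with the steps, 1 otherwise.
check_fips_config() {
  rc=0; custom=0; q="[\"']?"   # q: optional quote around the value
  # Steps 1 and 3: all three files must export DQ_APP_FIPS_ENABLED=true.
  for f in "$1" "$2" "$3"; do
    if ! has_export "$f" DQ_APP_FIPS_ENABLED "${q}true${q}"; then
      echo "FAIL: $f does not export DQ_APP_FIPS_ENABLED=true" >&2
      rc=1
    fi
  done
  # Step 4: the custom provider, algorithm and key belong together.
  # Assumption: a partial set is treated as a misconfiguration.
  for n in DQ_FIPS_PROVIDER_NAME DQ_FIPS_ALGORITHM DQ_APP_AES_ENCRYPTION_KEY; do
    if has_export "$3" "$n"; then custom=$((custom + 1)); fi
  done
  case $custom in
    0) echo "INFO: default Bouncy Castle provider and Collibra DQ values" ;;
    3) echo "INFO: custom provider, algorithm and key are all set" ;;
    *) echo "FAIL: only $custom of 3 custom variables set in $3" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample files (not from a real installation).
demo=$(mktemp -d)
for name in setup.sh owlmanage.sh owl-env.sh; do
  echo 'export DQ_APP_FIPS_ENABLED=true' > "$demo/$name"
done
check_fips_config "$demo/setup.sh" "$demo/owlmanage.sh" "$demo/owl-env.sh"
rm -rf "$demo"
```

A commented-out export line counts as not set, so a file where the variable was disabled with a leading # is reported as a failure.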