Cloudera Enterprise 6.0.x | Other versions

Installing Navigator HSM KMS Backed by Thales HSM

  Important: Following these instructions installs the required software to add the Navigator HSM KMS backed by Thales HSM to your cluster; this enables you to use a supported Thales HSM as the underlying keystore for HDFS Transparent Encryption.
HSM KMS backed by Thales HSM is a custom Key Management Server (KMS) that uses a supported Thales HSM as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.
  Important: HSM KMS backed by Thales HSM is supported only in Cloudera Manager deployments. You can install the software using parcels or packages, but running HSM KMS backed by Thales HSM outside of Cloudera Manager is not supported.

Client Prerequisites

Navigator HSM KMS backed by Thales HSM is supported on Thales HSMs only. The Thales HSM client must be installed first.

The following Thales nSolo, nConnect software and firmware are required:
  • Server version: 3.67.11cam4
  • Firmware: 2.65.2
  • Security World Version: 12.30
Before performing the Thales HSM setup, run the nfkminfo command to verify that Thales HSM is configured correctly. 
$ sudo /opt/nfast/bin/nfkminfo
          World generation 2
          state      0x1727 Initialised Usable Recovery !PINRecovery !ExistingClient
                     RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug

If state reports !Usable instead of Usable, then configure the Thales HSM before continuing. See the Thales product documentation for details about how to configure the Thales client.

Run the following command to manually add the KMS user to the nfast group:

usermod -a -G nfast kms

If you do not manually add the KMS user, installation can fail.

Setting Up an Internal Repository

You must create an internal repository to install Navigator HSM KMS backed by Thales HSM. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Using an Internal Parcel Repository if you are using parcels, or Using an Internal Package Repository if you are using packages.

Installing Navigator HSM KMS Backed by Thales HSM Using Parcels

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
  3. Download, distribute, and activate the Navigator HSM KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.
      Note: The KEYTRUSTEE_SERVER parcel in Cloudera Manager is not the Key Trustee KMS parcel; it is the Key Trustee Server parcel. The parcel name for Navigator HSM KMS backed by Thales HMS is KEYTRUSTEE.

Installing Navigator HSM KMS Backed by Thales HSM Using Packages

  1. After Setting Up an Internal Repository, configure the Navigator KMS Services backed by Thales HSM host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
  2. Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See Using an Internal Package Repository for instructions.
  3. Install the keytrustee-keyprovider package using the appropriate command for your operating system:
      Important: When installing via packages, be sure to install on each and every host on which you wish to run the HSM KMS service.
    • RHEL-compatible 
      $ sudo yum install keytrustee-keyprovider

Post-Installation Configuration

For instructions on configuring HSM KMS, see Enabling HDFS Encryption Using the Wizard.

Page generated July 25, 2018.