Cloudera Enterprise 6.0.x | Other versions

Initializing Navigator Key HSM

Before initializing Navigator Key HSM, verify that the HSM is properly configured and accessible from the Key HSM host, and that the HSM client libraries are installed on the Key HSM host:
  • SafeNet Luna

    Install the SafeNet Luna client. No additional configuration is needed.

  • SafeNet KeySecure

    Extract the KeySecure client tarball in the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

  • Thales

    Install the Thales client service. Copy nCipherKM.jar, jcetools.jar, and rsaprivenc.jar from the installation media (usually located in opt/nfast/java/classes relative to the installation media mount point) to the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

See your HSM product documentation for more information on installing and configuring your HSM and client libraries.
  Note: When using an HSM with Key Trustee Server and Navigator Encrypt, encrypting a many block devices may exceed the capacity of the HSM. For example, encrypting MapReduce spill files requires encrypting each HDFS data directory or disk on each node, each with its own encryption key. On a 10-node cluster with 12 disks per node, this requires 120 keys. Make sure that your HSM can support your encryption requirements.
To initialize Key HSM, use the service keyhsm setup command in conjunction with the name of the target HSM distribution:
$ sudo service keyhsm setup [keysecure|thales|luna]

For all HSM distributions, this first prompts for the IP address and port number that Key HSM listens on.

  Important: If you have implemented Key Trustee Server high availability, initialize Key HSM on each Key Trustee Server.
Cloudera recommends using the loopback address (127.0.0.1) for the listener IP address and 9090 as the port number:
-- Configuring keyHsm General Setup --
Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM
Please enter Key HSM SSL listener IP address: [127.0.0.1]127.0.0.1
Will attempt to setup listener on 127.0.0.1
Please enter Key HSM SSL listener PORT number: 9090

validate Port:                                    :[ Successful ]

If the setup utility successfully validates the listener IP address and port, you are prompted for additional information specific to your HSM. For HSM-specific instructions, continue to the HSM-Specific Setup for Cloudera Navigator Key HSM section for your HSM.

The Key HSM keystore defaults to a strong, randomly-generated password. However, you can change the keystore password in the application.properties file:

keyhsm.keystore.password.set=yes
Then, run the service keyhsm setup command with the name of the HSM to which the keystore password applies. You will be prompted to enter the new keystore password, which must be a minimum of six characters in length:
$ sudo service keyhsm setup [keysecure|thales|luna]

After initial setup, the configuration is stored in the /usr/share/keytrustee-server-keyhsm/application.properties file, which contains human-readable configuration information for the Navigator Key HSM server.

  Important: The truststore file created during Key HSM initialization must be stored at /usr/share/keytrustee-server-keyhsm/. There is no way to change the default location.

For additional details about keystores and truststores, see Understanding Keystores and Truststores.

Page generated July 25, 2018.