This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Initializing Navigator Key HSM

Before initializing Navigator Key HSM, verify that the HSM is properly configured and accessible from the Key HSM host, and that the HSM client libraries are installed on the Key HSM host:
  • SafeNet Luna

    Install the SafeNet Luna client. No additional configuration is needed.

  • SafeNet KeySecure

    Extract the KeySecure client tarball in the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

  • Thales

    Install the Thales client service. Copy nCipherKM.jar, jcetools.jar, and rsaprivenc.jar from the installation media (usually located in opt/nfast/java/classes relative to the installation media mount point) to the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

See your HSM product documentation for more information on installing and configuring your HSM and client libraries.
  Note: When using an HSM with Key Trustee Server and Navigator Encrypt, encrypting a large number of directories may exceed the capacity of the HSM. For example, encrypting MapReduce spill files requires encrypting each HDFS data directory or disk on each node, each with its own encryption key. On a 10-node cluster with 12 disks per node, this requires 120 keys. Make sure that your HSM can support your encryption requirements.
To initialize Key HSM, use the service keyhsm setup command in conjunction with the name of the target HSM distribution:
$ sudo service keyhsm setup [keysecure|thales|luna]

For all HSM distributions, the setup utility first prompts for the IP address and port number that Key HSM listens on.

  Important: If you have implemented Key Trustee Server high availability, initialize Key HSM on each Key Trustee Server.

Cloudera recommends using the loopback address (127.0.0.1) for the listener IP address and 9090 as the port number.

If the setup utility successfully validates the listener IP address and port, you are prompted for additional information specific to your HSM. For HSM-specific instructions, continue to the HSM-Specific Setup for Cloudera Navigator Key HSM section for your HSM.

After initial setup, configuration is stored in the /usr/share/keytrustee-server-keyhsm/application.properties file, which contains human-readable configuration information for the Navigator Key HSM server.
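The following preflight script is an added example, not Cloudera's own tooling. It checks the prerequisites described above before service keyhsm setup is run: that the client files this page lists for the chosen HSM are present in the Key HSM library directory, and that the listener address and port are usable, warning when the address is not the recommended loopback address. The names KEYHSM_LIB_DIR, check_hsm_client and validate_listener are chosen here; the library directory path comes from this page. Two details are assumptions because the page does not state them: the KeySecure check only requires that at least one .jar has been extracted into the library directory, and the listener address is validated as a dotted-quad IPv4 literal.

```shell
#!/bin/sh
# keyhsm-preflight.sh: added example, not part of Cloudera's Key HSM tooling.
# Checks, before `service keyhsm setup` is run, that the client files this
# page lists are present in the Key HSM library directory and that the
# listener address/port are usable.
# Assumption: the library directory is /usr/share/keytrustee-server-keyhsm
# unless KEYHSM_LIB_DIR overrides it.

KEYHSM_LIB_DIR="${KEYHSM_LIB_DIR:-/usr/share/keytrustee-server-keyhsm}"

# check_hsm_client <keysecure|thales|luna> <library-dir>
# Returns 0 when the prerequisites for that HSM type are satisfied.
check_hsm_client() {
    hsm_type="$1"
    lib_dir="$2"
    [ -d "$lib_dir" ] || { echo "library directory $lib_dir not found" >&2; return 1; }
    case "$hsm_type" in
        thales)
            # The three jars copied from opt/nfast/java/classes on the install media.
            for jar in nCipherKM.jar jcetools.jar rsaprivenc.jar; do
                [ -f "$lib_dir/$jar" ] || { echo "missing $jar in $lib_dir" >&2; return 1; }
            done
            ;;
        keysecure)
            # The client tarball must have been extracted here. Its contents are not
            # listed on the page, so (assumption) require at least one extracted jar.
            set -- "$lib_dir"/*.jar
            [ -f "$1" ] || { echo "no KeySecure client jars extracted into $lib_dir" >&2; return 1; }
            ;;
        luna)
            # The Luna client is installed system-wide; nothing in the library dir to check.
            ;;
        *)
            echo "unknown HSM type: $hsm_type (expected keysecure, thales or luna)" >&2
            return 1
            ;;
    esac
    return 0
}

# validate_listener <ip> <port>
# Returns 0 for a usable listener; warns when the address is not the
# recommended loopback address 127.0.0.1. Assumption: IPv4 dotted-quad input.
validate_listener() {
    ip="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is out of range 1-65535" >&2
        return 1
    fi
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo "address '$ip' is not a dotted-quad IPv4 address" >&2; return 1; }
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) echo "bad octet '$octet' in $ip" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "octet $octet out of range in $ip" >&2; return 1; }
    done
    [ "$ip" = "127.0.0.1" ] || echo "warning: listener $ip is not the recommended loopback address 127.0.0.1" >&2
    return 0
}

# Stand-alone usage: sh keyhsm-preflight.sh <keysecure|thales|luna> [ip] [port]
# (defaults to the recommended 127.0.0.1 and 9090 when ip/port are omitted)
if [ "$#" -gt 0 ]; then
    check_hsm_client "$1" "$KEYHSM_LIB_DIR" &&
    validate_listener "${2:-127.0.0.1}" "${3:-9090}" &&
    echo "preflight ok: run 'sudo service keyhsm setup $1'"
fi
```

Run it once per Key Trustee Server before initializing Key HSM there; a non-zero exit means a listed client file is missing or the listener values would be rejected, which is cheaper to discover here than partway through the interactive setup prompts.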

Page generated July 8, 2016.