Cloudera Enterprise 5.15.x | Other versions

Installing Navigator HSM KMS Backed by Luna HSM

  Important: Following these instructions installs the required software to add the Navigator KMS Services backed by Luna HSM to your cluster; this enables you to use a supported Luna HSM as the underlying keystore for HDFS Transparent Encryption.
Navigator HSM KMS backed by Luna HSM is a custom Key Management Server (KMS) that uses a supported Luna HSM as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.
  Important: Navigator HSM KMS backed by Luna HSM is supported only in Cloudera Manager deployments. You can install the software using parcels or packages, but running Navigator HSM KMS backed by Luna HSM outside of Cloudera Manager is not supported.

Client Prerequisites

Navigator HSM KMS backed by Luna HSM is supported on Luna HSMs only. The Luna HSM client must be installed first.

For details about the required Luna software and firmware, refer to CDH 5 and Cloudera Manager 5 Requirements and Supported Versions, and scroll to the section "Navigator HSM KMS: Recommended Hardware and Supported Distributions".

Before performing the Luna HSM KMS setup, run the vt1 verify command (located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is configured correctly. See the Luna product documentation for details about how to configure the Luna HSM client.

Setting Up an Internal Repository

You must create an internal repository to install Navigator HSM KMS backed by Luna HSM. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Creating and Using a Parcel Repository for Cloudera Manager if you are using parcels, or Creating and Using a Package Repository for Cloudera Managerif you are using packages.

Installing Navigator HSM KMS Backed by Luna HSM Using Parcels

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring the Cloudera Manager Server to Use the Parcel URL for Hosted Repositories for more information.
  3. Download, distribute, and activate the Navigator HSM KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.
      Note: The KEYTRUSTEE_SERVER parcel in Cloudera Manager is not the Key Trustee KMS parcel; it is the Key Trustee Server parcel. The parcel name for Navigator HSM KMS backed by Luna HSM is KEYTRUSTEE.

Installing Navigator HSM KMS Backed by Luna HSM Using Packages

  1. After Setting Up an Internal Repository, configure the Navigator HSM KMS backed by Luna HSM host to use the repository. See Modifying Clients to Find the Repository for more information.
  2. Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See To add the CDH repository for instructions. If you want to create an internal CDH repository, see Creating a Local Yum Repository.
  3. Install the keytrustee-keyprovider package using the appropriate command for your operating system:
      Important: When installing via packages, be sure to install on each and every host on which you wish to run the HSM KMS service.
    • RHEL-compatible 
      $ sudo yum install keytrustee-keyprovider

Post-Installation Configuration

For instructions on configuring HSM KMS, see Enabling HDFS Encryption Using the Wizard.

Page generated May 18, 2018.