Security
Also available as:
PDF
loading table of contents...
Migrate HSM to Ranger DB

Steps

  1. If running, stop the Ranger KMS server.

  2. Go to the Ranger KMS directory: /usr/hdp/version/ranger-kms.

    [Note]Note

    DB details must be correctly configured to which KMS needs migration to (located in the xml config file of Ranger KMS).

  3. Run ./HSMMK2DB.sh provider HSM_PARTITION_NAME

    For example:

    ./HSMMK2DB.sh LunaProvider par19

  4. Enter the partition password.

  5. After the migration is completed: if you want to run Ranger KMS according to the new configuration (either with HSM enabled or disabled,) update the Ranger KMS properties if required.

  6. Start Ranger KMS.

    Note : After migration, when Ranger KMS is running with HSM disabled: from HSM, clear the Master Key object from the partition if it is not required as Master Key already being migrated to DB.

    Deleting the master key is a destructive operation. If the master key is lost, there is potential data loss - data under encryption zones cannot be recovered. Therefore, it is a best practice to keep backups of the master key in DB as well as HSM.