Hortonworks Docs » Hortonworks Data Platform 3.1.5 » Configuring Apache HDFS Encryption
Configuring Apache HDFS Encryption
Also available as:
PDF
loading table of contents...

Install Multiple Ranger KMS

Multiple services can be set up for high availability of Ranger KMS. HDFS interacts with the active process. Follow these steps to install Ranger KMS on multiple nodes.

An instance with more than one node.
  1. First install Ranger KMS on a single node (see “Installing the Ranger Key Management Service”).
  2. Next, add the Ranger KMS service to another node. In the Ambari Web UI for the additional node, go to Ranger KMS service → Summary → Service Actions → Add Ranger KMS server.


  3. After adding Ranger KMS server, Ambari will show a pop-up message.
  4. Press OK. Ambari will modify two HDFS properties, hadoop.security.key.provider.path and dfs.encryption.key.provider.uri.
  5. Restart the HDFS service:

  6. For the Ranger KMS service, go to the Advanced kms-site list and change the following property values: 
     hadoop.kms.cache.enable=false 
 hadoop.kms.cache.timeout.ms=0 
 hadoop.kms.current.key.cache.timeout.ms=0 
 hadoop.kms.authentication.signer.secret.provider=zookeeper 
 hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string={zookeeper-node1}:2181,{zookeeper-node2}:2181,{zookeeper-node3}:2181... 
 hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type=none
  7. From Ambari > Ranger KMS > Configs > Advanced > Custom kms-site, add the following property values: 
    hadoop.kms.authentication.zk-dt-secret-manager.enable=true
  8. Save your configuration changes and restart the Ranger KMS service.
  9. Next, check connectivity from Ranger admin for the newly-added Ranger KMS server:
    1. Go to the Ranger UI: http://<gateway>:6080.
    2. Login with your keyadmin user ID and password (the defaults are keyadmin, keyadmin; these should be changed as soon as possible after installation). The default repository will be added under Ranger KMS service.
    3. Under Config properties of the Ranger KMS URL, add the newly added Ranger KMS server FQDN. For example:

      Previous Ranger KMS URL = kms://http@<internal host name>:9292/kms

      New Ranger KMS URL = kms://http@<RangerKMS-node1>;<RangerKMS-node2>;...:9292/kms

    4. Run a test connection for the service. You should see a ‘connected successfully’ message.
    5. Choose the Audit > Plugin tab.
    6. Check whether plugins are communicating. The UI should display HTTP Response Code = 200 for the respective plugin.
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community