Hints and Tips

The following hints and tips can simplify an HSM KMS installation performed with the HDFS Encryption Wizard.

Limit the Number of ZooKeeper DEBUG Messages

When the KMS log level is set to DEBUG, ZooKeeper DEBUG messages can flood the log and bury the KMS entries you actually want. To keep the KMS at DEBUG while holding the ZooKeeper logger at INFO (its WARN and ERROR messages still appear), enter the following in the Logging Advanced Configuration Snippet (Safety Valve) field for the KMS:
log4j.category.org.apache.zookeeper=INFO

Limit Encryption Zone Timeouts

When creating encryption zones, clients can time out because the encrypted data encryption key (EDEK) cache is filled before the first key is returned, and with an HSM every EDEK in that fill is a round trip to the device. Lowering the cache's low watermark reduces how many EDEKs that first fill has to generate. The trade-off is that a lower watermark also starts the background refill later, with fewer cached EDEKs left, so keep the values close to those below rather than going to zero. Note that the two property names differ: the server-side name ends in low.watermark (dot), the client-side name in low-watermark (hyphen). Set both as follows.

On the server side, in the field HSM KMS Proxy Advanced Configuration Snippet (Safety Valve) for kms-site.xml:
<property>
   <name>hadoop.security.kms.encrypted.key.cache.low.watermark</name>
   <value>.03</value>
</property>
On the client side, in the field HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
<property>
   <name>hadoop.security.kms.client.encrypted.key.cache.low-watermark</name>
   <value>.02</value>
</property>

Increase KMS Client Timeout Value

HSM round trips add latency while the wizard is running, so increase the KMS client timeout for the duration of the installation.

Change it from the default of 60 seconds to a value between 100 and 120 seconds (the value is in seconds) in the field HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml. Because this is a client-side setting in core-site.xml, it takes effect on client nodes only after the client configuration has been redeployed.
<property>
   <name>hadoop.security.kms.client.timeout</name>
   <value>110</value>
</property>
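A quick way to confirm that the watermark and timeout tunings from the two sections above actually reached a node is to read the deployed core-site.xml and kms-site.xml rather than trusting the Cloudera Manager form. The checker below is an added example, not Cloudera or Hadoop code. It parses Hadoop-style configuration XML, compares the EDEK cache low watermark and KMS client timeout against the values recommended on this page, and estimates how many EDEKs the cache generates synchronously on its first fill (low watermark times cache size, the way Hadoop's ValueQueue sizes that fill). The property names are the real Hadoop ones; the cache-size defaults (500 client, 100 server) are assumptions used only for the estimate, and the sample XML documents are constructed for the example.

```python
"""Offline check of the KMS client/server tunings described on this page.

Added example, not Cloudera or Hadoop code.  It parses Hadoop-style
core-site.xml / kms-site.xml text, reads the EDEK cache low watermark and
the KMS client timeout, and estimates how many EDEKs are generated
synchronously when the cache is first filled (low watermark x cache size).
Property names are the real Hadoop ones; the cache-size defaults are ASSUMED.
"""
import xml.etree.ElementTree as ET
from decimal import Decimal
from typing import Dict, List

# Properties named on this page (real Hadoop names).
CLIENT_WATERMARK = "hadoop.security.kms.client.encrypted.key.cache.low-watermark"
CLIENT_TIMEOUT = "hadoop.security.kms.client.timeout"
SERVER_WATERMARK = "hadoop.security.kms.encrypted.key.cache.low.watermark"
# Cache-size properties, used only for the first-fill estimate.
CLIENT_CACHE_SIZE = "hadoop.security.kms.client.encrypted.key.cache.size"
SERVER_CACHE_SIZE = "hadoop.security.kms.encrypted.key.cache.size"

# Values used when a property is absent.  Watermark 0.3 and timeout 60 s are
# the Hadoop defaults the page refers to; the cache sizes are assumptions.
DEFAULTS = {
    CLIENT_WATERMARK: "0.3",
    CLIENT_TIMEOUT: "60",
    SERVER_WATERMARK: "0.3",
    CLIENT_CACHE_SIZE: "500",  # assumption
    SERVER_CACHE_SIZE: "100",  # assumption
}

# Targets from this page: .02 client / .03 server watermark, 100-120 s timeout.
RECOMMENDED_CLIENT_WATERMARK = Decimal("0.02")
RECOMMENDED_SERVER_WATERMARK = Decimal("0.03")
TIMEOUT_RANGE = (100, 120)


def parse_hadoop_xml(text: str) -> Dict[str, str]:
    """Return {name: value} for every <property> in a <configuration> document."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props


def effective(props: Dict[str, str], key: str) -> str:
    """Configured value, or the default when the safety valve never deployed it."""
    return props.get(key, DEFAULTS[key])


def initial_sync_fill(props: Dict[str, str], watermark_key: str, size_key: str) -> int:
    """EDEKs generated synchronously (each an HSM round trip) on first cache fill."""
    watermark = Decimal(effective(props, watermark_key))
    if not Decimal(0) < watermark <= Decimal(1):
        raise ValueError(f"{watermark_key} must be in (0, 1], got {watermark}")
    # Decimal keeps ".03" * 100 exact (3), where float math could truncate to 2.
    return int(watermark * int(effective(props, size_key)))


def check_client_config(core_site_xml: str) -> List[str]:
    """Findings for a client core-site.xml; an empty list means the tunings are in place."""
    props = parse_hadoop_xml(core_site_xml)
    findings: List[str] = []
    watermark = Decimal(effective(props, CLIENT_WATERMARK))
    if watermark > RECOMMENDED_CLIENT_WATERMARK:
        fill = initial_sync_fill(props, CLIENT_WATERMARK, CLIENT_CACHE_SIZE)
        findings.append(f"{CLIENT_WATERMARK}={watermark}: first fill generates {fill} EDEKs")
    timeout = int(effective(props, CLIENT_TIMEOUT))
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        findings.append(f"{CLIENT_TIMEOUT}={timeout}: expected {TIMEOUT_RANGE[0]}-{TIMEOUT_RANGE[1]} s")
    return findings


def check_server_config(kms_site_xml: str) -> List[str]:
    """Findings for the HSM KMS Proxy kms-site.xml; empty means the watermark is tuned."""
    props = parse_hadoop_xml(kms_site_xml)
    watermark = Decimal(effective(props, SERVER_WATERMARK))
    if watermark > RECOMMENDED_SERVER_WATERMARK:
        fill = initial_sync_fill(props, SERVER_WATERMARK, SERVER_CACHE_SIZE)
        return [f"{SERVER_WATERMARK}={watermark}: first fill generates {fill} EDEKs"]
    return []


# Constructed sample documents: an untouched client config and ones carrying
# the values from this page.
DEFAULT_CORE_SITE = "<configuration></configuration>"
TUNED_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.kms.client.encrypted.key.cache.low-watermark</name>
    <value>.02</value>
  </property>
  <property>
    <name>hadoop.security.kms.client.timeout</name>
    <value>110</value>
  </property>
</configuration>"""
TUNED_KMS_SITE = """<configuration>
  <property>
    <name>hadoop.security.kms.encrypted.key.cache.low.watermark</name>
    <value>.03</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for label, xml in (("default core-site", DEFAULT_CORE_SITE), ("tuned core-site", TUNED_CORE_SITE)):
        print(label, check_client_config(xml) or "OK")
    print("tuned kms-site", check_server_config(TUNED_KMS_SITE) or "OK")
```

On a real node, feed the checker the files Cloudera Manager deploys (for example the core-site.xml under the active client configuration directory and the kms-site.xml in the HSM KMS Proxy process directory) instead of the constructed strings; an untouched client config reports both the 150-EDEK first fill and the 60 second timeout, while the tuned one reports nothing.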