Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server
You can migrate keys from an existing Java KeyStore (JKS) to Key Trustee Server to improve security, durability, and scalability.
This procedure assumes that the Java KeyStore (JKS) is on the same host as the new Key Trustee KMS service.
- Stop the Java KeyStore KMS service.
- Add and configure the Key Trustee KMS service, and configure HDFS to use it for its KMS Service setting.
Restart the HDFS service and redeploy client configuration for this to take
Add the following to the Key Management Server Proxy Advanced Configuration
Snippet (Safety Valve) for kms-site.xml ( ):
<property> <name>hadoop.kms.key.provider.uri</name> <value>keytrustee://file@/var/lib/kms-keytrustee/keytrustee/.keytrustee/,jceks://file@/path/to/kms.keystore</value> <description>URI of the backing KeyProvider for the KMS</description> </property> <property> <name>hadoop.security.keystore.java-keystore-provider.password-file</name> <value>/tmp/password.txt</value> <description>Java KeyStore password file</description> </property>If the Java KeyStore is not password protected, omit the
Click Save Changes and restart the Key Trustee KMS
If the Java KeyStore is not password protected, skip to step 7.
Create the file
/var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txtand add the Java KeyStore password to it.
Change the ownership of
sudo chown kms:kms /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
From the host running the Key Trustee KMS service, if you have not configured Kerberos
and TLS/SSL, run the following command:
curl -L -d "trusteeOp=migrate" "http://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate"If you have configured Kerberos and TLS/SSL, use the following command instead:
curl --negotiate -u : -L -d "trusteeOp=migrate" "https://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate" --cacert /path/to/kms/cert
/var/log/kms-keytrustee/kms-catalina.<date>.logto verify that the migration is successful.You can also run sudo -u <key_admin> hadoop key list to verify that the keys are listed.
- After you have verified that the migration is successful, remove the safety valve entry used in step 3 and restart the Key Trustee KMS service.