Configure High Availability for Ranger KMS with DB

Use the following steps to configure high availability for Ranger KMS with an associated keystore database.

  1. In Cloudera Manager, select Ranger KMS, then select Actions > Add Role Instances.
  2. On the Assign Roles page, click Select hosts.
  3. On the selected hosts page, select a backup Ranger KMS host. A Ranger KMS (RK) icon appears in the Added Roles column for the selected host. Click OK to continue.
  4. The Assign Roles page is redisplayed with the new backup host. Click Continue.
  5. Review the settings on the Review Changes page, then click Continue.
  6. The new role instance appears on the Ranger KMS page. If the new Ranger KMS instance was not started by the wizard, you can start the service by clicking Actions > Start in the Ranger KMS service.
  7. In Cloudera Manager, select the Ranger service, click Ranger Admin Web UI, then log in as the Ranger KMS administrator (the default credentials are keyadmin/admin123; if this default password is still in use, change it before continuing). Click the Edit icon for the cm_kms service, then update the KMS URL property.
    • Add the new KMS host using the following format:

      kms://http@<kms_host1>;http@<kms_host2>:<kms_port>/kms

    • The default port is 9292. For example:

      kms://http@kms_host1;http@kms_host2:9292/kms

    • If SSL is enabled, use https for every host and port 9494. For example:

      kms://https@kms_host1;https@kms_host2:9494/kms

    Every host in one KMS URL must use the same scheme and the same port: do not mix http@ and https@ entries, and do not point an http@ entry at the SSL port.

    Click Test Connection to confirm the settings, then click Save to save your changes.

  8. In Cloudera Manager click the Ranger KMS service, then select Actions > Create Ranger Plugin Audit Directory.
  9. In Cloudera Manager, select Ranger KMS, then click Configuration.
    1. Use the Add (+) icons for the Ranger KMS Server Advanced Configuration Snippet (Safety Valve) for conf/kms-site.xml property to add the following properties, then click Save Changes.
      • hadoop.kms.authentication.zk-dt-secret-manager.enable = true
      • hadoop.kms.authentication.zk-dt-secret-manager.zkConnectionString = <zk_host1>:2181,<zk_host2>:2181,<zk_host3>:2181 (list every member of the ZooKeeper ensemble, comma separated, so the delegation token secret manager does not depend on a single ZooKeeper host)
      • hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath = <provide a znode working path other than /zkdtsm to avoid collision>

        For example:

        hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath = testzkkms

      • hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType = sasl
      • hadoop.kms.authentication.zk-dt-secret-manager.kerberos.keytab = {{CMF_CONF_DIR}}/ranger_kms.keytab
  10. Update the following Ranger KMS configuration properties, then click Save Changes.
    • hadoop.kms.authentication.signer.secret.provider = zookeeper
    • hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type = sasl
  11. Verify that the hadoop.kms.cache.enable property is set to the default value of true (the check box is selected).
  12. Click the Stale Configuration Restart icon.
  13. On the Stale Configurations page, click Restart Stale Services.
  14. On the Restart Stale Services page, select the Re-deploy client configuration checkbox, then click Restart Now.
  15. A progress indicator page appears while the services are being restarted. When the services have restarted, click Finish.
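The KMS URL in step 7 and the kms-site.xml safety-valve entries in step 9 are easy to get subtly wrong (an http@ entry on the SSL port, a mixed http/https host list, the reserved /zkdtsm znode path, a single-host ZooKeeper string). The following helper is an added example, not Cloudera or Apache Ranger code: it builds and parses the KMS URL in the format this page uses, lints it against the page's defaults, and assembles the step 9 properties. It assumes that all hosts in one KMS URL share a single scheme and port (the Hadoop KMS client applies one protocol and one port to every listed host) and that 9292/9494 are the plain and SSL defaults, as stated above; the host names and the `testzkkms` path are placeholders taken from the page.

```python
"""Build, parse and lint the Ranger KMS HA settings from the procedure above.

Added example, not Cloudera or Apache Ranger code. Assumptions: one scheme and
one port apply to every host in a KMS URL, and 9292 (http) / 9494 (https) are
the defaults given on this page.
"""
from typing import Dict, List, Optional, Sequence, Tuple
from xml.sax.saxutils import escape

DEFAULT_PORT = {"http": 9292, "https": 9494}   # page defaults: plain / SSL
PREFIX, SUFFIX = "kms://", "/kms"
RESERVED_ZNODE = "/zkdtsm"                      # default path the page says to avoid


def build_kms_uri(hosts: Sequence[str], ssl: bool = False,
                  port: Optional[int] = None) -> str:
    """Render kms://<scheme>@host1;<scheme>@host2:<port>/kms (the page's format)."""
    if not hosts:
        raise ValueError("at least one KMS host is required")
    scheme = "https" if ssl else "http"
    authority = ";".join(f"{scheme}@{h.strip()}" for h in hosts)
    return f"{PREFIX}{authority}:{port or DEFAULT_PORT[scheme]}{SUFFIX}"


def parse_kms_uri(uri: str) -> Tuple[str, List[str], int]:
    """Split a KMS URL into (scheme, hosts, port).

    Accepts both the page's form (scheme repeated per host) and the form with
    the scheme given once; rejects a missing port or a mixed-scheme host list.
    """
    if not (uri.startswith(PREFIX) and uri.endswith(SUFFIX)):
        raise ValueError(f"expected {PREFIX}...{SUFFIX}: {uri!r}")
    authority = uri[len(PREFIX):-len(SUFFIX)]
    hostpart, sep, port_text = authority.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError("a single port must follow the host list")
    schemes: List[str] = []
    hosts: List[str] = []
    for entry in hostpart.split(";"):
        scheme, sep, host = entry.partition("@")
        if not sep:                        # bare host inherits the scheme seen so far
            scheme, host = (schemes[0] if schemes else ""), entry
        if scheme not in DEFAULT_PORT or not host:
            raise ValueError(f"bad host entry {entry!r}")
        schemes.append(scheme)
        hosts.append(host)
    if len(set(schemes)) != 1:
        raise ValueError(f"mixed schemes in one KMS URL: {sorted(set(schemes))}")
    return schemes[0], hosts, int(port_text)


def lint_kms_uri(uri: str, ssl_enabled: bool) -> List[str]:
    """Report the mistakes this procedure invites; an empty list means clean."""
    scheme, hosts, port = parse_kms_uri(uri)
    problems: List[str] = []
    if ssl_enabled and scheme != "https":
        problems.append("SSL is enabled on Ranger KMS but the URL uses http@")
    if port != DEFAULT_PORT[scheme]:
        problems.append(f"{scheme} defaults to port {DEFAULT_PORT[scheme]}; URL uses {port}")
    if len(hosts) < 2:
        problems.append("only one KMS host listed; there is no failover target")
    if len(set(hosts)) != len(hosts):
        problems.append("duplicate KMS host in the list")
    return problems


def kms_site_ha_properties(zk_ensemble: Sequence[str], znode_path: str,
                           keytab: str = "{{CMF_CONF_DIR}}/ranger_kms.keytab"
                           ) -> Dict[str, str]:
    """Assemble the step 9 kms-site.xml safety-valve entries."""
    if not zk_ensemble:
        raise ValueError("ZooKeeper ensemble is empty")
    if znode_path.strip("/") == RESERVED_ZNODE.strip("/"):
        raise ValueError(f"znodeWorkingPath must not be {RESERVED_ZNODE}")
    # Hosts without an explicit port get the default ZooKeeper client port.
    connect = ",".join(h if ":" in h else f"{h}:2181" for h in zk_ensemble)
    p = "hadoop.kms.authentication.zk-dt-secret-manager."
    return {
        p + "enable": "true",
        p + "zkConnectionString": connect,
        p + "znodeWorkingPath": znode_path,
        p + "zkAuthType": "sasl",
        p + "kerberos.keytab": keytab,
    }


def to_safety_valve_xml(props: Dict[str, str]) -> str:
    """Render the properties as the <property> blocks the safety valve accepts."""
    return "\n".join(
        f"<property><name>{escape(k)}</name><value>{escape(v)}</value></property>"
        for k, v in props.items())


if __name__ == "__main__":
    url = build_kms_uri(["kms_host1", "kms_host2"], ssl=True)
    print(url, lint_kms_uri(url, ssl_enabled=True))
    print(to_safety_valve_xml(kms_site_ha_properties(["zk1", "zk2", "zk3"], "testzkkms")))
```

Run `lint_kms_uri` with `ssl_enabled` set to whatever the Ranger KMS service actually has configured, not to what the URL claims; the common mistake is a URL copied from a non-SSL example into an SSL-enabled cluster, which the linter reports as both a scheme and a port mismatch.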