Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server
You can migrate keys from an existing Java KeyStore (JKS) to Key Trustee Server to improve security, durability, and scalability.
- Stop the Java KeyStore KMS service.
- Add and configure the Key Trustee KMS service, and configure HDFS to use it for its KMS Service setting.
-
Restart the HDFS service and redeploy client configuration for this to take
effect.
- Home > Cluster-wide > Deploy Client Configuration
-
Add the following to the Key Management Server Proxy Advanced Configuration
Snippet (Safety Valve) for kms-site.xml (Key Trustee KMS Service > Configuration > Category > Advanced):
<property> <name>hadoop.kms.key.provider.uri</name> <value>keytrustee://file@/var/lib/kms-keytrustee/keytrustee/.keytrustee/,jceks://file@/path/to/kms.keystore</value> <description>URI of the backing KeyProvider for the KMS</description> </property> <property> <name>hadoop.security.keystore.java-keystore-provider.password-file</name> <value>/tmp/password.txt</value> <description>Java KeyStore password file</description> </property>
If the Java KeyStore is not password protected, omit thehadoop.security.keystore.java-keystore-provider.password-file
property. -
Click Save Changes and restart the Key Trustee KMS
service.
If the Java KeyStore is not password protected, skip to step 7.
-
Create the file
/var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
and add the Java KeyStore password to it. -
Change the ownership of
/var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
tokms:kms
.sudo chown kms:kms /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
-
From the host running the Key Trustee KMS service, if you have not configured Kerberos
and TLS/SSL, run the following command:
curl -L -d "trusteeOp=migrate" "http://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate"
If you have configured Kerberos and TLS/SSL, use the following command instead:curl --negotiate -u : -L -d "trusteeOp=migrate" "https://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate" --cacert /path/to/kms/cert
-
Monitor
/var/log/kms-keytrustee/kms.log
and/var/log/kms-keytrustee/kms-catalina.<date>.log
to verify that the migration is successful.You can also run sudo -u <key_admin> hadoop key list to verify that the keys are listed. - After you have verified that the migration is successful, remove the safety valve entry used in step 3 and restart the Key Trustee KMS service.