Cloudera Docs

Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server

You can migrate keys from an existing Java KeyStore (JKS) to Key Trustee Server to improve security, durability, and scalability. If you are using the Java KeyStore KMS service, and want to use Key Trustee Server as the backing key store for HDFS Transparent Encryption, use the following procedure.

This procedure assumes that the Java KeyStore (JKS) is on the same host as the new Key Trustee KMS service.
  1. Stop the Java KeyStore KMS service.
  2. Add and configure the Key Trustee KMS service, and configure HDFS to use it for its KMS Service setting.
  3. Restart the HDFS service and redeploy client configuration for this to take effect:
    1. Home > Cluster-wide > Deploy Client Configuration
  4. Add the following to the Key Management Server Proxy Advanced Configuration Snippet (Safety Valve) for kms-site.xml (Key Trustee KMS Service > Configuration > Category > Advanced):
    <property>
  <name>hadoop.kms.key.provider.uri</name>
  <value>keytrustee://file@/var/lib/kms-keytrustee/keytrustee/.keytrustee/,jceks://file@/path/to/kms.keystore</value>
  <description>URI of the backing KeyProvider for the KMS</description>
</property>

<property>
  <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
  <value>/tmp/password.txt</value>
  <description>Java KeyStore password file</description>
</property>

    If the Java KeyStore is not password protected, omit the hadoop.security.keystore.java-keystore-provider.password-file property.

  5. Click Save Changes and restart the Key Trustee KMS service. If the Java KeyStore is not password protected, skip to step 7.
  6. Create the file /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt and add the Java KeyStore password to it.
  7. Change the ownership of /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt to kms:kms:
    sudo chown kms:kms /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
  8. From the host running the Key Trustee KMS service, if you have not configured Kerberos and TLS/SSL, run the following command:
    curl -L -d "trusteeOp=migrate" "http://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate"

    If you have configured Kerberos and TLS/SSL, use the following command instead:

    curl --negotiate -u : -L -d "trusteeOp=migrate" "https://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate" --cacert /path/to/kms/cert
  9. Monitor /var/log/kms-keytrustee/kms.log and /var/log/kms-keytrustee/kms-catalina.<date>.log to verify that the migration is successful. You can also run sudo -u <key_admin> hadoop key list to verify that the keys are listed.
  10. After you have verified that the migration is successful, remove the safety valve entry used in step 3 and restart the Key Trustee KMS service.