Migrating Keys from a Java KeyStore to Cloudera Navigator Key Trustee Server
You can migrate keys from an existing Java KeyStore (JKS) to Key Trustee Server to improve
security, durability, and scalability. If you are using the Java KeyStore KMS service, and
want to use Key Trustee Server as the backing key store for HDFS Transparent
Encryption
, use the following procedure.
This procedure assumes that the Java KeyStore (JKS) is on the same host
as the new Key Trustee KMS service.
- Stop the Java KeyStore KMS service.
- Add and configure the Key Trustee KMS service, and configure HDFS to use it for its KMS Service setting.
- Restart the HDFS service and redeploy client configuration for this
to take effect:
- Add the following to the Key Management Server Proxy
Advanced Configuration Snippet (Safety Valve) for
kms-site.xml ( ):
<property> <name>hadoop.kms.key.provider.uri</name> <value>keytrustee://file@/var/lib/kms-keytrustee/keytrustee/.keytrustee/,jceks://file@/path/to/kms.keystore</value> <description>URI of the backing KeyProvider for the KMS</description> </property> <property> <name>hadoop.security.keystore.java-keystore-provider.password-file</name> <value>/tmp/password.txt</value> <description>Java KeyStore password file</description> </property>
If the Java KeyStore is not password protected, omit the
hadoop.security.keystore.java-keystore-provider.password-file
property. - Click Save Changes and restart the Key Trustee KMS service. If the Java KeyStore is not password protected, skip to step 7.
- Create the file
/var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
and add the Java KeyStore password to it. - Change the ownership of
/var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
tokms:kms
:sudo chown kms:kms /var/lib/keytrustee-kms/jetty-deployment/webapps/kms/WEB-INF/classes/tmp/password.txt
- From the host running the Key Trustee KMS service, if you have not
configured Kerberos and TLS/SSL, run the following
command:
curl -L -d "trusteeOp=migrate" "http://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate"
If you have configured Kerberos and TLS/SSL, use the following command instead:
curl --negotiate -u : -L -d "trusteeOp=migrate" "https://kms01.example.com:16000/kms/v1/trustee/key/migrate?user.name=username&trusteeOp=migrate" --cacert /path/to/kms/cert
- Monitor
/var/log/kms-keytrustee/kms.log
and/var/log/kms-keytrustee/kms-catalina.<date>.log
to verify that the migration is successful. You can also runsudo -u <key_admin> hadoop key list
to verify that the keys are listed. - After you have verified that the migration is successful, remove the safety valve entry used in step 3 and restart the Key Trustee KMS service.