Hints and Tips
There are a few hints and tips that can help simplify the HSM KMS installation when using the HDFS Encryption Wizard.
Limit the Number of ZooKeeper DEBUG Messages
When setting the KMS log level to DEBUG, there can be a lot of ZooKeeper DEBUG messages that clutter the log. To prevent this, in the Logging Advanced Configuration Snippet (Safety Valve) field, enter:
log4j.category.org.apache.zookeeper=INFO
Limit Encryption Zone Timeouts
When creating encryption zones, there can be client timeouts due to the time it takes to fill the encrypted data encryption key (EDEK) cache. To avoid this, adjust the low watermark threshold settings as follows.
On the server side, in the field HSM KMS Proxy Advanced Configuration Snippet (Safety Valve) for kms-site.xml:
<property>
  <name>hadoop.security.kms.encrypted.key.cache.low.watermark</name>
  <value>.03</value>
</property>
On the client side, in the field HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
<property>
  <name>hadoop.security.kms.client.encrypted.key.cache.low-watermark</name>
  <value>.02</value>
</property>
Increase KMS Client Timeout Value
Due to potential latency during installation, it is recommended that you increase the KMS client timeout value.
Change from the default of 60 seconds to a value between 100 and 120 seconds in the field HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
<property>
  <name>hadoop.security.kms.client.timeout</name>
  <value>110</value>
</property>
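The three settings above are easy to mistype (note that the client-side key is spelled low-watermark with a hyphen while the server-side key uses low.watermark with a dot), and a wrong name is silently ignored by Hadoop. The following script is an added example, not part of this page or of the Cloudera or Hadoop code: it parses Hadoop-style configuration XML and reports whether the two low-watermark fractions and the KMS client timeout match the recommendations given here. The sample core-site.xml and kms-site.xml contents are constructed for the example; point parse_hadoop_config at the real files generated by Cloudera Manager to check a live cluster.

```python
import xml.etree.ElementTree as ET

# Constructed sample snippets showing how the client-side core-site.xml and
# server-side kms-site.xml look once the settings above have been applied.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.kms.client.encrypted.key.cache.low-watermark</name>
    <value>.02</value>
  </property>
  <property>
    <name>hadoop.security.kms.client.timeout</name>
    <value>110</value>
  </property>
</configuration>"""

SAMPLE_KMS_SITE = """<configuration>
  <property>
    <name>hadoop.security.kms.encrypted.key.cache.low.watermark</name>
    <value>.03</value>
  </property>
</configuration>"""

# Property names exactly as they appear on this page; note the differing
# spelling of the client-side (hyphen) and server-side (dot) watermark keys.
CLIENT_WATERMARK = "hadoop.security.kms.client.encrypted.key.cache.low-watermark"
SERVER_WATERMARK = "hadoop.security.kms.encrypted.key.cache.low.watermark"
CLIENT_TIMEOUT = "hadoop.security.kms.client.timeout"


def parse_hadoop_config(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def check_kms_settings(core_site, kms_site):
    """Compare parsed settings with this page's recommendations.

    Returns a list of findings; an empty list means every setting is present
    and within range.
    """
    findings = []

    # Client timeout: this page recommends 100-120 s instead of the 60 s default.
    timeout = core_site.get(CLIENT_TIMEOUT)
    if timeout is None:
        findings.append("client timeout not set (60 s default in effect)")
    else:
        try:
            seconds = int(timeout)
        except ValueError:
            findings.append(f"client timeout is not an integer: {timeout!r}")
        else:
            if not 100 <= seconds <= 120:
                findings.append(
                    f"client timeout {seconds} s is outside the recommended 100-120 s")

    # Low-watermark values are fractions of the EDEK cache, so they must be
    # numeric and lie in (0, 1]; a misspelled key shows up here as "not set".
    for props, name in ((core_site, CLIENT_WATERMARK), (kms_site, SERVER_WATERMARK)):
        raw = props.get(name)
        if raw is None:
            findings.append(f"{name} not set")
            continue
        try:
            fraction = float(raw)
        except ValueError:
            findings.append(f"{name} is not numeric: {raw!r}")
            continue
        if not 0 < fraction <= 1:
            findings.append(f"{name}={fraction} is not a fraction in (0, 1]")

    return findings


if __name__ == "__main__":
    core = parse_hadoop_config(SAMPLE_CORE_SITE)
    kms = parse_hadoop_config(SAMPLE_KMS_SITE)
    problems = check_kms_settings(core, kms)
    print("OK" if not problems else "\n".join(problems))
```

On a real cluster, read the files from the current process directory under /var/run/cloudera-scm-agent/process (path assumed; adjust to your deployment) rather than the constructed samples, so that the check sees the configuration the HDFS and KMS daemons actually loaded.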