Validating Key HSM Settings
After you finish setting up Navigator Key HSM, you can check the configuration settings and verify that Key HSM is properly connected to your HSM.
After the setup completes, the Key HSM configuration is stored in
service keyhsm settings command:
$ sudo service keyhsm settings

# keyHsm Server Configuration information:
keyhsm.management.address : 172.19.1.2
keyhsm.server.port : 9090
keyhsm.management.port : 9899
keyhsm.service.port : 19791
keyhsm.hardware : ncipher

# Module OCS Password
thales.ocs_password : GIqhXDuZsj1Oet137Lb+f+tqkYvKYDm/8StefpNqZWwlB+LfSYlB4eHd
endtYJio8qLjjbT+e7j2th5xf8O9t8FwfVguuyFW+6wdD
uNGvse1LY/itCwqF0ScMlB1Mnz4010xqC6ylPW7l+0JjjkkqqM5gJJbl8lsQFFaIGVM/pY=
These settings can be manually configured by modifying the
application.properties file, with the exception of any passwords. These
are encrypted by design, and can only be changed by re-running the setup utility.
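Because these settings can be edited by hand, it is useful to compare the reported values with the ones you expect. The following is an added example, not Cloudera's code: the function names, the name=value argument format, and the sample text (constructed from the output shown above, without the password entry) are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between `service keyhsm settings` output and
# the values you expect. Function names and the name=value argument format
# are assumptions of this example, not part of Key HSM.

# Constructed sample, copied from the output above without the password entry.
SAMPLE='# keyHsm Server Configuration information:
keyhsm.management.address : 172.19.1.2
keyhsm.server.port : 9090
keyhsm.management.port : 9899
keyhsm.service.port : 19791
keyhsm.hardware : ncipher'

# Print the value of property $1 from settings text on stdin; status 1 if absent.
keyhsm_get() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                    # skip comment lines
        {
            i = index($0, " : ")               # "name : value" separator
            if (i == 0) next                   # blank or wrapped line
            name = substr($0, 1, i - 1); val = substr($0, i + 3)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) { print val; found = 1; exit }
        }
        END { exit !found }'
}

# Compare settings text $1 with expected name=value pairs (remaining args).
# Prints one line per problem and returns the number of problems found.
keyhsm_drift() {
    settings=$1; shift
    bad=0
    for pair in "$@"; do
        name=${pair%%=*}; want=${pair#*=}
        if got=$(printf '%s\n' "$settings" | keyhsm_get "$name"); then
            [ "$got" = "$want" ] && continue
            echo "MISMATCH $name: expected '$want', found '$got'"
        else
            echo "MISSING $name"
        fi
        bad=$((bad + 1))
    done
    return "$bad"
}

# On a Key HSM host, pass "$(sudo service keyhsm settings)" instead of SAMPLE.
keyhsm_drift "$SAMPLE" keyhsm.server.port=9090 keyhsm.hardware=ncipher \
    && echo "settings match"
```

A nonzero exit status from keyhsm_drift means at least one expected property is missing or has a different value.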
Verifying Key HSM Connectivity to HSM
To verify Hardware Security Module (HSM) operations using Key HSM, run the following
command on the Key Trustee Server host (which should also be the Key HSM host as
described in Installing Cloudera Navigator Key HSM):
curl -k https://keytrustee01.example.com:11371/test_hsm
If Key HSM operations to the HSM are successful, the command returns output similar to the following:
"Sample Key TEST_HELLO_DEPOSIT2016-06-03-072718 has been created"
You must run this command from the Key Trustee Server host. If you run it from a different host, the command returns an HTTP
If the command returns an HTTP 405 error code, restart Key Trustee Server and try again.