Installing Ranger KMS backed with a Key Trustee Server and HA
The tasks and steps for installing the Ranger Key Management System (KMS) with High Availability (HA) that uses Key Trustee Server (KTS) as the backing key store.
This task uses the Set up HDFS Data At Rest Encryption wizard to install a Ranger KMS with HA that uses KTS as the backing key store.
The following image shows the Set up HDFS Data At Rest Encryption page. When you select your encryption keys root of trust option, a list of tasks that you must do to enable encryption to-and-from HDFS is displayed.
You complete each task independently of the other tasks. The task's Status column indicates whether the step has been completed, and the Notes column provides additional context for the task. If your Cloudera Manager user account does not have sufficient privileges to complete a task, the Notes column indicates the privileges that are required.
- Enable Kerberos
- Enable TLS/SSL
- Add a dedicated cluster for the Key Trustee Servers
- Install the Key Trustee Server binary using packages or parcels
- Add the Key Trustee Service
- Add the Ranger KMS with Key Trustee Server Service
- Restart the stale services and redeploy the client configuration
- Validate the Data Encryption
- Update the KMS with Key Trustee Server service's URL
- Create a Ranger Audit Directory
- Update the Ranger KMS with Key Trustee Server configuration settings
Before you begin, ensure that the following prerequisites are met:
- The cluster in which Cloudera Manager and the Cloudera Ranger service are installed is up and running.
- The Cloudera Manager host has access to your internal repository hosting the Key Trustee Server (KTS) software.
- Communication through secure connections is enabled with the Transport Layer Security (TLS) protocol and your network authentication is enabled with the Kerberos protocol.
Adding an External Dedicated Cluster for the Key Trustee Server Service
The Set up HDFS Data At Rest Encryption wizard's installation step adds a dedicated cluster for the Key Trustee Server (KTS) service.
Describes the steps that add a dedicated cluster for the Key Trustee Server service, which sets up the Cloudera Manager agent and Key Trustee Server parcel and creates a new cluster specifically for the Key Trustee Server hosts. Isolating the Key Trustee Server host from other services adds another layer of security.
Installing the Key Trustee Server to the Dedicated Cluster
The Set up HDFS Data At Rest Encryption wizard's installation step adds the Key Trustee Server service to the dedicated cluster created in the previous step.
Describes the steps that add the Key Trustee Server service, which enable you to select the Active and Passive Key Trustee Servers for HA, synchronize the servers' private keys, and start them.
The Active Key Trustee Server host is the primary server, and the Passive Key Trustee Server host is the backup server that takes over when the primary server disconnects or fails. The primary and backup combination provides highly available, continuous operation.
Installing the Ranger KMS with Key Trustee Server Service
The Set up HDFS Data At Rest Encryption wizard's installation step adds the Ranger KMS with Key Trustee Server service.
Describes the steps that add the Ranger KMS with KTS service, which enables the HDFS encryption to use the Key Trustee Server for cryptographic key management.
Restarting the Stale Services and Redeploying the Client Configuration
The Set up HDFS Data At Rest Encryption wizard's step restarts stale services and redeploys the client configuration.
Describes the steps that restart stale services after installing the Data-at-Rest HDFS Ranger KMS service option on your cluster.
Validating Data Encryption to-and-from HDFS
The Set up HDFS Data At Rest Encryption wizard's step validates the data encryption to-and-from HDFS.
Describes the steps that verify that the Data-at-Rest HDFS Ranger KMS service option can successfully encrypt your data to-and-from HDFS.
Post-Tasks for the Data-at-Rest HDFS Ranger KMS Service
The post-tasks that you must perform after you have set up the Data-at-Rest HDFS Ranger KMS service option.
Describes the post-task steps.
- Update the Data-at-Rest HDFS Ranger KMS service's URL
- Create a Ranger Audit Directory
- (Ranger KMS with Key Trustee Server service only) Update the Authentication Properties and KMS Hadoop cache settings
Updating the Ranger KMS with KTS Service Configuration Properties
Describes the authentication and other property settings that you update after you have set up the Ranger KMS backed with a Key Trustee Server and HA service, and the steps that update the Ranger KMS with Key Trustee Server service's authentication and KMS Hadoop cache settings.