Migrate the Ranger KMS KTS role instance to a new host

After migrating the Ranger Admin, Ranger KMS db role instances to a new host, migrate the Ranger KMS KTS role instance.

Only if Ranger KMS is backed by Key Trustee Server for key storage, should you migrate the Ranger KMS KTS role instance.

Add a new Ranger KMS KTS role instance on another node.

note
If you enabled manual SSL on this cluster, you must update the SSL configs when adding a new role.
Start the new Ranger KMS KTS role instance.
Stop the initial Ranger KTS service.
Delete the older Ranger KTS instance.
Restart the cluster.
Login to Ranger Admin UI using keyadmin credentials.
Update the cm_kms service to use the kms url that refers to the new hostname.

Copy or rsync conf and gpg files such as keytrustee.conf, pubring.gpp and secring.gpg present at /var/lib/kms-keytrustee/keytrustee/.keytrustee/ from older host to new host. For example:

[root@mm-ktslog-1 ~]# ll /var/lib/kms-keytrustee/keytrustee/.keytrustee/
total 20
-rw------- 1 kms kms  715 Oct  7 10:59 keytrustee.conf
-rw------- 1 kms kms 5026 Oct  7 10:59 pubring.gpg
-rw------- 1 kms kms 4885 Oct  7 10:59 secring.gpg

Restart the Ranger KMS KTS service.

Migrate the Ranger KMS KTS role instance to a new host

We want your opinion

How can we improve this page?