Connecting KeySecure HSM to CipherTrust Manager after migration from Key Secure HSM

How to configure the KeySecure HSM to connect to CipherTrust.

After the Thales team successfully migrates the keys from Key Secure HSM to CipherTrust Manager, you must configure the Key HSM to connect to CipherTrust. You must perform the following steps on both the Active and Passive KTS nodes.

The Thales team must have successfully migrated the keys from Key Secure HSM to CipherTrust Manager.

  1. Stop the Key HSM service.
    $ service keyhsm stop
  2. Back up the existing application.properties file.
  3. Optional: If SSL is enabled on CipherTrust Manager, run the following command:
    $ echo "thales_machine_ip nae.keysecure.local" >> /etc/hosts 
  4. Set up the Key HSM service.
    $ keyhsm setup keysecure
    -- Configuring keyHsm General Setup --
    Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM 
    Please enter Key HSM SSL listener IP address: [127.0.0.1]
    Will attempt to setup listener on 127.0.0.1
    Please enter Key HSM SSL listener PORT number: 9090
                            
    validate Port:                                    :[ Successful ]
                            
                            
     -- Ingrian HSM Credential Configuration --
    Please enter HSM login USERNAME: testuser (user created on CipherTrust Manager)
    Please enter HSM login PASSWORD: 
                            
    Please enter HSM IP Address or Hostname: ec2-3-144-233-194.us-east-2.compute.amazonaws.com
    Please enter HSM Port number: 9000
    Valid address:                                    :[ Successful ]
                            
    Use SSL? [Y/n] (As per the configuration done on CipherTrust Manager)
                            
                            
    Configuration saved in 'application.properties' file
    Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
  5. Validate the Key HSM.
    $ service keyhsm validate
    Check Key HSM is stopped                          :[ Successful ]
    Configuration Available                           :[ Successful ]
    Port 127.0.0.1:9090 available                     :[ Successful ]
    Unlimited-Strength JCE                            :[ Successful ]
    Validate cipher list                              :[ Successful ]
    HSM availability                                  :[ Successful ]
    All services available:                           :[ Successful ]
  6. Start the Key HSM service.
    $ service keyhsm start
    Starting KeyHSM, please wait...

    The KeyHSM service is started.

  7. Configure Key HSM to trust KTS by providing the full path to the file.
    $ keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
  8. Configure KTS to trust the Key HSM server.
    $ ktadmin keyhsm --server http://127.0.0.1:9090 --trust
  9. Restart KTS from Cloudera Manager.
  10. Restart Ranger KMS KTS service from Cloudera Manager.