Set up CipherTrust HSM for Ranger KMS, KTS, and KeyHSM

How to integrate Ranger KMS, KTS and KeyHSM with the CipherTrust HSM appliance.

This task describes how to set up the CipherTrust hardware security moudule (HSM) appliance provided by Thales. The process describes configuring the NAE port using CipherTrust Manager, setting up and configuring KeyHSM in your cluster, and validating keys using CipherTrust Manager.

You must:
  • Have Thales CipherTrust Manger installed in your enivronment.
  • Have Ranger Key Management System, Key Trustee Server and Key HSM installed in your environment.
  • Have Java (jdk1.8.0.232) installed

See related topics for more information about installing Ranger KMS, KTS and KeyHSM.

Configure NAE port in Thales CipherTrust Manager

  1. Log in to Thales CipherTrust Manager.
  2. In CipherTrust Manager > Admin Settings, select Add Interface.
  3. In Type, Select NAE (default).
  4. In Network Interface, selectAll.
  5. In Port, type a value for the port number.
    9000
  6. In Mode, select one of the following options to match your environment:
    • No TLS, user must supply password.
    • TLS, Ignore client cert. user must supply password.
  7. Click Add.
  8. Create a user.
    1. In Access Management > Users, click Create New User .
    2. In Create a New User, provide a username, password, and any any required information.
    3. Click Create.
Setting up a cluster and configuring KeyHSM
  1. In your Key HSM root directory, make sure that appropriate versions of KeyHSM files are available with proper permissions.
    cd /usr/share/keytrustee-server-keyhsm/ 
  2. Only if SSL is enabled on CipherTrust Manager:
    echo "thales_machine_ip  nae.keysecure.local" >> /etc/hosts              
  3. Setup Key HSM service.
    keyhsm setup keysecure
    -- Configuring keyHsm General Setup --
    Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM 
    Please enter Key HSM SSL listener IP address: [127.0.0.1] Hit Enter
    Will attempt to setup listener on 127.0.0.1
    Please enter Key HSM SSL listener PORT number: 9090
    
    validate Port:                                    :[ Successful ]
    
    -- Ingrian HSM Credential Configuration --
    Please enter HSM login USERNAME: username
    Please enter HSM login PASSWORD: password
    
    Please enter HSM IP Address or Hostname: 18.218.251.172
    Please enter HSM Port number: 9000
    Valid address:                                    :[ Successful ]
    
    Use SSL? [Y/n] Y (If TSL is enabled on NAE port then press Y else type n and hit enter and act accordingly)
    
    org.bouncycastle.cert.X509CertificateHolder@f20f09ff
    org.bouncycastle.cert.X509CertificateHolder@ebb30faf
    Trust this server? [y/N] y
    
    Trusted server:                                   :[ Successful ]                      
  4. Validate Key HSM Service.
    $ service keyhsm validate 
  5. Start the Key HSM service.
    $ service keyhsm start
  6. Configure Key HSM to trust KTS
    $ keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
  7. Configure KTS to trust the Key HSM server.
    $ ktadmin keyhsm --server http://127.0.0.1:9090 --trust 
  8. Restart Key HSM.
    $ service keyhsm restart 
  9. Restart the KTS from Cloudera Manager UI.
  10. Test the HSM.
    curl -k https://$(hostname -f):11371/test_hsm                
  11. Login to the Ranger UI using keyadmin user role for creating an encryption zone key and do further validation.
Validating Keys in Cipher Trust HSM
  1. In Thales Cipher Trust Manager > Left Navigation Panel, click Keys.
Keys created in the second to last step should be present, as shown in:
Figure 1. Validating Keys in CipherTrust Manager
Validating Keys in CipherTrust Manager
Further keys for zone operation can be created using Ranger UI with keyadmin role credentials and also using hadoop commands.