Setting up CipherTrust HSM for Ranger KMS, KTS, and KeyHSM
How to integrate Ranger KMS, KTS, and KeyHSM with the CipherTrust HSM appliance.
This task describes how to set up the CipherTrust hardware security module (HSM) appliance provided by Thales. The process covers configuring the NAE port in CipherTrust Manager, setting up and configuring KeyHSM in your cluster, and validating keys in CipherTrust Manager.
You must have installed the following in your environment:
Thales CipherTrust Manager
Ranger Key Management System, Key Trustee Server, and Key HSM
Java (jdk1.8.0.232)
See related topics for more information about installing Ranger KMS, KTS, and KeyHSM.
Configuring NAE port in Thales CipherTrust Manager
Log in to Thales CipherTrust Manager.
In CipherTrust Manager > Admin Settings, select Add Interface.
In Type, select NAE (default).
In Network Interface, select All.
In Port, type the port number, for example 9000.
In Mode, select one of the following options to match your environment:
No TLS, user must supply password.
TLS, Ignore client cert. user must supply password.
With No TLS, the HSM login username and password and all KeyHSM traffic to the appliance cross the network in cleartext; use a TLS mode anywhere other than an isolated test environment.
Click Add.
Create a user:
In Access Management > Users, click Create New User.
In Create a New User, provide a username, password, and other required information.
Click Create.
Setting up a cluster and configuring KeyHSM
In your Key HSM root directory, make sure that appropriate versions of the KeyHSM files are available with proper permissions.
cd /usr/share/keytrustee-server-keyhsm/
Run the Key HSM setup for the CipherTrust (Ingrian) HSM type from this directory and answer the prompts as in the following session. Answer Y at the Use SSL? prompt only if the NAE interface was created in a TLS mode:
-- Configuring keyHsm General Setup --
Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM
Please enter Key HSM SSL listener IP address: [127.0.0.1] Hit Enter
Will attempt to setup listener on 127.0.0.1
Please enter Key HSM SSL listener PORT number: 9090
validate Port: :[ Successful ]
-- Ingrian HSM Credential Configuration --
Please enter HSM login USERNAME: username
Please enter HSM login PASSWORD: password
Please enter HSM IP Address or Hostname: 18.218.251.172
Please enter HSM Port number: 9000
Valid address: :[ Successful ]
Use SSL? [Y/n] Y (Press Y if TLS is enabled on the NAE port; otherwise type n and continue accordingly.)
org.bouncycastle.cert.X509CertificateHolder@f20f09ff
org.bouncycastle.cert.X509CertificateHolder@ebb30faf
Trust this server? [y/N] y
Trusted server: :[ Successful ]
The two X509CertificateHolder lines are the appliance's certificate chain printed as Java object references, not as subject names or fingerprints, so they cannot be used to identify the server. Before answering y, confirm that the certificate presented on the NAE port (for example, with openssl s_client) is the one configured on CipherTrust Manager; answering y pins whatever certificate was received.
Log in to the Ranger UI as a user with the keyadmin role, create an encryption zone key, and proceed with validation.
Validating Keys in CipherTrust HSM
In Thales CipherTrust Manager > Left Navigation Panel, click Keys.
The encryption zone key created in the Ranger UI in the previous procedure should be listed.
Further keys for encryption zone operations can be created in the Ranger UI with keyadmin role credentials or with hadoop key commands.