Validating Key HSM Settings

After you finish setting up Navigator Key HSM, you can check the configuration settings and verify that Key HSM is properly connected to your HSM.

After the setup completes, the Key HSM configuration is stored in /usr/share/keytrustee-server-keyhsm/application.properties.

You can view these settings using the service keyhsm settings command:
$ sudo service keyhsm settings

  # keyHsm Server Configuration information:
  keyhsm.management.address : 172.19.1.2
  keyhsm.server.port : 9090
  keyhsm.management.port : 9899
  keyhsm.service.port : 19791
  keyhsm.hardware : ncipher

  # Module OCS Password
  thales.ocs_password :
    GIqhXDuZsj1Oet137Lb+f+tqkYvKYDm/8StefpNqZWwlB+LfSYlB4eHd
    endtYJio8qLjjbT+e7j2th5xf8O9t8FwfVguuyFW+6wdD
    uNGvse1LY/itCwqF0ScMlB1Mnz4010xqC6ylPW7l+0JjjkkqqM5gJJbl8lsQFFaIGVM/pY=

These settings can be manually configured by modifying the application.properties file, with the exception of any passwords. These are encrypted by design, and can only be changed by re-running the setup utility.

Verifying Key HSM Connectivity to HSM

  1. To verify Hardware Security Module (HSM) operations using Key HSM, run the following command on the Key Trustee Server host (which should also be the Key HSM host as described in Installing Cloudera Navigator Key HSM):
    curl -k https://keytrustee01.example.com:11371/test_hsm

    If Key HSM operations to the HSM are successful, the command returns output similar to the following:

    "Sample Key TEST_HELLO_DEPOSIT2016-06-03-072718 has been created"

    You must run this command from the Key Trustee Server host. If you run it from a different host, the command returns an HTTP 403 error code.

  2. If the command returns an HTTP 405 error code, restart Key Trustee Server and try again.