Cloudera Docs

Overriding custom keystore alias on a Ranger KMS Server

Use this procedure to override the custom keystore alias on a Ranger KMS server.

The custom keystore alias may need to be overridden in the following scenarios:

  • User has manually enabled TLS/SSL during fresh installations of Ranger KMS and Ranger KMS with Key Trustee Server (KTS), and the keystore alias was not added to the hostname.
  • User has upgraded from CDP-DC 7.0.3 with Key Trustee KMS and Ranger to CDP-DC 7.1.1 (where Ranger KMS with KTS is added during the upgrade) in a TLS/SSL environment in which TLS/SSL was manually enabled, and the keystore alias was not added to the hostname.

Overriding custom keystore alias while configuring TLS/SSL on a single instance of Ranger KMS Server

  1. In Cloudera Manager, select Ranger KMS > Configuration, and and search for ranger.service.https.attrib.keystore.keyalias to set the custom alias value for the Ranger KMS Server TLS/SSL Keystore File Alias configuration parameter.
  2. Click Save Changes.
  3. Restart the Ranger KMS service.

Overriding custom keystore alias while configuring TLS/SSL on multiple instances of Ranger KMS Server

  1. In Cloudera Manager, select Ranger KMS > Instances and select Ranger KMS Server role > Configuration. Use the Add (+) icons for the Ranger KMS Server Advanced Configuration Snippet (Safety valve) for conf/ranger-kms-site.xml property to add the following property: 
    ranger.service.https.attrib.keystore.keyalias = <expected alias>

    This overrides the configuration on the host on which the current Ranger KMS Server role is available.

  2. Repeat Step 1 for all the other Ranger KMS Servers to override the configuration by using the Ranger KMS Server Advanced Configuration Snippet (Safety valve) for conf/ranger-kms-site.xml property.
  3. Restart the Ranger KMS service.