Connecting KeySecure HSM to CipherTrust Manager after migration from Key Secure
HSM
How to configure the KeySecure HSM to connect to CipherTrust.
After the Thales team successfully migrates the keys from Key Secure HSM to
CipherTrust Manager, you must configure the Key HSM to connect to CipherTrust. You
must perform the following steps on both the Active and Passive KTS nodes.
The Thales team must have successfully migrated the keys from Key Secure HSM to
CipherTrust Manager.
Stop the Key HSM service.
$ service keyhsm stop
Backup the existing application.properties file.
Optional: If SSL is enabled on CipherTrust Manager, run the following command
-- Configuring keyHsm General Setup --
Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM
Please enter Key HSM SSL listener IP address: [127.0.0.1]
Will attempt to setup listener on 127.0.0.1
Please enter Key HSM SSL listener PORT number: 9090
validate Port: :[ Successful ]
-- Ingrian HSM Credential Configuration --
Please enter HSM login USERNAME: testuser (user created on CipherTrust Manager)
Please enter HSM login PASSWORD:
Please enter HSM IP Address or Hostname: ec2-3-144-233-194.us-east-2.compute.amazonaws.com
Please enter HSM Port number: 9000
Valid address: :[ Successful ]
Use SSL? [Y/n] (As per the configuration done on CipherTrust Manager)
Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
Validate the Key HSM.
$ service keyhsm validate
Check Key HSM is stopped :[ Successful ]
Configuration Available :[ Successful ]
Port 127.0.0.1:9090 available :[ Successful ]
Unlimited-Strength JCE :[ Successful ]
Validate cipher list :[ Successful ]
HSM availability :[ Successful ]
All services available: :[ Successful ]
Start the Key HSM service.
$ service keyhsm start
Starting KeyHSM, please wait...
KeyHSM started successfully
Configure Key HSM to trust KTS by providing the full path to the file.