Set up CipherTrust HSM for Ranger KMS, KTS, and KeyHSM
How to integrate Ranger KMS, KTS and KeyHSM with the CipherTrust HSM appliance.
This task describes how to set up the CipherTrust hardware security moudule (HSM) appliance provided by Thales. The process describes configuring the NAE port using CipherTrust Manager, setting up and configuring KeyHSM in your cluster, and validating keys using CipherTrust Manager.
- Have Thales CipherTrust Manger installed in your enivronment.
- Have Ranger Key Management System, Key Trustee Server and Key HSM installed in your environment.
- Have Java (jdk184.108.40.206) installed.
See related topics for more information about installing Ranger KMS, KTS and KeyHSM.
Configure NAE port in Thales CipherTrust Manager
- Log in to Thales CipherTrust Manager.
- In Add Interface. , select
- In Type, Select NAE (default).
- In Network Interface, selectAll.
In Port, type a value for the port number.
In Mode, select one of the following options to match
- No TLS, user must supply password.
- TLS, Ignore client cert. user must supply password.
- Click Add.
Create a user.
- In Create New User . , click
- In Create a New User, provide a username, password, and any any required information.
- Click Create.
In your Key HSM root directory, make sure that appropriate versions of KeyHSM
files are available with proper permissions.
Only if SSL is enabled on CipherTrust Manager:
echo "thales_machine_ip nae.keysecure.local" >> /etc/hosts
Setup Key HSM service.
keyhsm setup keysecure
-- Configuring keyHsm General Setup -- Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM Please enter Key HSM SSL listener IP address: [127.0.0.1] Hit Enter Will attempt to setup listener on 127.0.0.1 Please enter Key HSM SSL listener PORT number: 9090 validate Port: :[ Successful ] -- Ingrian HSM Credential Configuration -- Please enter HSM login USERNAME: username Please enter HSM login PASSWORD: password Please enter HSM IP Address or Hostname: 220.127.116.11 Please enter HSM Port number: 9000 Valid address: :[ Successful ] Use SSL? [Y/n] Y (If TSL is enabled on NAE port then press Y else type n and hit enter and act accordingly) org.bouncycastle.cert.X509CertificateHolder@f20f09ff org.bouncycastle.cert.X509CertificateHolder@ebb30faf Trust this server? [y/N] y Trusted server: :[ Successful ]
Validate Key HSM Service.
$ service keyhsm validate
Start the Key HSM service.
$ service keyhsm start
Configure Key HSM to trust KTS.
$ keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
Configure KTS to trust the Key HSM server.
$ ktadmin keyhsm --server http://127.0.0.1:9090 --trust
Restart Key HSM.
$ service keyhsm restart
- Restart the KTS from Cloudera Manager UI.
Test the HSM.
curl -k https://$(hostname -f):11371/test_hsm
- Login to the Ranger UI using keyadmin user role for creating an encryption zone key and do further validation.
- In Keys. , click