Cloudera Docs

Configuring the SRM client’s secure storage

The SRM client’s secure storage is an intermediary keystore used to store sensitive security properties that are required to access the Kafka clusters that SRM connects to. If any of these clusters are secured, you need to set up and configure the secure storage, otherwise the srm-control tool will not function.

Based on the SRM service’s configuration, Cloudera Manager automatically generates a default configuration file that is used by the srm-control tool. The default configuration however does not contain any sensitive data (keystores, truststores, passwords) required to access the clusters. Instead, sensitive details are added to SRM’s secure storage, which is an intermediary keystore used to store sensitive data. Specifically, this secure storage will contain all the sensitive information required to access the Kafka clusters that SRM connects to and replicates.

The SRM client’s secure storage is not automatically created or populated with all the necessary information. As a result, before you can start using the tool, you must set up and configure the secure storage. This is done by configuring various configuration properties of the SRM service in Cloudera Manager.

  • Ensure that you have reviewed the information available in Configuring srm-control and understand that the following step list is only one part of the full configuration workflow. Depending on your scenario, completing other configuration tasks might be required.

  • Ensure that setup and configuration of the SRM service is complete:

    • The Kafka clusters that SRM connects to are defined and are added to the SRM service’s configuration. This includes both external and co-located clusters.

    • Replications are configured.

  1. In Cloudera Manager, go to Clusters and select the Streams Replication Manager service.
  2. Go to Configuration.
  3. Click Gateway in the Filters pane.
  4. Find and configure the following properties:
    SRM Client's Secure Storage Password
    The password used to access the secure storage. Take note of the password you configure. You need to provide it in your CLI session before running the tool.
    Environment Variable Holding SRM Client's Secure Storage Password
    The name of the environment variable that stores the secure storage password. Take note of the name that you configure. You need to set it in your CLI session before running the tool.
  5. Click Save Changes.
  6. Re-deploy client configuration.
If your co-located cluster is secured, you must manually configure the sensitive properties required to access the co-located cluster. Continue with one of the following tasks depending on the security configuration of the co-located cluster.
  • Configuring TLS/SSL properties
  • Configuring Kerberos properties
  • Configuring properties for non-Kerberos authentication mechanisms.

If the co-located cluster is not secured, continue with:

  • Setting the secure storage password as an environment variable