Installing Cloudera Navigator Key HSM

Cloudera Navigator Key HSM is a universal hardware security module (HSM) driver that translates between the target HSM platform and Cloudera Navigator Key Trustee Server. With Key HSM, a Key Trustee Server can store and retrieve encryption keys and other secure objects through a supported HSM, without tying the deployment to a single hardware platform.

You must install Key HSM on the same host as Key Trustee Server. See Data at Rest Encryption Requirements for more information about encryption and Key HSM requirements.

  1. Set up the Key HSM repository.

    Download the Key HSM tarball and create a local Key HSM repository with the files from the tarball.

    You must create an internal repository to install Cloudera Navigator Key HSM. For instructions on creating internal repositories, see Configuring a Local Package Repository.

  2. Add the Key HSM repository to the host.

    Add the local Key HSM repository you created in the previous step to the host's package configuration. See Configuring a Local Package Repository for more information.

    Run the following command to import the GPG key used to sign the packages:
    sudo rpm --import http://repo.example.com/path/to/RPM-GPG-KEY-cloudera
    Before importing, confirm the key's fingerprint against a copy obtained through a trusted channel. A key fetched over plain HTTP can be replaced in transit, and every later package signature check would then trust the substituted key.
  3. Install the CDH repository.
    Key Trustee Server and Key HSM depend on the bigtop-utils package, which is included in the CDH repository. For instructions on adding the CDH repository, see Configuring a Local Package Repository.
  4. Install Navigator Key HSM.
    Run the following command to install the Navigator Key HSM package:
    sudo yum install keytrustee-keyhsm

    Cloudera Navigator Key HSM is installed to the /usr/share/keytrustee-server-keyhsm directory by default.

Additional steps for FIPS + JDK 11

The FIPS-specific jars must be on the Key HSM classpath before Key HSM is started.

  1. Locate the FIPS-specific jars on the host. For example:
    -rw-r--r-- 1 root root 4093016 Jan  7 20:00 com-safelogic-cryptocomply-fips-core.jar
    -rw-r--r-- 1 root root  759443 Jan  7 20:00 bctls.jar
  2. Navigate to the Key HSM base directory:
    cd /usr/share/keytrustee-server-keyhsm/
  3. Open the start script:
    vim start.sh
  4. Append the directory that holds the FIPS jars to the java -classpath argument.
    The paths below are the ones used in this example; yours may differ. Keep the existing classpath entries unchanged.
    Existing path:
    java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*:/opt/cloudhsm/java/*:/usr/share/keytrustee-server-keyhsm/conf/"
    After appending /cdep/extra_jars/* (the directory containing the FIPS jars in this example):
    java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*:/opt/cloudhsm/java/*:/usr/share/keytrustee-server-keyhsm/conf/:/cdep/extra_jars/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/:/opt/cloudhsm/lib/
    The -Djava.library.path option in the second line points the JVM at the native libraries of the HSM client (the SafeNet Luna and AWS CloudHSM client directories in this example); if your start.sh already sets it, leave that value in place.
  5. Start the Key HSM service.
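The classpath edit above is easy to get wrong by hand (a missing colon, the jar directory appended without the trailing /*, or the same entry appended twice after a repeated run). The script below is an added example, not part of Cloudera's Key HSM package: it checks that the two FIPS jars named above are present, backs up start.sh, appends the jar directory to the quoted -classpath value only if it is not already there, and prints the resulting -classpath argument so you can eyeball it before starting the service. It assumes start.sh contains a single quoted java -classpath "..." value, as in the example above; the /cdep/extra_jars directory is the example's own path and is passed in as an argument.

```bash
#!/usr/bin/env bash
# Added example (not Cloudera's script): put the FIPS jar directory on the
# Key HSM classpath in start.sh, idempotently and with a backup.
# Assumptions: start.sh contains one quoted `java -classpath "<entries>"`
# value, and the FIPS jars live in the directory given as the second argument
# (/cdep/extra_jars in the page's example).
set -u

# Return 0 if the directory holds the two FIPS jars the page names.
fips_jars_present() {
    local dir=$1
    [ -f "$dir/com-safelogic-cryptocomply-fips-core.jar" ] && [ -f "$dir/bctls.jar" ]
}

# Append "<dir>/*" to the quoted -classpath value in the script unless it is
# already present. Leaves <script>.bak as a backup of the original and prints
# the resulting -classpath argument.
patch_classpath() {
    local script=$1 dir=$2
    if grep -q -- "-classpath \"[^\"]*:$dir/\*" "$script"; then
        # Already patched: report the current value and do not touch the file.
        grep -o -- '-classpath "[^"]*"' "$script"
        return 0
    fi
    cp -p "$script" "$script.bak"
    # Inside the quoted classpath, replace the closing quote with :<dir>/*"
    # Reading from the backup and writing to the original keeps the file mode.
    sed "s|\(-classpath \"[^\"]*\)\"|\1:$dir/*\"|" "$script.bak" > "$script"
    grep -o -- '-classpath "[^"]*"' "$script"
}

# Usage: patch-keyhsm-classpath.sh /usr/share/keytrustee-server-keyhsm/start.sh /cdep/extra_jars
if [ $# -eq 2 ]; then
    fips_jars_present "$2" || { echo "FIPS jars not found in $2" >&2; exit 1; }
    patch_classpath "$1" "$2"
fi
```

Run it as root (start.sh is root-owned under /usr/share/keytrustee-server-keyhsm), then start the Key HSM service as in step 5. If the FIPS jars are not found the script exits without modifying start.sh, so a mistyped directory cannot leave the service pointed at an empty classpath entry.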