Learn about the known issues in Ranger KMS, the impact or changes to the functionality,
and the workaround.
CDPD-70115: Ranger KMS with Oracle DB not supported for Navigator Encrypt
Navigator Encrypt deposit registration fails when the Ranger KMS DB is set up with Oracle DB, with the following error:
java.sql.SQLSyntaxErrorException: ORA-02289: sequence does not exist Error Code: 2289
Workaround: None.
CDPD-101323: Ranger KMS with KTS key export/import fails when using a custom keystore path
When migrating keys from KTS to the Ranger KMS DB, the Export keys from Ranger KMS KTS action (Cloudera Manager > Ranger KMS KTS > Actions > Export keys from Ranger KMS KTS) can fail if Ranger KMS with KTS is configured with a custom Key Trustee keystore path.
Perform the following steps before running the export action when using a custom Key Trustee keystore path:
1. On both Ranger KMS (with KTS) instances, manually create the default directory.
2. Set the ownership of the directory to kms:kms.
3. Align permissions with your custom path directory used by Ranger KMS with KTS.
4. Run the export action again from Cloudera Manager > Ranger KMS KTS > Actions > Export keys from Ranger KMS KTS.
The export action might still report a failure during the verification step because it looks in the custom path. However, the keystore file migratedKeyStore.jceks is generated in the hardcoded default path.
Manually verify that the keystore has been created and is valid: