Connecting KeySecure HSM to CipherTrust Manager after migration from Key Secure HSM
How to configure the KeySecure HSM to connect to CipherTrust.
After the Thales team successfully migrates the keys from Key Secure HSM to CipherTrust Manager, you must configure the Key HSM to connect to CipherTrust. You must perform the following steps on both the Active and Passive KTS nodes.
The Thales team must have successfully migrated the keys from Key Secure HSM to CipherTrust Manager.
Stop the Key HSM service.
$ service keyhsm stop
- Back up the existing application.properties file.
If SSL is enabled on CipherTrust Manager, run the following
$ echo "thales_machine_ip nae.keysecure.local" >> /etc/hosts
Set up the Key HSM service.
$ keyhsm setup keysecure
-- Configuring keyHsm General Setup -- Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM Please enter Key HSM SSL listener IP address: [127.0.0.1] Will attempt to setup listener on 127.0.0.1 Please enter Key HSM SSL listener PORT number: 9090 validate Port: :[ Successful ] -- Ingrian HSM Credential Configuration -- Please enter HSM login USERNAME: testuser (user created on CipherTrust Manager) Please enter HSM login PASSWORD: Please enter HSM IP Address or Hostname: ec2-3-144-233-194.us-east-2.compute.amazonaws.com Please enter HSM Port number: 9000 Valid address: :[ Successful ] Use SSL? [Y/n] (As per the configuration done on CipherTrust Manager) Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
Validate the Key HSM.
$ service keyhsm validate
Check Key HSM is stopped :[ Successful ] Configuration Available :[ Successful ] Port 127.0.0.1:9090 available :[ Successful ] Unlimited-Strength JCE :[ Successful ] Validate cipher list :[ Successful ] HSM availability :[ Successful ] All services available: :[ Successful ]
Start the Key HSM service.
$ service keyhsm start Starting KeyHSM, please wait...
The KeyHSM service is started.
Configure Key HSM to trust KTS by providing the full path to the file.
$ keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
Configure KTS to trust the Key HSM server.
$ ktadmin keyhsm --server http://127.0.0.1:9090 --trust
- Restart KTS from Cloudera Manager.
- Restart Ranger KMS KTS service from Cloudera Manager.