Configuring Ranger KMS to connect to TLS 1.2/TCPS-enabled databases
Update the Ranger KMS Database JDBC Url Override and the additional configuration needed to connect to secure databases.
Ensure that TLS 1.2 has already been enabled on the Ranger KMS database.
- Go to Cloudera Manager > Ranger KMS > Configuration and specify the following configuration values, depending on the database type:
MySQL

| Label | Configuration Name | Value |
|---|---|---|
| Ranger KMS Database Type | ranger_kms_database_type | mysql |
| Ranger KMS Database User | ranger_kms_database_user | <username> |
| Ranger KMS Database User Password | ranger_kms_database_password | <password> |
| Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:mysql://<DB-HOST>:<DB-PORT>/<RANGER-KMS-DB-NAME>?sslMode=VERIFY_CA&trustCertificateKeyStoreUrl=<PATH_TO_TRUSTSTORE_FILE>&trustCertificateKeyStoreType=jks&trustCertificateKeyStorePassword=<TRUSTSTORE_PASSWORD>&enabledTLSProtocols=TLSv1.2 |
Oracle

| Label | Configuration Name | Value |
|---|---|---|
| Ranger KMS Database Type | ranger_kms_database_type | oracle |
| Ranger KMS Database User | ranger_kms_database_user | <username> |
| Ranger KMS Database User Password | ranger_kms_database_password | <password> |
| Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:oracle:thin:@tcps://<DB-HOST>:<DB-PORT>:<SERVICE_NAME>?javax.net.ssl.trustStore=<PATH_TO_TRUSTSTORE_FILE>&javax.net.ssl.trustStorePassword=<TRUSTSTORE_PASSWORD>&oracle.net.ssl_server_dn_match=false |
PostgreSQL

| Label | Configuration Name | Value |
|---|---|---|
| Ranger KMS Database Type | ranger_kms_database_type | postgresql |
| Ranger KMS Database User | ranger_kms_database_user | <username> |
| Ranger KMS Database User Password | ranger_kms_database_password | <password> |
| Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:postgresql://<DB-HOST>:<DB-PORT>/<RANGER-KMS-DB>?sslmode=verify-full&sslrootcert=<path-to-database-server-certificate>&enabledTLSProtocols=TLSv1.2 |
- Click Save Changes.
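
To review what a JDBC Url Override value from the steps above actually verifies, the following added example (not part of the Cloudera documentation) parses the URL and reports the certificate verification level. The host names, ports, paths and passwords in SAMPLES are constructed, and treating a missing oracle.net.ssl_server_dn_match as not enforced is an assumption.

```python
from urllib.parse import parse_qsl

# Verification level per driver setting: "none" = server certificate not checked,
# "ca" = chain checked against the truststore, "identity" = chain plus server name.
MYSQL = {"DISABLED": "none", "PREFERRED": "none", "REQUIRED": "none",
         "VERIFY_CA": "ca", "VERIFY_IDENTITY": "identity"}
POSTGRES = {"disable": "none", "allow": "none", "prefer": "none",
            "require": "none", "verify-ca": "ca", "verify-full": "identity"}
NOTE = {"none": "server certificate is not verified",
        "ca": "certificate chain is verified, server name is not"}

# Constructed sample values filled into the page's three URL templates.
SAMPLES = {
    "mysql": "jdbc:mysql://db.example.internal:3306/rangerkms?sslMode=VERIFY_CA"
             "&trustCertificateKeyStoreUrl=file:/opt/tls/truststore.jks"
             "&trustCertificateKeyStoreType=jks"
             "&trustCertificateKeyStorePassword=changeit&enabledTLSProtocols=TLSv1.2",
    "oracle": "jdbc:oracle:thin:@tcps://db.example.internal:2484:ORCL"
              "?javax.net.ssl.trustStore=/opt/tls/truststore.jks"
              "&javax.net.ssl.trustStorePassword=changeit"
              "&oracle.net.ssl_server_dn_match=false",
    "postgresql": "jdbc:postgresql://db.example.internal:5432/rangerkms"
                  "?sslmode=verify-full&sslrootcert=/opt/tls/db-server.pem"
                  "&enabledTLSProtocols=TLSv1.2",
}

def audit_jdbc_url(url):
    """Return (db_type, verification_level, notes) for a JDBC Url Override value."""
    base, _, query = url.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    if base.startswith("jdbc:mysql:"):
        db, level = "mysql", MYSQL.get(params.get("sslMode", "PREFERRED").upper(), "none")
    elif base.startswith("jdbc:postgresql:"):
        db, level = "postgresql", POSTGRES.get(params.get("sslmode", "prefer").lower(), "none")
    elif base.startswith("jdbc:oracle:thin:"):
        # Assumption: a missing oracle.net.ssl_server_dn_match counts as not enforced.
        dn_match = params.get("oracle.net.ssl_server_dn_match", "false").lower() == "true"
        db = "oracle"
        level = "none" if "@tcps:" not in base else ("identity" if dn_match else "ca")
    else:
        raise ValueError("not a MySQL, Oracle or PostgreSQL JDBC URL")
    notes = [NOTE[level]] if level in NOTE else []
    if any("password" in key.lower() for key in params):
        notes.append("truststore password is embedded in the URL")
    return db, level, notes

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, audit_jdbc_url(url))
```

With the values shown on this page, only the PostgreSQL URL (sslmode=verify-full) checks the server name; the MySQL sslMode=VERIFY_CA and Oracle oracle.net.ssl_server_dn_match=false settings stop at certificate chain validation.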