Configuring Ranger KMS to connect to TLS 1.2/TCPS-enabled databases

Update the Ranger KMS Database JDBC Url Override and the additional configuration values so that Ranger KMS connects to the secure database.

Ensure that TLS 1.2 has already been enabled on the Ranger KMS database.

  1. Go to Cloudera Manager > Ranger KMS > Configuration and specify the following configuration values, depending on the database type:

    MySQL

    | Label | Configuration Name | Value |
    |---|---|---|
    | Ranger KMS Database Type | ranger_kms_database_type | mysql |
    | Ranger KMS Database User | ranger_kms_database_user | <username> |
    | Ranger KMS Database User Password | ranger_kms_database_password | <password> |
    | Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:mysql://<DB-HOST>:<DB-PORT>/<RANGER-KMS-DB-NAME>?sslMode=VERIFY_CA&trustCertificateKeyStoreUrl=<PATH_TO_TRUSTSTORE_FILE>&trustCertificateKeyStoreType=jks&trustCertificateKeyStorePassword=<TRUSTSTORE_PASSWORD>&enabledTLSProtocols=TLSv1.2 |

    Oracle

    | Label | Configuration Name | Value |
    |---|---|---|
    | Ranger KMS Database Type | ranger_kms_database_type | oracle |
    | Ranger KMS Database User | ranger_kms_database_user | <username> |
    | Ranger KMS Database User Password | ranger_kms_database_password | <password> |
    | Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:oracle:thin:@tcps://<DB-HOST>:<DB-PORT>:<SERVICE_NAME>?javax.net.ssl.trustStore=<PATH_TO_TRUSTSTORE_FILE>&javax.net.ssl.trustStorePassword=<TRUSTSTORE_PASSWORD>&oracle.net.ssl_server_dn_match=false |

    PostgreSQL

    | Label | Configuration Name | Value |
    |---|---|---|
    | Ranger KMS Database Type | ranger_kms_database_type | postgresql |
    | Ranger KMS Database User | ranger_kms_database_user | <username> |
    | Ranger KMS Database User Password | ranger_kms_database_password | <password> |
    | Ranger KMS Database JDBC Url Override | ranger_kms_database_jdbc_url | jdbc:postgresql://<DB-HOST>:<DB-PORT>/<RANGER-KMS-DB>?sslmode=verify-full&sslrootcert=<path-to-database-server-certificate>&enabledTLSProtocols=TLSv1.2 |

  2. Click Save Changes.
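
A pre-flight check for the override string before it is pasted into Cloudera Manager, as an added example that is not part of the original documentation or of Cloudera's tooling: it confirms that a filled-in URL still carries the TLS parameters from the templates above. The function name, the sample host and paths, and the acceptance of the other certificate-verifying driver modes (VERIFY_IDENTITY for MySQL, verify-ca for PostgreSQL) are assumptions.

```python
import re
from urllib.parse import parse_qs

# Rules derived from the URL templates on this page: URL prefix, then
# {parameter: allowed values, or None when any non-empty value is accepted}.
RULES = {
    "mysql": ("jdbc:mysql://", {
        "sslMode": {"VERIFY_CA", "VERIFY_IDENTITY"},  # VERIFY_IDENTITY: assumption
        "trustCertificateKeyStoreUrl": None,
        "trustCertificateKeyStoreType": None,
        "trustCertificateKeyStorePassword": None,
        "enabledTLSProtocols": {"TLSv1.2"},
    }),
    "oracle": ("jdbc:oracle:thin:@tcps://", {
        "javax.net.ssl.trustStore": None,
        "javax.net.ssl.trustStorePassword": None,
    }),
    "postgresql": ("jdbc:postgresql://", {
        "sslmode": {"verify-ca", "verify-full"},  # verify-ca: assumption
        "sslrootcert": None,
        "enabledTLSProtocols": {"TLSv1.2"},
    }),
}

def check_jdbc_override(db_type, url):
    """Return a list of problems; an empty list means the URL matches the template."""
    if db_type not in RULES:
        return [f"unknown ranger_kms_database_type: {db_type}"]
    prefix, params = RULES[db_type]
    problems = []
    if not url.startswith(prefix):
        problems.append(f"URL must start with {prefix}")
    if re.search(r"<[^<>]+>", url):
        problems.append("template placeholder left unfilled")
    query = parse_qs(url.partition("?")[2], keep_blank_values=True)
    for name, allowed in params.items():
        value = query.get(name, [""])[-1]  # last occurrence of the parameter
        if not value:
            problems.append(f"missing {name}")
        elif allowed is not None and value not in allowed:
            problems.append(f"{name}={value} is not one of {sorted(allowed)}")
    return problems

# Constructed sample: encryption requested, but no CA verification or truststore.
SAMPLE_WEAK = ("jdbc:mysql://db.example.internal:3306/rangerkms"
               "?sslMode=REQUIRED&enabledTLSProtocols=TLSv1.1")

if __name__ == "__main__":
    print("\n".join(check_jdbc_override("mysql", SAMPLE_WEAK)))
```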