Integrating custom certificate with Key HSM

Learn how to integrate a custom certificate with Key HSM. The task consists of stopping the keyhsm service, backing up and deleting the existing keystore, adding an application property, rerunning the keyhsm setup, copying the custom keystore into place, and starting the keyhsm service again.

  1. Stop the keyhsm service.
    service keyhsm stop
  2. Back up and then delete the existing keystore file. It is named keystore and lives in the Key HSM base directory, /usr/share/keytrustee-server-keyhsm; the commands below are run from that directory.
    cp keystore /root/backup
    rm -f keystore
  3. Open the application.properties file and add the keyhsm.keystore.password.set=yes property. With this property set, the next keyhsm setup run prompts for the keystore password.
    vim application.properties
    Add the line keyhsm.keystore.password.set=yes
  4. Run the keyhsm setup again.
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# keyhsm setup luna
    
    -- Configuring keyHsm General Setup --
    Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM 
    Please enter Key HSM SSL listener IP address: [127.0.0.1]<fqdn>
    e.g. Please enter Key HSM SSL listener IP address: [127.0.0.1]dskmsktscu-4.dskmsktscu.root.hwx.site
    Will attempt to setup listener on dskmsktscu-4.dskmsktscu.root.hwx.site
    
    Please enter Key HSM SSL listener PORT number: 9090
    validate Port:                                    :[ Successful ]
    Enter the KeyStore Password:
    <enter the password that protects your custom keystore>
    This prompt appears only because of the property added in step 3. The password must be the one set on the custom keystore you copy into place in step 5.
    
    -- Configuring SafeNet Luna HSM --
    Please enter SafeNetHSM Slot Number: 0
    Please enter SafeNet HSM password (input suppressed): 
    Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
    Configuration saved in 'application.properties' file
  5. Copy the custom keystore into the Key HSM base directory, /usr/share/keytrustee-server-keyhsm.
    For example,
    cp /root/keystore.jks /usr/share/keytrustee-server-keyhsm/keystore

    The file must be named keystore (no extension). Its password is the custom one you entered at the KeyStore Password prompt in step 4.

  6. Start the keyhsm service.
    service keyhsm start
  7. Establish trust in both directions. First make Key HSM trust the Key Trustee Server (KTS) certificate, then make KTS trust the Key HSM server at its listener address and port. Use the same <fqdn> that you entered as the listener address in step 4.
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# keyhsm trust /path/to/key_trustee_server/cert
    
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# ktadmin keyhsm --server https://<fqdn>:9090 --trust
    e.g. ktadmin keyhsm --server https://dskmsktscu-4.dskmsktscu.root.hwx.site:9090 --trust
  8. Restart keyhsm.
    service keyhsm restart
  9. Restart the KTS from Cloudera Manager UI.
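As an added example (not Cloudera's own tooling and not code from this page), the script below wraps the non-interactive parts of the procedure above into two stages, prepare (steps 1 to 3) and finish (steps 5 and 6), with keyhsm setup luna (step 4) still run by hand in between. It adds the checks a practitioner wants before the swap: the old keystore is backed up under a timestamped name before it is removed, the property is set without creating a duplicate line, and, when keytool is available, the custom keystore is confirmed to open with the supplied password and to carry a certificate that names the listener FQDN. The function names, the KEYSTORE_PASS environment variable and the use of keytool are assumptions; the base directory, the backup location, the file name keystore and the property name come from the page.

```shell
#!/bin/sh
# Added example, not Cloudera's script. Two-stage helper for swapping in a custom
# Key HSM keystore; "keyhsm setup luna" (step 4) is run by hand between the stages.
# Assumptions (not from the page): function names, KEYSTORE_PASS, keytool validation.
set -eu

KEYHSM_HOME="${KEYHSM_HOME:-/usr/share/keytrustee-server-keyhsm}"   # from the page
BACKUP_DIR="${BACKUP_DIR:-/root/backup}"                            # from the page

# Add or update key=value in a Java properties file without creating a duplicate key.
# Prints "added" or "updated" so the caller knows which happened.
set_property() {
  local file="$1" key="$2" value="$3"
  if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file"
    echo updated
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
    echo added
  fi
}

# Print the current value of a property with leading whitespace trimmed (empty if absent).
get_property() {
  sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Copy a file to a timestamped backup and print the backup path.
backup_file() {
  local src="$1" dir="$2" dest
  mkdir -p "$dir"
  dest="$dir/$(basename "$src").$(date +%Y%m%dT%H%M%S)"
  cp -p "$src" "$dest"
  echo "$dest"
}

# Verify the custom keystore opens with the given password and that its certificate
# names the listener FQDN (subject CN or DNS SAN). Skipped when keytool is absent.
check_keystore() {
  local ks="$1" pass="$2" fqdn="$3" listing
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping keystore validation" >&2
    return 0
  fi
  if ! listing=$(keytool -list -v -keystore "$ks" -storepass "$pass" 2>&1); then
    echo "cannot open $ks with the supplied password" >&2
    return 1
  fi
  if ! printf '%s\n' "$listing" | grep -qF -e "CN=$fqdn" -e "DNSName: $fqdn"; then
    echo "certificate in $ks does not name $fqdn; listener name and certificate must match" >&2
    return 1
  fi
}

# Stage 1 (steps 1-3): validate the new keystore, stop the service, back up and remove
# the old keystore, set the property that makes keyhsm setup prompt for the password.
prepare_keystore_swap() {
  local new_ks="$1" fqdn="$2" pass="${KEYSTORE_PASS:-}" bak
  [ -n "$pass" ] || { echo "set KEYSTORE_PASS in the environment (not on argv)" >&2; return 1; }
  check_keystore "$new_ks" "$pass" "$fqdn"
  service keyhsm stop
  cd "$KEYHSM_HOME"
  if [ -f keystore ]; then
    bak=$(backup_file keystore "$BACKUP_DIR")
    echo "old keystore saved to $bak"
    rm -f keystore
  fi
  set_property application.properties keyhsm.keystore.password.set yes >/dev/null
  echo "Now run 'keyhsm setup luna' in $KEYHSM_HOME: enter $fqdn as the listener address and the keystore password when prompted."
}

# Stage 2 (steps 5-6): after keyhsm setup, install the keystore under the required name and start.
finish_keystore_swap() {
  cp -p "$1" "$KEYHSM_HOME/keystore"   # the file name must be exactly "keystore"
  service keyhsm start
}

case "${1:-}" in
  prepare) prepare_keystore_swap "$2" "$3" ;;
  finish)  finish_keystore_swap "$2" ;;
  *) echo "usage: $0 prepare <new_keystore> <fqdn> | finish <new_keystore>" >&2 ;;
esac
```

Run it as KEYSTORE_PASS=... sh swap-keyhsm-keystore.sh prepare /root/keystore.jks <fqdn>, then keyhsm setup luna by hand, then sh swap-keyhsm-keystore.sh finish /root/keystore.jks, and continue with steps 7 to 9. The password is taken from the environment rather than the command line so that it does not appear in process listings.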