Integrating custom certificate with Key HSM

Learn how to integrate the custom certificate with Key HSM. This task mainly includes stopping the keyhsm service, backing up and deleting the existing certificate, add an application property, running the keyhsm setup, copying back the custom certificate, and start the keyhsm service

  1. Stop the keyhsm service.
    service keyhsm stop
  2. Backup and delete the existing certificate which is the keystore file.
    cp keystore /root/backup
    rm -rf keystore
  3. Open the file and add the keyhsm.keystore.password.set= yes property.
    And property keyhsm.keystore.password.set= yes
  4. Run the keyhsm setup again.
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# keyhsm setup luna
    -- Configuring keyHsm General Setup --
    Cloudera Recommends to use as the listener port for Key HSM 
    Please enter Key HSM SSL listener IP address: []<fqdn>
    e.g. Please enter Key HSM SSL listener IP address: []
    Will attempt to setup listener on
    Please enter Key HSM SSL listener PORT number: 9090
    validate Port:                                    :[ Successful ]
    Enter the KeyStore Password:
    <Enter the custom password set for custom certificate>
    This prompt will come because of step #3
    -- Configuring SafeNet Luna HSM --
    Please enter SafeNetHSM Slot Number: 0
    Please enter SafeNet HSM password (input suppressed): 
    Configuration stored in: ''. (Note: You can also use keyhsm settings to quickly view your current configuration)
    Configuration saved in '' file
  5. Copy the custom certificate at the base location of keyhsm which is cd /usr/share/keytrustee-server-keyhsm.
    For example,
    cp /root/keystore.jks keystore

    File name of the custom certificate should be keystore. You can provide custom password.

  6. Start the keyhsm service.
    service keyhsm start
  7. Configure KTS to trust the Key HSM server.
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# keyhsm trust /path/to/key_trustee_server/cert
    [root@dskmsktscu-4 keytrustee-server-keyhsm]# ktadmin keyhsm --server https://<fqdn>:9090 --trust 
    e.g. ktadmin keyhsm --server --trust 
  8. Restart keyhsm.
    service keyhsm restart
  9. Restart the KTS from Cloudera Manager UI.