Initializing Navigator Key HSM

Key HSM is initialized using a series of CLI commands and prompts. The setup information you enter is dependent on which type of HSM you are using with Navigator Key HSM.

Before initializing Navigator Key HSM, verify that the HSM is properly configured and accessible from the Key HSM host, and that the HSM client libraries are installed on the Key HSM host:
  • SafeNet Luna

    Install the SafeNet Luna client. No additional configuration is needed.

  • SafeNet KeySecure

    Extract the KeySecure client tarball in the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

  • Thales

    Install the Thales client service. Copy nCipherKM.jar, jcetools.jar, and rsaprivenc.jar from the installation media (usually located in opt/nfast/java/classes relative to the installation media mount point) to the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

  • AWS CloudHSM

    Install the AWS CloudHSM client. No additional configuration is needed.

See your HSM product documentation for more information on installing and configuring your HSM and client libraries.
For Luna v7, the keyhsm user must be added to the hsmusers group with the following command:
sudo usermod -a -G hsmusers keyhsm
  1. To initialize Key HSM, use the service keyhsm setup command in conjunction with the name of the target HSM distribution:
    sudo service keyhsm setup [keysecure|thales|luna|cloudhsm]

    For all HSM distributions, you are prompted for the IP address and port number that Key HSM listens on.

    Cloudera recommends using the loopback address ( for the listener IP address and 9090 as the port number:
    -- Configuring keyHsm General Setup --
    Cloudera Recommends to use as the listener port for Key HSM
    Please enter Key HSM SSL listener IP address: []
    Will attempt to setup listener on
    Please enter Key HSM SSL listener PORT number: 9090
    validate Port:                                    :[ Successful ]
  2. If the setup utility successfully validates the listener IP address and port, you are prompted for additional information specific to your HSM. For HSM-specific instructions, continue to the HSM-Specific Setup for Cloudera Navigator Key HSM section for your HSM.
  3. The Key HSM keystore defaults to a strong, randomly-generated password. However, you can change the keystore password in the file:
    Next, run the service keyhsm setup command with the name of the HSM to which the keystore password applies. You will be prompted to enter the new keystore password, which must be a minimum of six characters in length:
    sudo service keyhsm setup [keysecure|thales|luna|cloudhsm]
  4. After initial setup, the configuration is stored in the /usr/share/keytrustee-server-keyhsm/ file, which contains human-readable configuration information for the Navigator Key HSM server.

    For additional details about keystores and truststores, see Understanding Keystores and Trustores.