Initializing Navigator Key HSM

Key HSM is initialized using a series of CLI commands and prompts. The setup information you enter is dependent on which type of HSM you are using with Navigator Key HSM.

Before initializing Navigator Key HSM, verify that the HSM is properly configured and accessible from the Key HSM host, and that the HSM client libraries are installed on the Key HSM host:

SafeNet Luna
Install the SafeNet Luna client. No additional configuration is needed.
SafeNet KeySecure
Extract the KeySecure client tarball in the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).
Thales
Install the Thales client service. Copy nCipherKM.jar, jcetools.jar, and rsaprivenc.jar from the installation media (usually located in opt/nfast/java/classes relative to the installation media mount point) to the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).
AWS CloudHSM
Install the AWS CloudHSM client. No additional configuration is needed.

See your HSM product documentation for more information on installing and configuring your HSM and client libraries.

note

These steps need to be performed for Ranger KMS KTS with KeyHSM with runtime JDK 17

Open the keyhsm startup script.

vim /usr/share/keytrustee-server-keyhsm/start.sh

Export java home.

export JAVA_HOME=/usr/lib/jvm/jdk1.17.0-openjdk

Export JAVA options mentioned below.

export _JAVA_OPTIONS="--add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/com.sun.crypto.provider=ALL-UNNAMED"

Change the java command at the end accordingly
```
${JAVA_HOME}/bin/java
```

This is an example of a start.sh script.

KEYHSM_HOME_DIR=/usr/share/keytrustee-server-keyhsm
          
export JAVA_HOME=/usr/lib/jvm/jdk1.17.0-openjdk
          
export _JAVA_OPTIONS="--add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/com.sun.crypto.provider=ALL-UNNAMED"
          
PROPERTIES=${KEYHSM_HOME_DIR}/application.properties
          
maxHeap=`grep "^keyhsm.jvm.heap.mx.gb" ${PROPERTIES} | awk -F= '{print $NF}' | tr -d '[:space:]'`
if [ -z "$maxHeap" ]; then
  maxHeap=2
fi
          
${JAVA_HOME}/bin/java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*:/opt/cloudhsm/java/*:/usr/share/keytrustee-server-keyhsm/conf/" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/:/opt/cloudhsm/lib/ -Dlogback.configurationFile=/usr/share/keytrustee-server-keyhsm/conf/logback.xml -Djdk.tls.trustNameService=true -Xms1g -Xmx${maxHeap}g com.cloudera.app.run.Program $@

For Luna v7, the keyhsm user must be added to the hsmusers group with the following command:

sudo usermod -a -G hsmusers keyhsm

To initialize Key HSM, use the service keyhsm setup command in conjunction with the name of the target HSM distribution:
```
sudo service keyhsm setup [keysecure|thales|luna|cloudhsm]
```
For all HSM distributions, you are prompted for the IP address and port number that Key HSM listens on.

important
If you have implemented Key Trustee Server high availability, initialize Key HSM on each Key Trustee Server.
Cloudera recommends using the loopback address (127.0.0.1) for the listener IP address and 9090 as the port number:
```
-- Configuring keyHsm General Setup --
Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM
Please enter Key HSM SSL listener IP address: [127.0.0.1]127.0.0.1
Will attempt to setup listener on 127.0.0.1
Please enter Key HSM SSL listener PORT number: 9090

validate Port:                                    :[ Successful ]
```
If the setup utility successfully validates the listener IP address and port, you are prompted for additional information specific to your HSM. For HSM-specific instructions, continue to the HSM-Specific Setup for Cloudera Navigator Key HSM section for your HSM.
The Key HSM keystore defaults to a strong, randomly-generated password. However, you can change the keystore password in the application.properties file:
```
keyhsm.keystore.password.set=yes
```
Next, run the service keyhsm setup command with the name of the HSM to which the keystore password applies. You will be prompted to enter the new keystore password, which must be a minimum of six characters in length:
```
sudo service keyhsm setup [keysecure|thales|luna|cloudhsm]
```
After initial setup, the configuration is stored in the /usr/share/keytrustee-server-keyhsm/application.properties file, which contains human-readable configuration information for the Navigator Key HSM server.

important
The truststore file created during Key HSM initialization must be stored at /usr/share/keytrustee-server-keyhsm/. There is no way to change the default location.

For additional details about keystores and truststores, see Understanding Keystores and Trustores.