HSM-Specific Setup for Cloudera Navigator Key HSM

Additional HSM-specific setup information for Key HSM.

SafeNet KeySecure

Prerequisites

Before setting up SafeNet KeySecure, be sure to:

  • Set the protocol to NAE-XML
  • Set Allow Key and Policy Configuration Operations to enabled
  • Set Password Authentication to required
  • Disable Client Certificate Authentication
  • Set KeySecure Crypto Operations to activated
For additional details about SafeNet KeySecure settings, see the SafeNet KeySecure product documentation.
After entering the Key HSM listener IP address and port, the HSM setup for SafeNet KeySecure prompts for login credentials, the IP address of the KeySecure HSM, and the port number:
-- Ingrian HSM Credential Configuration --
Please enter HSM login USERNAME: keyhsm
Please enter HSM login PASSWORD: ******

Please enter HSM IP Address or Hostname: 172.19.1.135
Please enter HSM Port number: 9020
If the connection is successful, the following message is displayed:
Valid address:                                    :[ Successful ]
The KeySecure setup utility then prompts you whether to use SSL:
Use SSL? [Y/n] Y
If you choose to use SSL, Key HSM attempts to resolve the server certificate, and prompts you to trust the certificate:
  [0]         Version: 3
         SerialNumber: 0
             IssuerDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
           Start Date: Thu Jan 29 09:55:57 EST 2015
           Final Date: Sat Jan 30 09:55:57 EST 2016
            SubjectDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
           Public Key: RSA Public Key
            modulus: abe4a8dcef92e145984309bd466b33b35562c7f875
                     1d1c406b1140e0584890272090424eb347647ba04b
                     34757cacc79652791427d0d8580a652c106bd26945
                     384b30b8107f8e15d2deba8a4e868bf17bb0207383
                     7cffef0ef16d5b5da5cfb4d3625c0affbda6320daf
                     7c6b6d8adfcb563960fcd1207c059300feb6513408
                     79dd2d929a5b986517531be93f113c8db780c92ddf
                     30f5c8bf2b0bea60359b67be306c520358cc0c3fc3
                     65500d8abeeac99e53cc2b369b2031174e72e6fca1
                     f9a4639e09240ed6d4a73073885868e814839b09d5
                     6aa98a5a1e230b46cdb4818321f546ac15567c5968
                     33be47ef156a73e537fd09605482790714f4a276e5
                     f126f935
    public exponent: 10001

  Signature Algorithm: SHA256WithRSAEncryption
            Signature: 235168c68567b27a30b14ab443388039ff12357f
                       99ba439c6214e4529120d6ccb4a9b95ab25f81b4
                       7deb9354608df45525184e75e80eb0948eae3e15
                       c25c1d58c4f86cb9616dc5c68dfe35f718a0b6b5
                       56f520317eb5b96b30cd9d027a0e42f60de6dd24
                       5598d1fcea262b405266f484143a74274922884e
                       362192c4f6417643da2df6dd1a538d6d5921e78e
                       20a14e29ca1bb82b57c02000fa4907bd9f3c890a
                       bdae380c0b4dc68710deeaef41576c0f767879a7
                       90f30a4b64a6afb3a1ace0f3ced17ae142ee6f18
                       5eff64e8b710606b28563dd99e8367a0d3cbab33
                       2e59c03cadce3a5f4e0aaa9d9165e96d062018f3
                       6a7e8e3075c40a95d61ebc8db43d77e7
       Extensions:
                       critical(false) BasicConstraints: isCa(true)
                       critical(false) NetscapeCertType: 0xc0

Trust this server? [y/N] Y

Trusted server:                                   :[ Successful ]

CloudHSM

Before completing the CloudHSM setup, verify that the CloudHSM connection is properly configured by running either the cloudhsm_mgmt_util or key_mgmt_util tool and verifying that the tool connects to the HSM successfully. After validating this connection, you can exit the tool:
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg

Connecting to the server(s), it may take time
depending on the server(s) load, please wait...

Connecting to server '<hsm ip>': hostname '<hsm ip>', port 2225...
Connected to server '<hsm ip>': hostname '<hsm ip>', port 2225.
aws-cloudhsm>quit
After entering the Key HSM listener IP address and port identifier, the HSM setup for CloudHSM prompts you for: the crypto user name and crypto user password.
-- Configuring CloudHSM --
Please enter the crypto user name: <username>
Please enter the crypto user password  (input suppressed):

Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)

Thales HSM

By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using ports 11500 and 11501.

To change the Thales client ports, run the following commands:
sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501
sudo /opt/nfast/sbin/init.d-ncipher restart
To configure Key HSM to use the modified port, edit the /usr/share/keytrustee-server-keyhsm/start.sh file and add the -DNFAST_SERVER_PORT=11500 Java system property. For example:
java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@
Before completing the Thales HSM setup, run the nfkminfo command to verify that the Thales HSM is properly configured:
$ sudo /opt/nfast/bin/nfkminfo
  World generation  2
  state       0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient
              RTC  NVRAM FTO !AlwaysUseStrongPrimes SEEDebug

If state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for instructions.

After entering the Key HSM listener IP address and port, the HSM setup for Thales prompts for the OCS card password:
Please enter the OCS Card Password (input suppressed):

Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)

Luna HSM

Before completing the Luna HSM setup, run the vtl verify command (usually located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is properly configured.

After entering the Key HSM listener IP address and port, the HSM setup for Luna prompts for the slot number and password:
-- Configuring SafeNet Luna HSM --
Please enter SafeNetHSM Slot Number: 1
Please enter SafeNet HSM password (input suppressed):
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Configuration saved in 'application.properties' file

See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.