HSM-Specific Setup for Cloudera Navigator Key HSM
Additional HSM-specific setup information for Key HSM.
SafeNet KeySecure
Prerequisites
Before setting up SafeNet KeySecure, be sure to:
- Set the protocol to
NAE-XML
- Set Allow Key and Policy Configuration Operations to
enabled
- Set Password Authentication to
required
- Disable Client Certificate Authentication
- Set KeySecure Crypto Operations to
activated
-- Ingrian HSM Credential Configuration --
Please enter HSM login USERNAME: keyhsm
Please enter HSM login PASSWORD: ******
Please enter HSM IP Address or Hostname: 172.19.1.135
Please enter HSM Port number: 9020
Valid address: :[ Successful ]
Use SSL? [Y/n] Y
[0] Version: 3
SerialNumber: 0
IssuerDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
Start Date: Thu Jan 29 09:55:57 EST 2015
Final Date: Sat Jan 30 09:55:57 EST 2016
SubjectDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
Public Key: RSA Public Key
modulus: abe4a8dcef92e145984309bd466b33b35562c7f875
1d1c406b1140e0584890272090424eb347647ba04b
34757cacc79652791427d0d8580a652c106bd26945
384b30b8107f8e15d2deba8a4e868bf17bb0207383
7cffef0ef16d5b5da5cfb4d3625c0affbda6320daf
7c6b6d8adfcb563960fcd1207c059300feb6513408
79dd2d929a5b986517531be93f113c8db780c92ddf
30f5c8bf2b0bea60359b67be306c520358cc0c3fc3
65500d8abeeac99e53cc2b369b2031174e72e6fca1
f9a4639e09240ed6d4a73073885868e814839b09d5
6aa98a5a1e230b46cdb4818321f546ac15567c5968
33be47ef156a73e537fd09605482790714f4a276e5
f126f935
public exponent: 10001
Signature Algorithm: SHA256WithRSAEncryption
Signature: 235168c68567b27a30b14ab443388039ff12357f
99ba439c6214e4529120d6ccb4a9b95ab25f81b4
7deb9354608df45525184e75e80eb0948eae3e15
c25c1d58c4f86cb9616dc5c68dfe35f718a0b6b5
56f520317eb5b96b30cd9d027a0e42f60de6dd24
5598d1fcea262b405266f484143a74274922884e
362192c4f6417643da2df6dd1a538d6d5921e78e
20a14e29ca1bb82b57c02000fa4907bd9f3c890a
bdae380c0b4dc68710deeaef41576c0f767879a7
90f30a4b64a6afb3a1ace0f3ced17ae142ee6f18
5eff64e8b710606b28563dd99e8367a0d3cbab33
2e59c03cadce3a5f4e0aaa9d9165e96d062018f3
6a7e8e3075c40a95d61ebc8db43d77e7
Extensions:
critical(false) BasicConstraints: isCa(true)
critical(false) NetscapeCertType: 0xc0
Trust this server? [y/N] Y
Trusted server: :[ Successful ]
CloudHSM
cloudhsm_mgmt_util
or key_mgmt_util
tool and verifying that the tool connects to the HSM successfully. After
validating this connection, you can exit the
tool:$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
Connecting to the server(s), it may take time
depending on the server(s) load, please wait...
Connecting to server '<hsm ip>': hostname '<hsm ip>', port 2225...
Connected to server '<hsm ip>': hostname '<hsm ip>', port 2225.
aws-cloudhsm>quit
-- Configuring CloudHSM --
Please enter the crypto user name: <username>
Please enter the crypto user password (input suppressed):
Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
Thales HSM
By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using ports 11500 and 11501.
sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501
sudo /opt/nfast/sbin/init.d-ncipher restart
/usr/share/keytrustee-server-keyhsm/start.sh
file and
add the -DNFAST_SERVER_PORT=11500
Java system property.
For
example:java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@
nfkminfo
command to verify that the Thales HSM is properly configured:$ sudo /opt/nfast/bin/nfkminfo
World generation 2
state 0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient
RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug
If state
reports !Usable
instead of Usable
, configure the Thales HSM before continuing. See the Thales product documentation for instructions.
Please enter the OCS Card Password (input suppressed):
Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Luna HSM
Before completing the Luna HSM setup, run the vtl
verify
command (usually located at
/usr/safenet/lunaclient/bin/vtl
) to verify that the
Luna HSM is properly configured.
-- Configuring SafeNet Luna HSM --
Please enter SafeNetHSM Slot Number: 1
Please enter SafeNet HSM password (input suppressed):
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Configuration saved in 'application.properties' file
See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.