Integrating Ranger KMS DB with CipherTrust Manager HSM

How to integrate Ranger KMS DB with CipherTrust Manager HSM.

This task describes how to integrate Ranger KMS DB with CipherTrust Manager Hardware Security Module (HSM). This process includes configuring the NAE port in Thales Cipher Trust Manager, configuring Ranger DB KMS to interact with Thales CipherTrust HSM, or, migrating Ranger KMS DB Master Key To CipherTrust Manager HSM, and migrating the master key from CipherTrust Manager HSM to Ranger KMS DB.

  • Ensure you have Thales CipherTrust Manger installed in your enivronment.
  • Ensure you have Java (jdk1.8.0.232) installed.
Configure NAE port in Thales CipherTrust Manager
  1. Log in to Thales CipherTrust Manager.
  2. In CipherTrust Manager > Admin Settings, select Add Interface.
  3. In Type, Select NAE (default).
  4. In Network Interface, selectAll.
  5. In Port, type a value for the port number.
  6. In Mode, select one of the following options to match your environment:
    • No TLS, user must supply password.
    • TLS, Ignore client cert. user must supply password.
  7. Click Add.
  8. If selected mode is TLS, ignore client cert, user must supply password while adding interface, then click Edit and Download Current Certificate as shown in the images below. Else, skip this step.
  9. After the certificate is downloaded (e.g -Certificate_nae.txt) copy it to Ranger KMS server
    Create a directory on Ranger KMS serverhost under /etc/security.
    mkdir etc/security/serverKeys
    and scp the downloaded certificate to this directory. Ensure that the user has required access to the file
    chown kms:kms etc/security/serverKeys/Certificate_nae.txt
    chmod 755 etc/security/serverKeysCertificate_nae.txt
  10. Create a user.
    1. Go toAccess Management > Users, click Create New User .
    2. In Create a New User, provide a username, password, and any required information.
    3. Click Create.