Registering Cloudera Navigator Encrypt

Prerequisites

Functioning Ranger KMS

After installing Navigator Encrypt on a host, you must register the host with Ranger KMS.

Master Password

The Master Key is the primary Navigator Encrypt administrator access code and is configured by the Navigator Encrypt administrator during installation. The Master Key can take any one of three different forms:
  • If you choose a passphrase (single), it must be between 15 and 32 characters long.
  • If you choose passphrase (dual), both must be between 15 and 32 characters long.
  • If you choose the RSA option, enter the path to the RSA key file and, if the private key is protected by an RSA passphrase, enter that passphrase as well.

Registering with Ranger KMS

After installing Navigator Encrypt on a host, you must register the host with Ranger KMS in order to encrypt and decrypt data. The following section lists the command options for registering your Navigator Encrypt client.

If the TLS certificate is signed by an internal CA that is not publicly recognized, then you must add the root certificate to the host certificate truststore of each Navigator Encrypt client.

Example command:
sudo navencrypt register --server=https://rangerkms01.example.com:9494 --passive-server=https://rangerkms02.example.com:9494  --skip-ssl-check --kms -m 'https
Table 1. Registration Options - Ranger KMS

Command Option          Explanation
--server=URL            Specify the URL of the active Key Manager server.
--passive-server=URL    Specify the URL of the passive Key Manager server.
--skip-ssl-check        Skip the SSL certificate check if this option is passed.
--kms                   The Key Manager Server is Ranger KMS.
--scheme "<scheme>"     The Ranger KMS scheme that Navigator Encrypt uses for public key operations. Specify "http" or "https".

Updating Ranger KMS Ports

The navencrypt register command cannot change the ports of an existing registration. If the Ranger KMS ports are changed, you must update ztrustee.conf with the new port and scheme parameters (HKP_PORT and HKP_SCHEME, respectively).

If the Ranger KMS is updated to use port 9494 for both key storage and public key operations, you must update ztrustee.conf as follows:
Example:
            {
                "LOCAL_FINGERPRINT":    "2048R/3C818490979EDED9915AEC34E03D413CB2ABE631",
                "REMOTES":      {
                    "dktsmig-2.vpc.cloudera.com":  {
                        "REMOTE_FINGERPRINT":   "4096R/391A464B50C40BDFAE7C70D3975DD0B149B2680E",
                        "REMOTE_SERVER":        "https://dktsmig-2.vpc.cloudera.com:9494",
                        "HKP_PORT":     9494,
                        "HKP_SCHEME":   "https",
                        "DEFAULT":      true,
                        "HKP_TIMEOUT":  60,
                        "REMOTE_SERVERS":       ["https://dktsmig-2.vpc.cloudera.com:9494", "https://dktsmig-1.vpc.cloudera.com:9494"],
                        "SSL_INSECURE": true,
                        "PROTOCOL":     "json-cleartext",
                        "IS_KMS":       true
                    }
                }
            }
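The port update described above, as an added example that is not part of Cloudera's documentation or tooling: it parses a ztrustee.conf fragment laid out like the one shown, sets HKP_PORT and HKP_SCHEME on every Ranger KMS remote, and audits the result for settings an operator should review (SSL_INSECURE, a plain-http public key scheme, and a REMOTE_SERVER port that no longer matches HKP_PORT). The hostnames and fingerprints in the sample are constructed placeholders, and the helper names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the ztrustee.conf fragment above; hostnames and
# fingerprints are placeholders, not values from a real deployment.
SAMPLE_CONF = """{
  "LOCAL_FINGERPRINT": "2048R/LOCAL_FINGERPRINT_PLACEHOLDER",
  "REMOTES": {
    "kms-2.example.com": {
      "REMOTE_FINGERPRINT": "4096R/REMOTE_FINGERPRINT_PLACEHOLDER",
      "REMOTE_SERVER": "https://kms-2.example.com:9494",
      "HKP_PORT": 9393,
      "HKP_SCHEME": "http",
      "DEFAULT": true,
      "HKP_TIMEOUT": 60,
      "REMOTE_SERVERS": ["https://kms-2.example.com:9494", "https://kms-1.example.com:9494"],
      "SSL_INSECURE": true,
      "PROTOCOL": "json-cleartext",
      "IS_KMS": true
    }
  }
}"""


def update_kms_ports(conf_text, port, scheme):
    """Parse ztrustee.conf text and set HKP_PORT/HKP_SCHEME on every Ranger KMS remote.

    Returns the updated configuration as a dict; json.dumps(conf, indent=4) renders
    it back into the file format shown on the page.
    """
    if scheme not in ("http", "https"):
        raise ValueError("HKP_SCHEME must be 'http' or 'https'")
    if not 1 <= port <= 65535:
        raise ValueError("HKP_PORT out of range")
    conf = json.loads(conf_text)
    for remote in conf.get("REMOTES", {}).values():
        if remote.get("IS_KMS"):  # leave any non-KMS remote untouched
            remote["HKP_PORT"] = port
            remote["HKP_SCHEME"] = scheme
    return conf


def audit_remotes(conf):
    """Return findings an operator should review before trusting the registration."""
    findings = []
    for name, remote in conf.get("REMOTES", {}).items():
        if remote.get("SSL_INSECURE"):
            findings.append(f"{name}: SSL_INSECURE is true, so the KMS certificate is not verified")
        if remote.get("HKP_SCHEME") != "https":
            findings.append(f"{name}: public key operations use plain {remote.get('HKP_SCHEME')}")
        store_port = urlsplit(remote.get("REMOTE_SERVER", "")).port
        if store_port != remote.get("HKP_PORT"):
            findings.append(f"{name}: REMOTE_SERVER port {store_port} differs from HKP_PORT {remote.get('HKP_PORT')}")
    return findings
```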