Registering Cloudera Navigator Encrypt
Prerequisites
Functioning Ranger KMS
After installing Navigator Encrypt on a host, you must register the host with Ranger KMS.
Master Password
- If you choose a single passphrase, it must be between 15 and 32 characters long.
- If you choose dual passphrases, both must be between 15 and 32 characters long.
- If you choose the RSA option, enter the path to the RSA private key file and, if the key is protected by an RSA passphrase, enter that passphrase as well.
Registering with Ranger KMS
After installing Navigator Encrypt on a host, you must register the host with Ranger KMS before it can encrypt and decrypt data. The following section lists the command options for registering your Navigator Encrypt client.
If the Ranger KMS TLS certificate is signed by an internal CA that is not publicly trusted, add that CA's root certificate to the host certificate truststore of each Navigator Encrypt client rather than disabling certificate checks; otherwise the client cannot verify that it is talking to the real KMS.
sudo navencrypt register --server=https://rangerkms01.example.com:9494 --passive-server=https://rangerkms02.example.com:9494 --skip-ssl-check --kms -m 'https
Command Option | Explanation
---|---
--server=URL | Specify the URL of the active Key Manager (Ranger KMS) server.
--passive-server=URL | Specify the URL of the passive Key Manager server.
--skip-ssl-check | Skip verification of the server's TLS certificate. This removes server authentication for the KMS connection, so an attacker who can intercept traffic could impersonate the KMS; use it only for testing and prefer trusting the CA certificate on the host instead.
--kms | The Key Manager server is Ranger KMS.
--scheme "<scheme>" | Ranger KMS scheme that Navigator Encrypt uses for public key operations. Specify "http" or "https".
Updating Ranger KMS Ports
The navencrypt register command does not provide a way to change the ports of an existing registration. If the Ranger KMS ports are changed, you must update ztrustee.conf with the new port and scheme parameters (HKP_PORT and HKP_SCHEME, respectively). Note that the sample below carries "SSL_INSECURE": true, so certificate verification of the Ranger KMS endpoint is disabled; on a production client keep this false and trust the KMS CA certificate in the host truststore instead.
Example ztrustee.conf:
```json
{
  "LOCAL_FINGERPRINT": "2048R/3C818490979EDED9915AEC34E03D413CB2ABE631",
  "REMOTES": {
    "dktsmig-2.vpc.cloudera.com": {
      "REMOTE_FINGERPRINT": "4096R/391A464B50C40BDFAE7C70D3975DD0B149B2680E",
      "REMOTE_SERVER": "https://dktsmig-2.vpc.cloudera.com:9494",
      "HKP_PORT": 9494,
      "HKP_SCHEME": "https",
      "DEFAULT": true,
      "HKP_TIMEOUT": 60,
      "REMOTE_SERVERS": [
        "https://dktsmig-2.vpc.cloudera.com:9494",
        "https://dktsmig-1.vpc.cloudera.com:9494"
      ],
      "SSL_INSECURE": true,
      "PROTOCOL": "json-cleartext",
      "IS_KMS": true
    }
  }
}
```
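The port change described above has to be made by hand in ztrustee.conf, and a mistake there leaves the client unable to reach the KMS. The following added example (not Cloudera code, and not part of the original page) rewrites HKP_PORT and HKP_SCHEME for every remote and audits the result. The field names are the ones shown in the sample configuration; the sample hostnames and the file path are constructed for the example. Keeping the port embedded in REMOTE_SERVER and REMOTE_SERVERS in step with HKP_PORT is our assumption about what a consistent file looks like, not something the page states.

```python
"""Update and audit the Ranger KMS endpoint settings in a Navigator Encrypt
ztrustee.conf.  Added example, not Cloudera code.  Field names come from the
sample configuration on the page; the assumption that the port in the
REMOTE_SERVER/REMOTE_SERVERS URLs should track HKP_PORT is ours."""
import json
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the ztrustee.conf shown above (hostnames changed).
SAMPLE_CONF = json.dumps({
    "LOCAL_FINGERPRINT": "2048R/3C818490979EDED9915AEC34E03D413CB2ABE631",
    "REMOTES": {
        "kms-2.example.com": {
            "REMOTE_FINGERPRINT": "4096R/391A464B50C40BDFAE7C70D3975DD0B149B2680E",
            "REMOTE_SERVER": "https://kms-2.example.com:9494",
            "HKP_PORT": 9494,
            "HKP_SCHEME": "https",
            "DEFAULT": True,
            "HKP_TIMEOUT": 60,
            "REMOTE_SERVERS": ["https://kms-2.example.com:9494",
                               "https://kms-1.example.com:9494"],
            "SSL_INSECURE": True,
            "PROTOCOL": "json-cleartext",
            "IS_KMS": True,
        }
    },
})


def _rewrite_url(url, scheme, port):
    """Return url with its scheme and port replaced, host and path kept."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL without a host: {url!r}")
    return urlunsplit((scheme, f"{parts.hostname}:{port}", parts.path,
                       parts.query, parts.fragment))


def update_kms_endpoint(conf_text, new_port, new_scheme="https"):
    """Parse a ztrustee.conf and return it as a dict with every remote's
    HKP_PORT, HKP_SCHEME and server URLs pointed at the new endpoint."""
    if new_scheme not in ("http", "https"):
        raise ValueError("HKP_SCHEME must be 'http' or 'https'")
    if not 1 <= int(new_port) <= 65535:
        raise ValueError(f"port out of range: {new_port}")
    conf = json.loads(conf_text)
    for remote in conf["REMOTES"].values():
        remote["HKP_PORT"] = int(new_port)
        remote["HKP_SCHEME"] = new_scheme
        remote["REMOTE_SERVER"] = _rewrite_url(remote["REMOTE_SERVER"], new_scheme, new_port)
        remote["REMOTE_SERVERS"] = [_rewrite_url(u, new_scheme, new_port)
                                    for u in remote.get("REMOTE_SERVERS", [])]
    return conf


def audit_kms_config(conf):
    """Return the findings a reviewer would raise on a ztrustee.conf dict:
    disabled certificate verification, plain http, and URL/port mismatches."""
    findings = []
    for name, remote in conf["REMOTES"].items():
        if remote.get("SSL_INSECURE"):
            findings.append(f"{name}: SSL_INSECURE is true (KMS certificate not verified)")
        if remote.get("HKP_SCHEME") != "https":
            findings.append(f"{name}: HKP_SCHEME is {remote.get('HKP_SCHEME')!r}, not https")
        for url in [remote.get("REMOTE_SERVER")] + list(remote.get("REMOTE_SERVERS", [])):
            parts = urlsplit(url)
            if parts.scheme != remote.get("HKP_SCHEME") or parts.port != remote.get("HKP_PORT"):
                findings.append(f"{name}: {url} does not match HKP_SCHEME/HKP_PORT")
    return findings


def render_conf(conf):
    """Serialise the dict back to the JSON text written to ztrustee.conf."""
    return json.dumps(conf, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: python update_ztrustee.py [path] [new_port]; with no path the
    # constructed sample is used so the script runs offline.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9495
    text = open(path).read() if path else SAMPLE_CONF
    updated = update_kms_endpoint(text, port)
    for finding in audit_kms_config(updated):
        print("WARNING:", finding)
    if path:
        open(path, "w").write(render_conf(updated))
    else:
        print(render_conf(updated))
```

Run it against a copy of /etc/navencrypt/ztrustee.conf (path assumed; check where your installation keeps the file) and restart or re-test the client afterwards. The audit flags SSL_INSECURE because, exactly like --skip-ssl-check at registration time, it turns off the only check that ties the key-serving endpoint to the identity in its certificate.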