How to integrate Ranger KMS DB with CipherTrust Manager HSM.
This task describes how to integrate Ranger KMS DB with CipherTrust Manager Hardware
Security Module (HSM). This process includes configuring the NAE port in Thales
Cipher Trust Manager, configuring Ranger DB KMS to interact with Thales CipherTrust
HSM, or, migrating Ranger KMS DB Master Key To CipherTrust Manager HSM, and
migrating the master key from CipherTrust Manager HSM to Ranger KMS DB.
- Ensure you have Thales CipherTrust Manger installed in your enivronment.
- Ensure you have Java (jdk1.8.0.232) installed.
Configure NAE
port in Thales CipherTrust Manager
-
Log in to Thales CipherTrust Manager.
-
In , select Add Interface.
-
In Type, Select NAE (default).
-
In Network Interface,
selectAll.
-
In Port, type a value for the port number.
9000
-
In Mode, select one of the following options to match
your environment:
- No TLS,user must supply password.
- TLS, Ignore client cert. user must supply password.
-
Click Add.
-
If selected mode is
TLS,
ignore client cert, user must supply password while
adding interface, then click
Edit and Download Current Certificate as shown in the images
below.
Else,
skip this step.
-
After
the certificate
is
downloaded
(e.g
-Certificate_nae.txt)
copy it to Ranger KMS server
Create a directory on Ranger KMS serverhost under
/etc/security.
mkdir etc/security/serverKeys
and scp the downloaded
certificate to this directory. Ensure that the user has required access to the
file
chown kms:kms etc/security/serverKeys/Certificate_nae.txt
chmod 755 etc/security/serverKeysCertificate_nae.txt
-
Create a user.
-
Go to, click Create New User .
-
In Create a New User, provide a username,
password, and any required information.
-
Click Create.