Migrating the Master Key from Ranger KMS DB to Luna HSM

How to migrate the master key from Ranger KMS DB to Luna HSM.

  1. Go to the Ranger KMS directory.
    Example:
    cd /opt/cloudera/parcels/CDH/lib/ranger-kms
  2. Export the following variables:
    export JAVA_HOME=/usr/java/jdk1.8.0_232-cloudera
    export RANGER_KMS_HOME=/opt/cloudera/parcels/CDH/lib/ranger-kms
  3. Get the active directory of the rangerkms process and copy the conf directory:
    ps -ef | grep rangerkms

    From the output of the above command, get the value of the rangerkms conf directory.

    export RANGER_KMS_CONF=/var/run/cloudera-scm-agent/process/xxxx-ranger_kms-RANGER_KMS_SERVER/conf
    export SQL_CONNECTOR_JAR=/opt/cloudera/cm/lib/postgresql-42.1.4.jre7.jar
  4. Get the active directory of the rangerkms process and copy the active directory path:
    ps -ef | grep rangerkms
  5. Open proc.json and get the value of HADOOP_CREDSTORE_PASSWORD:
    vim /var/run/cloudera-scm-agent/process/xxxx-ranger_kms-RANGER_KMS_SERVER/proc.json
    export HADOOP_CREDSTORE_PASSWORD=hadoop_credstore_pwd
  6. Run the following command:
    [root@os-mv-711-1 ranger-kms]# ${JAVA_HOME}/bin/java -cp "${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_CONF}:${RANGER_KMS_HOME}/ews/webapp/WEB-INF/classes/lib/*:${SQL_CONNECTOR_JAR}:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF:${RANGER_KMS_CONF}/*" org.apache.hadoop.crypto.key.DB2HSMMKUtil LunaProvider <partition-name>
  7. Enter the partition password.
  8. Log in to the Luna client and validate that the master key was migrated successfully:
    cd /usr/safenet/lunaclient/bin/
    ./lunacm
    role login -n co
    enter password: passwrd123
    par con

    If the master key RangerKMSKey exists, the following output is shown:

    lunacm:>par con

    The 'Crypto Officer' is currently logged in.
    Looking for objects accessible to the 'Crypto Officer'.

    Object List:

    Label:             RangerKMSKey
    Handle:            131
    Object Type:       Symmetric Key
    Object UID:        ba8e00002e00000554380800

    Number of Objects: 1

    Command Result: No Error

  9. In Cloudera Manager > Ranger KMS > Configs, edit the following properties:
    ranger.ks.hsm.type = LunaProvider
    ranger.ks.hsm.enabled = true
    ranger.ks.hsm.partition.name = <partition-name>
    ranger.ks.hsm.partition.password = <passwrd123>

    Figure 1. Adding Ranger KMS Configuration for Luna HSM
  10. Restart Ranger KMS from Cloudera Manager.
Ensure that Ranger KMS is running with HSM enabled. If the database copy is no longer required, delete the master key row from the “ranger_masterkey” database table, as the master key has already been migrated to the HSM.
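The discovery steps of the procedure above (steps 3 to 6 and the step 8 check) are easy to get wrong by hand: the process directory number changes on every restart, the credstore password must be copied out of proc.json, and the classpath contains `*` entries that the shell will expand into file lists if they are left unquoted. The following script is an added example, not Cloudera's own tooling. It extracts the process directory from a `ps` line, reads HADOOP_CREDSTORE_PASSWORD from proc.json, assembles the same classpath as the migration command, and checks a `par con` listing for the RangerKMSKey label. All inputs are constructed sample data so the script runs offline; the layout of proc.json (an "environment" object holding the variable) is an assumption, and the script only prints the migration command rather than running it.

```shell
#!/bin/sh
# Added example (not part of the Cloudera page or the Ranger KMS project).
# Constructed sample inputs let the script run without a live cluster.

# --- constructed: one line of `ps -ef | grep rangerkms` output ---
SAMPLE_PS_LINE='rangerkms 12345 1 0 10:00 ? 00:01:02 /usr/java/jdk1.8.0_232-cloudera/bin/java -Dlogdir=/var/log/ranger/kms -cp /var/run/cloudera-scm-agent/process/1234-ranger_kms-RANGER_KMS_SERVER/conf:/opt/cloudera/parcels/CDH/lib/ranger-kms/ews/lib/* org.apache.ranger.server.tomcat.EmbeddedServer'

# --- constructed: the fragment of proc.json that carries the password ---
# (assumption: Cloudera Manager stores process env vars under "environment")
SAMPLE_PROC_JSON='{
  "name": "ranger_kms-RANGER_KMS_SERVER",
  "environment": {
    "JAVA_HOME": "/usr/java/jdk1.8.0_232-cloudera",
    "HADOOP_CREDSTORE_PASSWORD": "hadoop_credstore_pwd"
  }
}'

# --- constructed: lunacm "par con" output after a successful migration ---
SAMPLE_LUNACM_OUTPUT='Object List:

Label:             RangerKMSKey
Handle:            131
Object Type:       Symmetric Key
Object UID:        ba8e00002e00000554380800

Number of Objects: 1

Command Result: No Error'

# Step 3/4: pull the active process directory out of a ps line.
# The numeric prefix differs per start, so match it with a pattern.
kms_process_dir() {
  printf '%s\n' "$1" \
    | grep -o '/var/run/cloudera-scm-agent/process/[0-9]*-ranger_kms-RANGER_KMS_SERVER' \
    | head -n 1
}

# Step 5: read HADOOP_CREDSTORE_PASSWORD from proc.json text without
# echoing it into shell history (the caller exports the returned value).
credstore_password() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"HADOOP_CREDSTORE_PASSWORD"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Step 6: build the classpath from the page's command. Arguments:
# $1 = RANGER_KMS_HOME, $2 = RANGER_KMS_CONF, $3 = SQL_CONNECTOR_JAR.
# The '*' entries are kept literal here; quote the result when passing it
# to java -cp or the shell will glob them into file lists.
migration_classpath() {
  printf '%s\n' "$1/cred/lib/*:$2:$1/ews/webapp/WEB-INF/classes/lib/*:$3:$1/ews/webapp/config:$1/ews/lib/*:$1/ews/webapp/lib/*:$1/ews/webapp/META-INF:$2/*"
}

# Step 6: print (do not run) the full migration command.
# $4 = JAVA_HOME, $5 = HSM partition name.
migration_command() {
  printf '%s\n' "$4/bin/java -cp \"$(migration_classpath "$1" "$2" "$3")\" org.apache.hadoop.crypto.key.DB2HSMMKUtil LunaProvider $5"
}

# Step 8: succeed only if the partition listing contains the expected label.
# $1 = "par con" output, $2 = expected key label (RangerKMSKey on this page).
hsm_has_label() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*Label:[[:space:]]+$2[[:space:]]*$"
}

# Dry run over the constructed data.
PROC_DIR="$(kms_process_dir "$SAMPLE_PS_LINE")"
echo "process dir : $PROC_DIR"
echo "credstore pw: $(credstore_password "$SAMPLE_PROC_JSON" | sed 's/./*/g')"
migration_command /opt/cloudera/parcels/CDH/lib/ranger-kms "$PROC_DIR/conf" \
  /opt/cloudera/cm/lib/postgresql-42.1.4.jre7.jar /usr/java/jdk1.8.0_232-cloudera '<partition-name>'
if hsm_has_label "$SAMPLE_LUNACM_OUTPUT" RangerKMSKey; then
  echo "RangerKMSKey present in partition"
else
  echo "RangerKMSKey NOT found; do not delete the ranger_masterkey row"
fi
```

On a real host you would replace the three SAMPLE_ variables with `ps -ef | grep rangerkms`, `cat "$PROC_DIR/proc.json"` and the saved `par con` output, and only then run the printed command. Keeping `hsm_has_label` as the gate before touching the ranger_masterkey table turns the final note of the page into a check rather than a reminder.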