Upgrading Cloudera Navigator Key Trustee Server 7.1.x

How to upgrade Cloudera Navigator Key Trustee Server 7.1.x.

You must create an internal repository to install or upgrade the Cloudera Navigator data encryption components. For instructions on creating internal repositories, see the following topic:

From CDP Private Cloud Base 7.1.6, the KEYTRUSTEE_SERVER parcel is available in the same location in which the Cloudera runtime parcel is placed. If you have configured the parcel repository for CDP Private Cloud Base upgrade, the KEYTRUSTEE_SERVER parcel is displayed automatically.

Upgrading Cloudera Navigator Key Trustee Server 7.1.x Using Cloudera Manager

Minimum Required Role: Cluster Administrator (also provided by Full Administrator)

  1. Add your internal parcel repository to Cloudera Manager following the instructions in Configuring Cloudera Manager Server Parcel Settings.
  2. Download, distribute, and activate the latest Key Trustee Server parcel on the cluster containing the Key Trustee Server host, following the instructions in Managing Parcels.
If you have upgraded from a Key Trustee version lower than 7.1.4 to a version higher than 7.1.4, perform these steps on both the Active and Passive KTS nodes. This mitigates the SSL handshake issue caused by the absence of a Subject Alternative Name in KTS after upgrading to a version higher than 7.1.4.
  1. Stop the KTS service from CM.
  2. Navigate to the location /var/lib/keytrustee/.keytrustee/.ssl/
     cd /var/lib/keytrustee/.keytrustee/.ssl/  
  3. Back up the cert files ssl-cert-keytrustee-pk.pem and ssl-cert-keytrustee.pem:
    mv ssl-cert-keytrustee-pk.pem ssl-cert-keytrustee-pk_backup.pem 
    mv ssl-cert-keytrustee.pem ssl-cert-keytrustee_backup.pem 
  4. Regenerate the cert file using the command:
    ktadmin init 
    1. Configure the keyhsm to trust the new cert file.
      keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
    2. For testing and validation execute the following command:
      curl -vk https://$(hostname -f):11371/test_hsm
  5. Start the KTS service from CM.
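
The curl -vk test in step 4 skips certificate verification, so it does not show whether the regenerated certificate carries a Subject Alternative Name. The check below is an added example, not part of Cloudera's documentation; it assumes openssl is installed on the KTS host and that clients address the server by the name hostname -f returns, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not Cloudera code): check the regenerated KTS certificate for a
# DNS Subject Alternative Name matching this host.

# Read `openssl x509 -noout -text` output on stdin and print each DNS SAN entry
# on its own line. Constructed sample of the lines being parsed:
#     X509v3 Subject Alternative Name:
#         DNS:kts01.example.com, DNS:kts01
san_dns_names() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
            grab = 0
        }'
}

# check_san <host> : certificate text on stdin.
# Returns 0 if <host> is a DNS SAN (exact, case-insensitive; wildcards not expanded),
#         1 if DNS SANs exist but none equals <host>,
#         2 if the certificate has no DNS SAN at all.
check_san() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(san_dns_names | tr '[:upper:]' '[:lower:]')
    [ -n "$names" ] || return 2
    printf '%s\n' "$names" | grep -Fxq -- "$host" && return 0
    return 1
}

# check_cert_file <cert.pem> [host] : wrapper for a certificate on disk.
# Assumption: clients reach KTS by the name `hostname -f` prints.
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_san "${2:-$(hostname -f)}"
}

# Usage: sh check_san.sh /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
if [ "$#" -ge 1 ]; then
    check_cert_file "$@"
    case $? in
        0) echo "OK: SAN covers this host" ;;
        1) echo "FAIL: SAN present but host not listed" ;;
        *) echo "FAIL: no DNS SAN in certificate" ;;
    esac
fi
```

Run it on both the Active and Passive nodes after ktadmin init; a non-zero result on the regenerated certificate means the handshake issue described above is likely to persist for clients that verify the host name.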