Assumptions and Requirements

The following assumptions and requirements apply when migrating a Key Trustee KMS server role instance to a new host.

  • Complete the steps one node at a time (migrate to the first new node, verify, then repeat the steps to migrate to the second new node, verify, and so on).
  • The sequence of restarts indicated throughout the steps is critical to completing the migration without data loss. Do not skip any of the steps.
  • As required for any KMS service that is configured for HA, ZooKeeper must be deployed as a service (true by default).
  • Review the TLS and Kerberos configuration requirements: the new KMS nodes must be ready with a Java keystore and truststore that present the correct host certificates while also trusting the Key Trustee Server. If the custom Kerberos keytab retrieval script is in use for Kerberos integration, have those keytabs ready and ingested before proceeding.
  • For this use case/procedure, assume that the existing KMS proxy host instances are named:
    • ktkms01.example.com
    • ktkms02.example.com
  • Assume that the host destination instances are:
    • ktkms03.example.com
    • ktkms04.example.com