Set up GCP Cloud HSM for Ranger KMS, KTS, and KeyHSM
How to integrate Ranger KMS and KTS with the Google Cloud Platform (GCP) HSM
This task describes how to set up the Google Cloud Platform (GCP) hardware security
module (HSM) service provided by Google. The process includes setting up the GCP
HSM service on a client (host), setting up KeyHSM and using the GCP HSM to validate
You must:
Log in to the Google Cloud console using your account. (Requires Google account
Have Ranger Key Management System, Key Trustee Server and Key HSM installed in
your environment.
Have Java (jdk1.8.0.232) installed.
See related topics for more information about installing Ranger KMS, KTS and
Set Up Google Cloud HSM
Log in to the Google Cloud console using your Cloudera account.
Create the service account by selecting or creating the Project.
Create the key.
Download and save the Key in JSON format.
In GCP Console > Key Management, create the key ring.
Figure 1. Creating a key ring in Google Cloud Platform
This example shows a project gcp-eng-sdx-daily, service account keyhsm, and key ring
Integrate GCP with KeyHSM
In your Key HSM root directory, copy the authentication key (JSON file) you
created in the setup process, and give it the appropriate ownership and access.
# rpm -ivh keytrustee-keyhsm-*.rpm
cd /usr/share/keytrustee-server-keyhsm/
chown keyhsm:keytrustee <key.filename>.json
Set up the GCP HSM.
keyhsm setup googlecloudhsm
# Google App Credential File<authentication file>.json
# Google HSM Project Id<project ID>
# Google HSM Location Id<location ID>
Validate the Key HSM service.
$ service keyhsm validate
Check Key HSM is stopped :[Successful]
Configuration Available :[Successful]
Port available :[Successful]
Unlimited-Strength JCE :[Successful]
Validate cipher list :[Successful]
HSM availability :[Successful]
All services available: :[Successful]
Start the Key HSM service.
$ service keyhsm start
Configure KTS to trust the Key HSM server.
$ ktadmin keyhsm --server http://$(hostname -f):<port configured in setup> --trust
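As an added example, not part of the Cloudera documentation or the KeyHSM product, the following POSIX shell script performs two checks an operator would want around the steps above: that the service-account JSON file is owned by keyhsm:keytrustee and readable by nobody else before it is handed to the setup, and that the output of service keyhsm validate contains no check other than [Successful]. The credential file name keyhsm-creds.json and the failing sample output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Cloudera documentation: pre-flight checks to run
# around "keyhsm setup googlecloudhsm" and "service keyhsm validate".
# Expected owner (keyhsm) and group (keytrustee) come from the chown step above.

# check_cred_file FILE OWNER GROUP
# 0 = ok, 1 = not a regular file, 2 = wrong owner/group, 3 = readable by others.
# Uses ls(1) rather than stat(1) because stat's flags differ between OSes.
check_cred_file() {
    f="$1"; want_owner="$2"; want_group="$3"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")          # $1=mode $3=owner $4=group
    mode="$1"; owner="$3"; group="$4"
    [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ] || return 2
    case "$mode" in
        -rw-------*) return 0 ;;   # 0600: only the service account can read it
        *)           return 3 ;;   # group/world-readable credential: refuse
    esac
}

# validate_output_ok < OUTPUT
# Reads the check lines printed by "service keyhsm validate" and returns 0 only
# if every one of them ends in [Successful]; failing lines are echoed to stderr.
validate_output_ok() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *":[Successful]") ;;
            *":["*"]") echo "FAILED: $line" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample (assumption) of a run where the HSM cannot be reached.
SAMPLE_BAD='Check Key HSM is stopped :[Successful]
Configuration Available :[Successful]
HSM availability :[Failed]'

main() {
    # Assumed file name; substitute the JSON key downloaded from GCP.
    rc=0
    check_cred_file /usr/share/keytrustee-server-keyhsm/keyhsm-creds.json keyhsm keytrustee || rc=$?
    echo "credential file check returned $rc (0 = ok)"
    if printf '%s\n' "$SAMPLE_BAD" | validate_output_ok; then
        echo "validate: all checks successful"
    else
        echo "validate: one or more checks failed"
    fi
}
```

In a real run, pipe the live output into the second function: service keyhsm validate | validate_output_ok.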