Configuring the Key HSM
How to configure the Key HSM to connect Cipher Trust.
After the Thales team successfully migrates the keys from Key Secure HSM to Cipher Trust Manager, you must configure the Key HSM to connect Cipher Trust. You must perform the following steps on both the Active and Passive KTS nodes.
The Thales team must have successfully migrated the keys from Key Secure HSM to Cipher Trust Manager.
-
Stop the
Key HSM
service.
$ service keyhsm stop
- Back up the existing application.properties file.
-
If
SSL is enabled on CipherTrust Manager,
run the
following command to....:
$ echo "thales_machine_ip nae.keysecure.local" >> /etc/hosts
-
Set
up
the
Key HSM service.
$ keyhsm setup keysecure
-- Configuring keyHsm General Setup -- Cloudera Recommends to use 127.0.0.1 as the listener port for Key HSM Please enter Key HSM SSL listener IP address: [127.0.0.1] Will attempt to setup listener on 127.0.0.1 Please enter Key HSM SSL listener PORT number: 9090 validate Port: :[ Successful ] -- Ingrian HSM Credential Configuration -- Please enter HSM login USERNAME: testuser (user created on Cipher Trust Manager) Please enter HSM login PASSWORD: Please enter HSM IP Address or Hostname: ec2-3-144-233-194.us-east-2.compute.amazonaws.com Please enter HSM Port number: 9000 Valid address: :[ Successful ] Use SSL? [Y/n] (As per the configuration done on Cipher Trust Manager) Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
-
Validate the Key HSM.
$ service keyhsm validate
Check Key HSM is stopped :[ Successful ] Configuration Available :[ Successful ] Port 127.0.0.1:9090 available :[ Successful ] Unlimited-Strength JCE :[ Successful ] Validate cipher list :[ Successful ] HSM availability :[ Successful ] All services available: :[ Successful ]
-
Start the Key HSM service.
$ service keyhsm start
Starting KeyHSM, please wait...
KeyHSM started successfully
-
Configure Key HSM to trust
KTS by
providing the full path to the file.
$ keyhsm trust /var/lib/keytrustee/.keytrustee/.ssl/ssl-cert-keytrustee.pem
-
Configure KTS to trust the Key HSM server.
$ ktadmin keyhsm --server http://127.0.0.1:9090 --trust
- Restart KTS Server from Cloudera Manager.
- Restart Ranger KMS KTS service from Cloudera Manager.