Installing Navigator HSM KMS Backed by Thales HSM

HSM KMS backed by Thales HSM is a custom Key Management Server (KMS) that uses a supported Thales HSM as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

Client Prerequisites

Navigator HSM KMS backed by Thales HSM is supported on Thales HSMs only. The Thales HSM client must be installed first.

The following Thales nShield Connect software and firmware are required:

  • Server version: 3.67.11cam4
  • Firmware: 2.65.2
  • Security World Version: 12.30
Before performing the Thales HSM setup, run the nfkminfo command to verify that Thales HSM is configured correctly.
$ sudo /opt/nfast/bin/nfkminfo
          World generation 2
          state      0x1727 Initialised Usable Recovery !PINRecovery !ExistingClient
                     RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug

If state reports !Usable instead of Usable, then configure the Thales HSM before continuing. See the Thales product documentation for details about how to configure the Thales client.

Run the following command to manually add the KMS user to the nfast group:

usermod -a -G nfast kms

If you do not manually add the KMS user, installation can fail.

Setting Up an Internal Repository

You must create an internal repository to install Navigator HSM KMS backed by Thales HSM. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Creating and Using a Parcel Repository for Cloudera Manager if you are using parcels, or Creating and Using a Package Repository for Cloudera Manager if you are using packages.

Installing Navigator HSM KMS Backed by Thales HSM Using Parcels

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring the Cloudera Manager Server to Use the Parcel URL for Hosted Repositories for more information.
  3. Download, distribute, and activate the Navigator HSM KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.

Installing Navigator HSM KMS Backed by Thales HSM Using Packages

  1. After Setting Up an Internal Repository, configure the Navigator KMS Services backed by Thales HSM host to use the repository. See Modifying Clients to Find the Repository for more information.
  2. Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See To add the CDH repository for instructions. If you want to create an internal CDH repository, see Creating a Local Yum Repository.
  3. Install the keytrustee-keyprovider package using the appropriate command for your operating system:
    • RHEL-compatible
      $ sudo yum install keytrustee-keyprovider

Post-Installation Configuration

For instructions on configuring HSM KMS, see Enabling HDFS Encryption Using the Wizard.