Installing Navigator HSM KMS Backed by Thales HSM
Client Prerequisites
Navigator HSM KMS backed by Thales HSM is supported on Thales HSMs only. The Thales HSM client must be installed first.
The following Thales nShield Connect software and firmware are required:
- Server version: 3.67.11cam4
- Firmware: 2.65.2
- Security World Version: 12.30
$ sudo /opt/nfast/bin/nfkminfo World generation 2 state 0x1727 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug
If state reports !Usable instead of Usable, then configure the Thales HSM before continuing. See the Thales product documentation for details about how to configure the Thales client.
Run the following command to manually add the KMS user to the nfast group:
usermod -a -G nfast kms
If you do not manually add the KMS user, installation can fail.
Setting Up an Internal Repository
You must create an internal repository to install Navigator HSM KMS backed by Thales HSM. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Creating and Using a Parcel Repository for Cloudera Manager if you are using parcels, or Creating and Using a Package Repository for Cloudera Manager if you are using packages.
Installing Navigator HSM KMS Backed by Thales HSM Using Parcels
- Go to .
- Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring the Cloudera Manager Server to Use the Parcel URL for Hosted Repositories for more information.
- Download, distribute, and activate the Navigator HSM KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.
Installing Navigator HSM KMS Backed by Thales HSM Using Packages
- After Setting Up an Internal Repository, configure the Navigator KMS Services backed by Thales HSM host to use the repository. See Modifying Clients to Find the Repository for more information.
- Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See To add the CDH repository for instructions. If you want to create an internal CDH repository, see Creating a Local Yum Repository.
- Install the keytrustee-keyprovider package using the appropriate command for your operating system:
- RHEL-compatible
$ sudo yum install keytrustee-keyprovider
- RHEL-compatible
Post-Installation Configuration
For instructions on configuring HSM KMS, see Enabling HDFS Encryption Using the Wizard.