Installing Key Trustee KMS

Key Trustee KMS is a custom Key Management Server (KMS) that uses Cloudera Navigator Key Trustee Server as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

Key Trustee KMS is supported only in Cloudera Manager deployments. You can install the software using parcels or packages, but running Key Trustee KMS outside of Cloudera Manager is not supported.

The KMS (Navigator Key Trustee) service in Cloudera Manager 5.3 is renamed to Key Trustee KMS in Cloudera Manager 5.4.

Setting Up an Internal Repository

You must create an internal repository to install Key Trustee KMS. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Using an Internal Parcel Repository if you are using parcels, or Using an Internal Package Repository if you are using packages.

Installing Key Trustee KMS Using Parcels

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring the Cloudera Manager Server to Use the Parcel URL for Hosted Repositories for more information.
  3. Download, distribute, and activate the Key Trustee KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.

Installing Key Trustee KMS Using Packages

  1. After Setting Up an Internal Repository, configure the Key Trustee KMS host to use the repository. See Modifying Clients to Use the Internal Repository for more information.
  2. Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See Step 1: Configure a Repository for instructions.
  3. Install the keytrustee-keyprovider package using the appropriate command for your operating system:
    • RHEL-compatible
      $ sudo yum install keytrustee-keyprovider
    • SLES
      $ sudo zypper install keytrustee-keyprovider
    • Ubuntu or Debian
      $ sudo apt-get install keytrustee-keyprovider
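
A pre-flight check for the package procedure above, added here as an example (it is not Cloudera's code): it picks the package manager from os-release and confirms that the configured repositories offer both keytrustee-keyprovider and its dependency hadoop-kms before anything is installed. The function names and the set of os-release IDs matched are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Cloudera documentation.

# Print yum, zypper or apt-get for the os-release file given as $1.
pkg_manager_for() {
    os_release="${1:-/etc/os-release}"
    [ -r "$os_release" ] || return 2
    # Extract ID and ID_LIKE as text; the file is never sourced as code.
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$os_release" | tr -d '"' | tr '\n' ' ')
    for id in $ids; do
        case "$id" in
            rhel|centos|ol) echo yum; return 0 ;;
            sles|suse)      echo zypper; return 0 ;;
            ubuntu|debian)  echo apt-get; return 0 ;;
        esac
    done
    return 1   # distribution family not covered by the install steps
}

# Succeed if package $2 is visible to package manager $1.
pkg_available() {
    case "$1" in
        yum)     yum -q info "$2" >/dev/null 2>&1 ;;
        # zypper info exits 0 for unknown packages, so look for a Name field.
        zypper)  zypper --non-interactive info "$2" 2>/dev/null | grep -q '^Name' ;;
        apt-get) apt-cache show "$2" >/dev/null 2>&1 ;;
        *)       return 2 ;;
    esac
}

# Report missing packages; print the install command only if none are missing.
preflight() {
    mgr=$(pkg_manager_for "${1:-/etc/os-release}") || { echo "unsupported OS" >&2; return 1; }
    missing=0
    for pkg in hadoop-kms keytrustee-keyprovider; do
        if ! pkg_available "$mgr" "$pkg"; then
            echo "$pkg not found: check the repository configuration" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    echo "sudo $mgr install keytrustee-keyprovider"
}
# Usage on the Key Trustee KMS host: preflight
```

If hadoop-kms is reported missing, the CDH repository from step 2 is not configured on the host.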

Post-Installation Configuration

For instructions on installing Key Trustee Server and configuring Key Trustee KMS to use Key Trustee Server, see the following topics: