KMS Installation and Upgrade
Hadoop Key Management Server (KMS) is a cryptographic key management server based on the Hadoop KeyProvider API. It provides a KeyProvider implementation client that interacts with the KMS using the HTTP REST API. Both the KMS and its client support HTTP SPNEGO Kerberos authentication and TLS/SSL-secured communication. The KMS is a Java-based web application that runs using a preconfigured Tomcat server bundled with the Hadoop distribution.
- Java KeyStore KMS - The default Hadoop KMS included in CDH that uses a file-based Java KeyStore (JKS) for its backing keystore. For parcel-based installations, no additional action is required to install or upgrade the KMS. For package-based installations, you must install additional packages. See Installing and Upgrading Java KeyStore KMS for details. Cloudera strongly recommends not using Java Keystore KMS in production environments.
- Key Trustee KMS - A custom KMS that uses Cloudera Navigator Key Trustee Server for its backing keystore instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS. Cloudera strongly recommends using Key Trustee KMS in production environments to improve the security, durability, and scalability of your cryptographic key management. See Cloudera Navigator Data Encryption Overview and Data at Rest Encryption Reference Architecture for more information about the architecture and components involved in encrypting data at rest for production environments. See the following for instructions on installing and upgrading Key Trustee KMS:
Installing and Upgrading Java KeyStore KMS
To install or upgrade Java KeyStore KMS on a RHEL-compatible system:
$ sudo yum install hadoop-kms hadoop-kms-server
To install or upgrade Java KeyStore KMS on a SLES system:
$ sudo zypper install hadoop-kms hadoop-kms-server
To install or upgrade Java KeyStore KMS on an Ubuntu or Debian system:
$ sudo apt-get install hadoop-kms hadoop-kms-server
Troubleshooting: upgrading hadoop-kms from 5.2.x and 5.3.x releases on SLES
The problem described in this section affects SLES upgrades from 5.2.x releases earlier than 5.2.4, and from 5.3.x releases earlier than 5.3.2.
Problem
Installing: hadoop-kms-2.5.0+cdh5.3.2+801-1.cdh5.3.2.p0.224.sles11 [error] 12:54:19 Installation of hadoop-kms-2.5.0+cdh5.3.2+801-1.cdh5.3.2.p0.224.sles11 failed: 12:54:19 (with --nodeps --force) Error: Subprocess failed. Error: RPM failed: warning: /var/cache/zypp/packages/cdh/RPMS/x86_64/hadoop-kms-2.5.0+cdh5.3.2+801-1.cdh5.3.2.p0.224.sles11.x86_64.rpm: Header V4 DSA signature: NOKEY, key ID e8f86acd 12:54:19 error: %postun(hadoop-kms-2.5.0+cdh5.3.1+791-1.cdh5.3.1.p0.17.sles11.x86_64) scriptlet failed, exit status 1 12:54:19
What to Do
- Abort, or ignore the error (it doesn't matter which):
Abort, retry, ignore? [a/r/i] (a): i
- Perform cleanup.
- # rpm -qa hadoop-kms
You will see two versions of hadoop-kms; for example:
hadoop-kms-2.5.0+cdh5.3.1+791-1.cdh5.3.1.p0.17.sles11 hadoop-kms-2.5.0+cdh5.3.2+801-1.cdh5.3.2.p0.224.sles11
- Remove the older version, in this example hadoop-kms-2.5.0+cdh5.3.1+791-1.cdh5.3.1.p0.17.sles11:
# rpm -e --noscripts hadoop-kms-2.5.0+cdh5.3.1+791-1.cdh5.3.1.p0.17.sles11
- # rpm -qa hadoop-kms
- Verify that the older version of the package has been removed:
# rpm -qa hadoop-kms
Now you should see only the newer package:hadoop-kms-2.5.0+cdh5.3.2+801-1.cdh5.3.2.p0.224.sles11