HSM-Specific Setup for Cloudera Navigator Key HSM

SafeNet KeySecure

After entering the Key HSM listener IP address and port, the HSM setup for SafeNet KeySecure prompts for login credentials, the IP address of the KeySecure HSM, and the port number:

-- Ingrian HSM Credential Configuration --
Please enter HSM login USERNAME: keyhsm
Please enter HSM login PASSWORD: ******

Please enter HSM IP Address or Hostname: 172.19.1.135
Please enter HSM Port number: 9020

If the connection is successful, the following message is displayed:

Valid address:                                    :[ Successful ]

The KeySecure setup utility then prompts you whether to use SSL:

Use SSL? [Y/n] Y

If you choose to use SSL, Key HSM attempts to resolve the server certificate, and prompts you to trust the certificate:

  [0]         Version: 3
         SerialNumber: 0
             IssuerDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
           Start Date: Thu Jan 29 09:55:57 EST 2015
           Final Date: Sat Jan 30 09:55:57 EST 2016
            SubjectDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev,
CN=172.19.1.135,E=webadmin@example.com
           Public Key: RSA Public Key
            modulus: abe4a8dcef92e145984309bd466b33b35562c7f8751d1c406b1140e0584890272090424eb347647ba04b34757cacc79652791427d0d8580a652c106bd26945384b30b8107f8e15d2deba8a4e868bf17bb02073837cffef0ef16d5b5da5cfb4d3625c0affbda6320daf7c6b6d8adfcb563960fcd1207c059300feb651340879dd2d929a5b986517531be93f113c8db780c92ddf30f5c8bf2b0bea60359b67be306c520358cc0c3fc365500d8abeeac99e53cc2b369b2031174e72e6fca1f9a4639e09240ed6d4a73073885868e814839b09d56aa98a5a1e230b46cdb4818321f546ac15567c596833be47ef156a73e537fd09605482790714f4a276e5f126f935
    public exponent: 10001

  Signature Algorithm: SHA256WithRSAEncryption
            Signature: 235168c68567b27a30b14ab443388039ff12357f
                       99ba439c6214e4529120d6ccb4a9b95ab25f81b4
                       7deb9354608df45525184e75e80eb0948eae3e15
                       c25c1d58c4f86cb9616dc5c68dfe35f718a0b6b5
                       56f520317eb5b96b30cd9d027a0e42f60de6dd24
                       5598d1fcea262b405266f484143a74274922884e
                       362192c4f6417643da2df6dd1a538d6d5921e78e
                       20a14e29ca1bb82b57c02000fa4907bd9f3c890a
                       bdae380c0b4dc68710deeaef41576c0f767879a7
                       90f30a4b64a6afb3a1ace0f3ced17ae142ee6f18
                       5eff64e8b710606b28563dd99e8367a0d3cbab33
                       2e59c03cadce3a5f4e0aaa9d9165e96d062018f3
                       6a7e8e3075c40a95d61ebc8db43d77e7
       Extensions:
                       critical(false) BasicConstraints: isCa(true)
                       critical(false) NetscapeCertType: 0xc0

Trust this server? [y/N] Y

Trusted server:                                   :[ Successful ]

Thales HSM

By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using port 11500 and 11501.

To change the Thales client ports, run the following commands:

$ sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501
$ sudo /opt/nfast/sbin/init.d-ncipher restart

To configure Key HSM to use the modified port, edit the /usr/share/keytrustee-server-keyhsm/start.sh file and add the -DNFAST_SERVER_PORT=11500 Java system property. For example:

java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@

Before completing the Thales HSM setup, run the nfkminfo command to verify that the Thales HSM is properly configured:

$ sudo /opt/nfast/bin/nfkminfo
  World generation  2
  state       0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient
              RTC  NVRAM FTO !AlwaysUseStrongPrimes SEEDebug

If state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for instructions.

After entering the Key HSM listener IP address and port, the HSM setup for Thales prompts for the OCS card password:

Please enter the OCS Card Password (input suppressed):

Configuration saved in 'application.properties' file
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)

Luna HSM

Before completing the Luna HSM setup, run the vtl verify command (usually located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is properly configured.

After entering the Key HSM listener IP address and port, the HSM setup for Luna prompts for the slot number and password:

-- Configuring SafeNet Luna HSM --
Please enter SafeNetHSM Slot Number: 1
Please enter SafeNet HSM password (input suppressed):
Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Configuration saved in 'application.properties' file

See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.

Initializing Navigator Key HSM

Validating Key HSM Settings