Initializing Standalone Key Trustee Server
If you are configuring high availability Key Trustee Servers, skip this step and proceed to Cloudera Navigator Key Trustee Server High Availability.
Using Cloudera Manager
Using the Command Line
$ sudo ktadmin init --external-address keytrustee.example.com
$ sudo ktadmin db --bootstrap --port 11381 --pg-rootdir /var/lib/keytrustee/db
## For RHEL/CentOS 7, use 'sudo systemctl [stop|start] <service_name>' instead of 'sudo service <service_name> [stop|start]' ##
$ sudo service keytrustee-db stop
$ sudo service keytrustee-db start
$ sudo service keytrusteed start
$ sudo chkconfig keytrustee-db on
$ sudo chkconfig keytrusteed on
Replace keytrustee.example.com with the fully-qualified domain name (FQDN) of the Key Trustee Server. Cloudera recommends using the default /var/lib/keytrustee/db directory for the PostgreSQL database.
To use a different port for the database, modify the ktadmin init and ktadmin db commands as follows:
$ sudo ktadmin init --external-address keytrustee.example.com --db-connect postgresql://localhost:<port>/keytrustee?host=/tmp
$ sudo ktadmin db --bootstrap --port <port> --pg-rootdir /var/lib/keytrustee/db
ARGS="--pg-rootdir /path/to/db"
The ktadmin init command initializes the Key Trustee configuration directory (/var/lib/keytrustee/.keytrustee by default) and generates a self-signed certificate that Key Trustee Server uses for HTTPS communication.
The ktadmin db --bootstrap command initializes the database in the directory specified by the --pg-rootdir parameter.
The sudo service keytrustee-db stop and sudo service keytrustee-db start commands restart the Key Trustee Server database.
The sudo service keytrusteed start command starts Key Trustee Server.
(Optional) Replace Self-Signed Certificate with CA-Signed Certificate
If you have a CA-signed certificate for Key Trustee Server, see Managing Key Trustee Server Certificates for instructions on how to replace the self-signed certificate.
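To see which kind of certificate is in place after initialization or after a replacement, the following added example (not from the Cloudera documentation) uses openssl to report whether a certificate file is self-signed, whether it matches the server's FQDN, and whether it is close to expiry. The certificate path is passed as an argument because this page does not state where the file is stored; the kts_* function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Cloudera code): classify the certificate a Key Trustee
# Server uses for HTTPS. The PEM path is an argument because the page does not
# give the certificate's location; the kts_* names are hypothetical.

# Print "self-signed" when subject and issuer are the same name, "ca-signed"
# otherwise. This compares names only; it does not verify the signature chain.
kts_cert_issuer_kind() {
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
  if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-signed; fi
}

# Print "match" when the certificate is valid for the given FQDN.
kts_cert_host() {
  if openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'; then
    echo match
  else
    echo mismatch
  fi
}

# Print "ok" when the certificate is still valid N days from now (default 30).
kts_cert_expiry() {
  local days
  days=${2:-30}
  if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo ok
  else
    echo expiring
  fi
}

# One-line summary: kts_cert_status /path/to/cert.pem keytrustee.example.com [days]
kts_cert_status() {
  local kind
  kind=$(kts_cert_issuer_kind "$1") || { echo "unreadable certificate: $1" >&2; return 2; }
  echo "issuer=$kind host=$(kts_cert_host "$1" "$2") expiry=$(kts_cert_expiry "$1" "${3:-30}")"
}

# Run the summary only when called with a certificate path and an FQDN.
if [ "$#" -ge 2 ]; then
  kts_cert_status "$@"
fi
```

A result of issuer=self-signed means clients must be configured to trust that exact certificate; host=mismatch or expiry=expiring points to a certificate that clients performing hostname or validity checks will reject.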