Installing Navigator HSM KMS Backed by Thales HSM
Client Prerequisites
Navigator HSM KMS backed by Thales HSM is supported on Thales HSMs only. The Thales HSM client must be installed first.
- Server version: 3.67.11cam4
- Firmware: 2.65.2
- Security World Version: 12.30
Run nfkminfo to confirm that the Security World is usable:
$ sudo /opt/nfast/bin/nfkminfo
World
 generation  2
 state       0x1727 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug
If state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for details about how to configure the Thales client.
Run the following command to manually add the KMS user to the nfast group:
usermod -a -G nfast kms
If you do not manually add the KMS user, installation can fail.
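The two client prerequisites above (a Usable Security World and the kms user's membership in the nfast group) can be checked from a script before the installation starts. The script below is an added example, not Cloudera or Thales code: it assumes /opt/nfast/bin/nfkminfo and getent exist on the host, the state-line format is the one shown in the nfkminfo output above, and the sample group line is constructed.

```shell
#!/bin/sh
# Preflight checks for the Thales HSM client before installing Navigator HSM KMS.
# Added example (not Cloudera or Thales code). Assumes /opt/nfast/bin/nfkminfo and
# getent are present; the state line follows the nfkminfo output shown on this page,
# the group line follows the "name:x:gid:member,member" format of getent/etc-group.

NFKMINFO=/opt/nfast/bin/nfkminfo
KMS_USER=kms
HSM_GROUP=nfast

# Constructed sample inputs (the state line matches the nfkminfo output above).
SAMPLE_STATE_LINE="state 0x1727 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug"
SAMPLE_GROUP_LINE="nfast:x:1001:root,kms"

# world_usable STATE_LINE
# Returns 0 when the whitespace-separated flags on the nfkminfo "state" line contain
# the token "Usable". A negated flag carries a leading "!" (for example "!Usable"),
# so the comparison is on whole tokens, never on substrings.
world_usable() {
    for tok in $1; do
        [ "$tok" = "Usable" ] && return 0
    done
    return 1
}

# in_group GROUP_LINE USER
# Returns 0 when USER is listed in the comma-separated member field (the text after
# the last ":") of a group line such as "nfast:x:1001:root,kms".
in_group() {
    members=${1##*:}
    case ",$members," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# preflight
# Runs both checks against the live host, prints one line per check and returns
# the number of failed checks (0 means the KMS installation can proceed).
preflight() {
    failed=0
    if [ -x "$NFKMINFO" ]; then
        state_line=$("$NFKMINFO" 2>/dev/null | grep '^ *state' | head -n 1)
        if world_usable "$state_line"; then
            echo "ok: Security World is Usable"
        else
            echo "FAIL: Security World is not Usable ($state_line); configure the HSM first"
            failed=$((failed + 1))
        fi
    else
        echo "FAIL: $NFKMINFO not found; install the Thales client first"
        failed=$((failed + 1))
    fi

    group_line=$(getent group "$HSM_GROUP" 2>/dev/null || true)
    if in_group "$group_line" "$KMS_USER"; then
        echo "ok: $KMS_USER is a member of $HSM_GROUP"
    else
        echo "FAIL: $KMS_USER is not in $HSM_GROUP; run: usermod -a -G $HSM_GROUP $KMS_USER"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Run the checks when executed as a script.
if preflight; then
    echo "all client prerequisites satisfied"
else
    echo "fix the failed checks before installing the KMS"
fi
```

Run it as root (or with sudo) on each host that will run the KMS; a non-zero exit from preflight is the signal to stop and fix the Thales client setup rather than start the parcel or package installation.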
Setting Up an Internal Repository
You must create an internal repository to install Navigator HSM KMS backed by Thales HSM. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Parcel Repository if you are using parcels, or Configuring a Local Package Repository if you are using packages.
Installing Navigator HSM KMS Backed by Thales HSM Using Parcels
- Go to .
- Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
- Download, distribute, and activate the Navigator HSM KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.
- If you are newly installing Thales HSM KMS to a 6.0.0 system, then you must set the hardserver privileged port to a non-default value before adding the HSM KMS backed by Thales service in Cloudera Manager. The recommended port is 11501. The non-privileged port default is 9000 (which you do not have to change). To change the privileged port, log into the Thales HSM KMS machine(s), and run the following commands:
# sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501
[server_settings] change successful; you must restart the hardserver for this to take effect
# sudo /opt/nfast/sbin/init.d-ncipher restart
-- Running shutdown script 90ncsnmpd
-- Running shutdown script 60raserv
...
'ncsnmpd' server now running
Installing Navigator HSM KMS Backed by Thales HSM Using Packages
- After Setting Up an Internal Repository, configure the Navigator KMS Services backed by Thales HSM host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
- Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See Configuring a Local Package Repository for instructions.
- Install the keytrustee-keyprovider package using the appropriate command for your operating system:
- RHEL-compatible
sudo yum install keytrustee-keyprovider
- If you are newly installing Thales HSM KMS to a 6.0.0 system, then you must set the hardserver privileged port to a non-default value before adding the HSM KMS backed by Thales service in Cloudera Manager. The recommended port is 11501. The non-privileged port default is 9000 (which you do not have to change). To change the privileged port, log into the Thales HSM KMS machine(s), and run the following commands:
# sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501
[server_settings] change successful; you must restart the hardserver for this to take effect
# sudo /opt/nfast/sbin/init.d-ncipher restart
-- Running shutdown script 90ncsnmpd
-- Running shutdown script 60raserv
...
'ncsnmpd' server now running
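After the hardserver restart (in either the parcel or the package procedure above), it is worth confirming that the privileged port really moved to 11501 and that the non-privileged port is still 9000 before adding the service in Cloudera Manager. The script below is an added example, not Cloudera or Thales code: it assumes `ss` from iproute2 is installed on the KMS host, and the listing it parses offline is a constructed sample in `ss -ltn` format.

```shell
#!/bin/sh
# Verify the hardserver TCP ports after the config-serverstartup change and restart.
# Added example (not Cloudera or Thales code). Assumes `ss` (iproute2) is installed;
# SAMPLE_LISTING is a constructed `ss -ltn` listing used when ss is unavailable.

PRIVPORT=11501      # recommended privileged port from the procedure above
NONPRIVPORT=9000    # non-privileged default, left unchanged

SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9000       0.0.0.0:*
LISTEN 0      128    0.0.0.0:11501      0.0.0.0:*'

# port_listening LISTING PORT
# Returns 0 when LISTING (ss -ltn output) contains a LISTEN line whose local
# address field ends in ":PORT". The regex is anchored on the whole port number,
# so 11501 does not match a socket on 1501; the header line is skipped because
# its first field is "State", not "LISTEN".
port_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_ports LISTING
# Checks both expected ports and returns the number of ports not found.
check_ports() {
    missing=0
    for p in "$PRIVPORT" "$NONPRIVPORT"; do
        if port_listening "$1" "$p"; then
            echo "ok: hardserver listening on port $p"
        else
            echo "FAIL: nothing listening on port $p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Check the live host when executed as a script.
if command -v ss >/dev/null 2>&1; then
    if check_ports "$(ss -ltn 2>/dev/null || true)"; then
        echo "hardserver ports match the expected configuration"
    else
        echo "re-run config-serverstartup and restart the hardserver, then check again"
    fi
else
    echo "ss not found; run this on the Thales HSM KMS host"
fi
```

A missing 11501 after the restart usually means the restart did not pick up the new setting; the message "you must restart the hardserver for this to take effect" in the output above is the cue that the change alone is not enough.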
Post-Installation Configuration
For instructions on configuring HSM KMS, see Enabling HDFS Encryption Using the Wizard.