Issues Fixed in Cloudera Navigator 6.1.0 Encryption

See below for issues fixed in the encryption components of Cloudera Navigator 6.1.0:

Issues Fixed in Navigator Key Trustee KMS 6.1.0

New Key Trustee KMS failed after being added to an environment that previously had a single Key Trustee KMS instance

When adding a new Navigator Key Trustee KMS instance to an environment that previously only had a single Key Trustee KMS instance, the new Key Trustee KMS periodically failed to start and returned the following message:

"Unable to verify private key match between KMS hosts. If the system has been recently upgraded, DO NOT TAKE FURTHER ACTION and contact your support representative as soon as possible. If this is a new installation, verify private key files have been synced between all KMS hosts. Aborting to prevent data inconsistency."

Cloudera Issue: KT-6231

CDH upgrade failure

When upgrading to Key Trustee KMS 6.0.0 from Key Trustee KMS 5.14.0 or lower and performing a rolling restart (instead of a full restart), the first Key Trustee KMS instance to restart may fail to come up and instead report the error: "Unable to verify private key match between KMS hosts. If the system has been recently upgraded, DO NOT TAKE FURTHER ACTION and contact your support representative as soon as possible. If this is a new installation, verify private key files have been synched between all KMS hosts. Aborting to prevent data inconsistency."

Cloudera Bug: KT-6547

Issues Fixed in Navigator Key HSM 6.1.0

Key HSM Luna setup not showing the correct login status

When running the keyhsm setup luna command, you are prompted for the Luna HSM slot number and login password. Key HSM then attempts to log into the Luna HSM to verify these settings are correct. In some circumstances, the setup script reports that the login was successful, even if it failed.

Cloudera Issue: KT-6623

Too many keys on Luna HSM causes Key HSM startup to fail

If there are too many keys on the Luna HSM, Key HSM startup will fail with a Java core dump because it times out querying the keys.

Cloudera Issue: KT-6129

Issues Fixed in Navigator Encrypt 6.1.0

Navigator Encrypt-related packages should be downgraded with the Navigator Encrypt package

The navencrypt downgrade command only downgraded the navencrypt package. It did not downgrade the associated navencrypt-kernel-module and libkeytrustee packages.

Cloudera Issue: KT-6381

When a mount point is added, Navigator Encrypt updates configuration files before the action completes

The navencrypt-prepare command sometimes performed updates to the /etc/navencrypt/control and /etc/navencrypt/ztab files before the command completed. In such cases, if there was an error with the mounting or unmounting of the navencrypt mount point, then the updated control and ztab files did not accurately reflect which mount points existed.

Cloudera Issue: KT-6383

Navigator Encrypt will not build on RHEL kernel 3.10.0-862.14.4

The Navigator Encrypt kernel module will not build on RHEL kernel 3.10.0-862.14.4. This impacts new installations, and existing installations that are upgrading to kernel 3.10.0-862.14.4. This issue prevents the navencrypt-mount service from running and Navigator Encrypt mount points from being accessible.

Cloudera Issue: KT-6677

Upgrade from Navigator Encrypt 3.x to 6.0.0 does not trigger a navencryptfs recompile

After upgrading from Navigator Encrypt 3.x to Navigator Encrypt 6.0.0, the kernel module may not be rebuilt, even if the upgrade and installation commands indicate that it was built successfully.

Cloudera Bug: KT-6382