Known Issues and Workarounds in Cloudera Navigator HSM KMS
HSM KMS get_keys returns wrong number of keys even though creation of one key failed
If the HSM KMS is left running while its local HSM KMS Metastore is stopped, then commands that attempt to write to the metastore (such as: create key, roll key, and delete key) will fail (expected behavior). However, commands that retrieve key metadata and/or key material (such as key list) may appear to succeed, but can return incorrect results (for example, an empty key list when there are extant keys) due to cache invalidation without the ability to refresh the cache from the metastore.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-5060
Workaround: None
"Exception in generateEncryptedKeys" error in HSM KMS log file after key migration
During the migration of encryption zone keys from a KT KMS to an HSM KMS, you may see errors related to the generateEncryptedKeys call (this operation populates the EDEK cache) on the HSM KMS node that is not running the migration. These errors will not prevent the migration operation from completing and will not cause ongoing problems after migration completes.
Affected Version(s): 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-5672
Workaround: None
KT KMS migration to HSM KMS fails if a key is not found on HSM
When using Key Trustee KMS with Key Trustee Server and Key HSM (backed by an HSM device), if a key version is deleted on the HSM device directly without also deleting and purging that key version on the Key Trustee KMS, then attempts to migrate from the KT KMS to the HSM KMS will fail.
Affected Version(s): 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-5671
Workaround: None
Timeout error during encryption zone key creation
There are situations where the key cache is synchronously populated to capacity during the create encryption zone operation. The expected behavior is that the key cache is synchronously populated only to the low watermark level (the rest of the keys should be created asynchronously).
Affected Version(s): 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-5296
Workaround: Set the following KMS properties:
- hadoop.security.kms.encrypted.key.cache.low.watermark .05
- hadoop.security.kms.encrypted.key.cache.size 30
- hadoop.security.kms.client.encrypted.key.cache.size 30
- hadoop.security.kms.client.encrypted.key.cache.low-watermark .05
Key description is not synchronized with the second metastore
If the description option is specified as the argument in a Hadoop key create command, then the description information is stored only on the KMS instance that responds to the create request. The description metadata is not synchronized to the other KMS instances in the role group. This does not affect normal key operations.
Affected Version(s): 5.12.0
Fixed Version: 5.12.1
Cloudera Bug: KT-5042
Workaround: Use the -provider argument on the key list operation to target key queries to a specific KMS instance.
HSM KMS Luna may need to be restarted if inactive for extended period
If Hadoop key operations return com.safenetinc.luna.exception.LunaCryptokiException after the KMS has been running without activity for an extended period of time, the Luna session may have been dropped.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-5018
Workaround: Restart the KMS service.
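The two log signatures described above (the benign "Exception in generateEncryptedKeys" seen during key migration, and the LunaCryptokiException that indicates a dropped Luna session) are easy to confuse when triaging an HSM KMS log. The following is an added example, not Cloudera code, that tags each matching line with the known issue it corresponds to and reports whether a KMS restart is called for; the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Signatures documented for the HSM KMS (example code, not Cloudera's):
# - "Exception in generateEncryptedKeys" on the HSM KMS node that is not running
#   the KT KMS -> HSM KMS migration is expected and harmless (KT-5672).
# - com.safenetinc.luna.exception.LunaCryptokiException after a long idle period
#   means the Luna session was probably dropped; restart the KMS service (KT-5018).
SIGNATURES = [
    (re.compile(r"Exception in generateEncryptedKeys"), "KT-5672",
     "benign while EZ key migration runs; no action once migration completes"),
    (re.compile(r"com\.safenetinc\.luna\.exception\.LunaCryptokiException"), "KT-5018",
     "Luna session likely dropped; restart the KMS service"),
]


@dataclass
class Finding:
    line_no: int
    bug: str
    advice: str


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a documented signature."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pattern, bug, advice in SIGNATURES:
            if pattern.search(line):
                findings.append(Finding(n, bug, advice))
                break  # one finding per line is enough
    return findings


def needs_restart(findings: list) -> bool:
    """Only the dropped-session issue (KT-5018) requires a KMS restart."""
    return any(f.bug == "KT-5018" for f in findings)


# Constructed sample log (not real Cloudera output).
SAMPLE_LOG = """\
2019-01-10 10:00:01 INFO  KMS: key list request ok
2019-01-10 10:00:05 ERROR KMS: Exception in generateEncryptedKeys for key ezkey1
2019-01-10 10:00:09 WARN  KMS: cache refresh skipped
2019-01-12 08:30:00 ERROR KMS: com.safenetinc.luna.exception.LunaCryptokiException: session error
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.bug} - {f.advice}")
    print("restart needed:", needs_restart(triage(SAMPLE_LOG)))
```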
Creating multiple instances of HSM KMS on the same host and port causes an error upon delete
Creating a KMS role instance on a host that previously hosted a KMS role instance in the same role group that had its data directories deleted results in errors when attempting to run Hadoop key delete operations.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-4992
Workaround: This workaround requires the assistance of Cloudera support; request assistance with issue KT-4992.
Incorrect status for "Restart stale services" step in HDFS encryption wizard post-service installation
There are times when completion of the HDFS Encryption Wizard does not show an active "Restart stale services and redeploy client configuration" link.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-4987
Workaround: Refresh the page and the link should become active.
The encryption wizard continues to fail if there is a failure during initial configuration run
The encryption wizard continues to fail if there was a failure during the initial run configuring HSM KMS.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-4909
Workaround: Open Cloudera Manager in another browser tab, and manually stop the installed KMS by clicking the arrow next to the KMS and selecting Stop. Then retry the installation in the new tab after correcting the cause of the install failure.
Before installing the Thales backed HSM KMS, you must add the KMS user to the nfast group
After installation of the Thales HSM client, and before installing Navigator HSM KMS backed by Thales HSM, you must add the KMS user to the nfast group.
Affected Version(s): 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
Cloudera Bug: KT-4618
Workaround: Run the following command to manually add the KMS user to the nfast group: usermod -a -G nfast kms