Upgrading Cloudera Navigator HSM KMS

Setting Up an Internal Repository

You must create an internal repository to upgrade HSM KMS. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Parcel Repository if you are using parcels, or Configuring a Local Package Repository if you are using packages.

Upgrading HSM KMS Using Parcels

If you use the Thales HSM KMS, do not use these upgrade steps. Instead, use Upgrading 5.x to 6.x Parcels for Thales HSM KMS.

To upgrade an HSM KMS using parcels:

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
  3. Click Save Changes.
  4. Download, distribute, and activate the KEYTRUSTEE parcel for the version to which you are upgrading. See Parcels for detailed instructions on using parcels to install or upgrade components.
  5. Restart the HSM KMS service (HSM KMS service > Actions > Restart).

Upgrading 5.x to 6.x Parcels for Thales HSM KMS

To upgrade 5.x to 6.x parcels for Thales HSM KMS:

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
  3. Click Save Changes.
  4. Download, distribute, and activate the KEYTRUSTEE parcel for the version to which you are upgrading. See Parcels for detailed instructions on using parcels to install or upgrade components.
  5. If the Thales HSM KMS already exists, then before upgrading to Cloudera Manager 6.0.0, you must change the privileged Thales HSM KMS port; the recommended port is 11501. The non-privileged port default is 9000, and does not need to be changed.
    To change the privileged port, log in to the Thales HSM KMS machine(s) and run the following commands:
    # sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501
    [server_settings] change successful; you must restart the hardserver for this to take effect
    # sudo /opt/nfast/sbin/init.d-ncipher restart
     -- Running shutdown script 90ncsnmpd
    
     -- Running shutdown script 60raserv
    
    ...
    
    'ncsnmpd' server now running
  6. Restart the HSM KMS service (HSM KMS service > Actions > Restart).

Upgrading HSM KMS Using Packages

If you use the Thales HSM KMS, do not use these upgrade steps. Instead, use Upgrading 5.x to 6.x Packages for Thales HSM KMS.

To upgrade an HSM KMS using packages:

  1. After Setting Up an Internal Repository, configure the HSM KMS host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
  2. Add the CDH repository. See Setting Up an Internal Repository for instructions. If you want to create an internal CDH repository, see Configuring a Local Package Repository.
  3. Upgrade the keytrustee-keyprovider package using the appropriate command for your operating system:
    • RHEL-compatible
      sudo yum install keytrustee-keyprovider
    • SLES
      sudo zypper install keytrustee-keyprovider
    • Ubuntu or Debian
      sudo apt-get install keytrustee-keyprovider
  4. Restart the HSM KMS service (HSM KMS service > Actions > Restart).

Upgrading 5.x to 6.x Packages for Thales HSM KMS

To upgrade 5.x to 6.x packages for Thales HSM KMS:

  1. After Setting Up an Internal Repository, configure the HSM KMS host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
  2. Add the CDH repository. See Setting Up an Internal Repository for instructions. If you want to create an internal CDH repository, see Configuring a Local Package Repository.
  3. Upgrade the keytrustee-keyprovider package using the appropriate command for your operating system:
    • RHEL-compatible
      sudo yum install keytrustee-keyprovider
    • SLES
      sudo zypper install keytrustee-keyprovider
    • Ubuntu or Debian
      sudo apt-get install keytrustee-keyprovider
  4. If the Thales HSM KMS already exists, then before upgrading to Cloudera Manager 6.0.0, you must change the privileged Thales HSM KMS port; the recommended port is 11501. The non-privileged port default is 9000, and does not need to be changed.
    To change the privileged port, log in to the Thales HSM KMS machine(s) and run the following commands:
    # sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501
    [server_settings] change successful; you must restart the hardserver for this to take effect
    # sudo /opt/nfast/sbin/init.d-ncipher restart
     -- Running shutdown script 90ncsnmpd
    
     -- Running shutdown script 60raserv
    
    ...
    
    'ncsnmpd' server now running
  5. Restart the HSM KMS service (HSM KMS service > Actions > Restart).
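
A post-change check for the Thales privileged-port step in both 5.x to 6.x procedures above, as an added example that is not part of the Cloudera or Thales documentation: it reads `ss -ltn` output and reports, for the privileged port 11501 and the non-privileged default 9000, whether a listener exists and whether it is bound to loopback only. The function names and the sample `ss` output are constructed for illustration, and it assumes the hardserver's TCP listeners appear in `ss -ltn` on the HSM KMS host.

```shell
#!/bin/sh
# Added example: not from the Cloudera or Thales documentation.
# Classifies listeners for the hardserver ports named on this page,
# given `ss -ltn` output on stdin.

PRIV_PORT=11501     # privileged port recommended on this page
NONPRIV_PORT=9000   # non-privileged default stated on this page

# port_status PORT -> prints missing | loopback | exposed
port_status() {
  awk -v port="$1" '
    BEGIN { status = "missing" }
    $1 == "LISTEN" {
      n = split($4, p, ":")              # column 4 is Local Address:Port
      if (p[n] != port) next
      addr = substr($4, 1, length($4) - length(p[n]) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") {
        if (status != "exposed") status = "loopback"
      } else {
        status = "exposed"               # wildcard or non-loopback address
      }
    }
    END { print status }'
}

# hardserver_report: reads ss output on stdin, prints one line per port,
# and returns 1 if either port has no listener.
hardserver_report() {
  ss_out=$(cat)
  rc=0
  for port in "$PRIV_PORT" "$NONPRIV_PORT"; do
    st=$(printf '%s\n' "$ss_out" | port_status "$port")
    echo "port $port: $st"
    [ "$st" != "missing" ] || rc=1
  done
  return $rc
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9000     0.0.0.0:*
LISTEN 0      128    0.0.0.0:11501      0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

printf '%s\n' "$SAMPLE_SS" | hardserver_report
# On the HSM KMS host after the hardserver restart: ss -ltn | hardserver_report
```

An `exposed` result for port 11501 means the privileged listener is bound to a wildcard or non-loopback address; compare that against the host firewall rules for the HSM KMS machine.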