Upgrading Cloudera Navigator HSM KMS
Setting Up an Internal Repository
You must create an internal repository to upgrade HSM KMS. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Parcel Repository if you are using parcels, or Configuring a Local Package Repository if you are using packages.
Upgrading HSM KMS Using Parcels
For customers using the Thales HSM KMS, do not use these upgrade steps. Instead, use Upgrading 5.x to 6.x Parcels for Thales HSM KMS.
To upgrade an HSM KMS using parcels:
- Go to .
- Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
- Click Save Changes.
- Download, distribute, and activate the KEYTRUSTEE parcel for the version to which you are upgrading. See Parcels for detailed instructions on using parcels to install or upgrade components.
- Restart the HSM KMS service ( ).
Upgrading 5.x to 6.x Parcels for Thales HSM KMS
To upgrade 5.x to 6.x parcels for Thales HSM KMS:
- Go to .
- Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
- Click Save Changes.
- Download, distribute, and activate the KEYTRUSTEE parcel for the version to which you are upgrading. See Parcels for detailed instructions on using parcels to install or upgrade components.
- If the Thales HSM KMS already exists, then before upgrading to Cloudera Manager 6.0.0, you must change the privileged Thales HSM KMS port; the recommended port is 11501. The
non-privileged port default is 9000, and does not need to be changed.
To change the privileged port, log into the Thales HSM KMS machine(s), and run the following commands:
# sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501 [server_settings] change successful; you must restart the hardserver for this to take effect # sudo /opt/nfast/sbin/init.d-ncipher restart -- Running shutdown script 90ncsnmpd -- Running shutdown script 60raserv ... 'ncsnmpd' server now running
- Restart the HSM KMS service ( ).
Upgrading HSM KMS Using Packages
For customers using the Thales HSM KMS, do not use these upgrade steps. Instead, use Upgrading 5.x to 6.x Packages for Thales HSM KMS.
To upgrade an HSM KMS using packages:
- After Setting Up an Internal Repository, configure the HSM KMS host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
- Add the CDH repository. See Setting Up an Internal Repository for instructions. If you want to create an internal CDH repository, see Configuring a Local Package Repository.
- Upgrade the keytrustee-keyprovider package using the appropriate command for your operating system:
- RHEL-compatible
sudo yum install keytrustee-keyprovider
- SLES
sudo zypper install keytrustee-keyprovider
- Ubuntu or Debian
sudo apt-get install keytrustee-keyprovider
- RHEL-compatible
- Restart the HSM KMS service ( ).
Upgrading 5.x to 6.x Packages for Thales HSM KMS
To upgrade 5.x to 6.x packages for Thales HSM KMS:
- After Setting Up an Internal Repository, configure the HSM KMS host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
- Add the CDH repository. See Setting Up an Internal Repository for instructions. If you want to create an internal CDH repository, see Configuring a Local Package Repository.
- Upgrade the keytrustee-keyprovider package using the appropriate command for your operating system:
- RHEL-compatible
sudo yum install keytrustee-keyprovider
- SLES
sudo zypper install keytrustee-keyprovider
- Ubuntu or Debian
sudo apt-get install keytrustee-keyprovider
- RHEL-compatible
- If the Thales HSM KMS already exists, then before upgrading to Cloudera Manager 6.0.0, you must change the privileged Thales HSM KMS port; the recommended port is 11501. The
non-privileged port default is 9000, and does not need to be changed.
To change the privileged port, log into the Thales HSM KMS machine(s), and run the following commands:
# sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --privport=11501 [server_settings] change successful; you must restart the hardserver for this to take effect # sudo /opt/nfast/sbin/init.d-ncipher restart -- Running shutdown script 90ncsnmpd -- Running shutdown script 60raserv ... 'ncsnmpd' server now running
- Restart the HSM KMS service ( ).