Installing Key Trustee KMS

Key Trustee KMS is a custom Key Management Server (KMS) that uses Cloudera Navigator Key Trustee Server as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

Key Trustee KMS is supported only in Cloudera Manager deployments. You can install the software using parcels or packages, but running Key Trustee KMS outside of Cloudera Manager is not supported.

The KMS (Navigator Key Trustee) service in Cloudera Manager 5.3 is renamed to Key Trustee KMS in Cloudera Manager 5.4.

Installing Key Trustee KMS Using Parcels

  1. Go to Hosts > Parcels.
  2. If you do not see any Key Trustee KMS parcels available, click the Edit Settings button and verify that the Key Trustee parcel repo URL (https://archive.cloudera.com/navigator-keytrustee5/parcels/5.4/) is listed in the Remote Parcel Repository URLs section. See Configuring the Cloudera Manager Server to Use the Parcel URL for more information.
  3. Click Save Changes.
  4. Return to the Parcels page (Hosts > Parcels).
  5. Download, distribute, and activate the Key Trustee KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.

Installing Key Trustee KMS Using Packages

  1. Identify the appropriate repository for your operating system, and copy the repository URL:
    OS Version Repository URL
    RHEL-compatible 6 RHEL 6 Repository
    RHEL-compatible 5 RHEL 5 Repository
    SLES 11 SLES 11 Repository
    Ubuntu Trusty (14.04) Ubuntu Trusty Repository
    Ubuntu Precise (12.04) Ubuntu Precise Repository
    Debian Wheezy (7.0 and 7.1) Debian Wheezy Repository
  2. Add the repository to your system, using the appropriate procedure for your operating system:
    • RHEL-compatible

      Download the repository and copy it to the /etc/yum.repos.d/ directory. Refresh the package index by running sudo yum clean all.

    • SLES
      Add the repository to your system using the following command:
      $ sudo zypper addrepo -f repository_url

      Refresh the package index by running sudo zypper refresh.

    • Ubuntu or Debian

      Copy the content of the appropriate cloudera.list file from the above repository table and append it to the /etc/apt/sources.list.d/cloudera.list file. Create the file if it does not exist. Refresh the package index by running sudo apt-get update.

  3. Add the CDH repository. See To add the CDH repository for instructions. If you want to create an internal CDH repository, see Creating a Local Yum Repository.
  4. Install the keytrustee-keyprovider package, using the appropriate command for your operating system:
    • RHEL-compatible
      $ sudo yum install keytrustee-keyprovider
    • SLES
      $ sudo zypper install keytrustee-keyprovider
    • Ubuntu or Debian
      $ sudo apt-get install keytrustee-keyprovider
  5. Restart the Key Trustee KMS service (Key Trustee KMS service > Actions > Restart).

Post-Installation Configuration

For instructions on installing Key Trustee Server and configuring Key Trustee KMS to use Key Trustee Server, see the following topics: