Initializing Navigator Key HSM

Before initializing Navigator Key HSM, verify that the HSM is properly configured and accessible from the Key HSM host, and that the HSM client libraries are installed on the Key HSM host:
  • SafeNet Luna

    Install the SafeNet Luna client. No additional configuration is needed.

  • SafeNet KeySecure

    Extract the KeySecure client tarball in the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

  • Thales

    Install the Thales client service. Copy nCipherKM.jar, jcetools.jar, and rsaprivenc.jar from the installation media (usually located in opt/nfast/java/classes relative to the installation media mount point) to the Key HSM library directory (/usr/share/keytrustee-server-keyhsm/).

See your HSM product documentation for more information on installing and configuring your HSM and client libraries.
To initialize Key HSM, use the service keyhsm setup command in conjunction with the name of the target HSM distribution:
$ sudo service keyhsm setup [keysecure|thales|luna]

For all HSM distributions, this first prompts for the IP address and port number that Key HSM listens on.

Cloudera recommends using the loopback address ( for the listener IP address and 9090 as the port number.

If the setup utility successfully validates the listener IP address and port, you are prompted for additional information specific to your HSM. For HSM-specific instructions, continue to the HSM-Specific Setup for Cloudera Navigator Key HSM section for your HSM.

After initial setup, configuration is stored in the /usr/share/keytrustee-server-keyhsm/ file, which contains human-readable configuration information for the Navigator Key HSM server.