Initializing Standalone Key Trustee Server

If you are configuring high availability Key Trustee Servers, skip this step and proceed to Cloudera Navigator Key Trustee Server High Availability.

Using Cloudera Manager

Add the Key Trustee Server service to your cluster, following the instructions in Adding a Service. When customizing role assignments, assign only the Active Key Trustee Server and Active Database roles.

Using the Command Line

To initialize a standalone Key Trustee Server, run the following commands on the Key Trustee Server:

$ sudo ktadmin init --external-address keytrustee.example.com
$ sudo ktadmin db --bootstrap --port 11381 --pg-rootdir /var/lib/keytrustee/db
## For RHEL/CentOS 7, use 'sudo systemctl [stop|start] <service_name>' instead of 'sudo service <service_name> [stop|start]' ##
$ sudo service keytrustee-db stop
$ sudo service keytrustee-db start
$ sudo service keytrusteed start
$ sudo chkconfig keytrustee-db on
$ sudo chkconfig keytrusteed on

Replace keytrustee.example.com with the fully qualified domain name (FQDN) of the Key Trustee Server. Cloudera recommends using the default /var/lib/keytrustee/db directory for the PostgreSQL database.

To use a different port for the database, modify the ktadmin init and ktadmin db commands as follows:

$ sudo ktadmin init --external-address keytrustee.example.com --db-connect postgresql://localhost:<port>/keytrustee?host=/tmp
$ sudo ktadmin db --bootstrap --port <port> --pg-rootdir /var/lib/keytrustee/db

If you specify a database directory other than /var/lib/keytrustee/db, create or edit the /etc/sysconfig/keytrustee-db file and add the following line:

ARGS="--pg-rootdir /path/to/db"

The ktadmin init command initializes the Key Trustee configuration directory (/var/lib/keytrustee/.keytrustee by default) and generates a self-signed certificate that Key Trustee Server uses for HTTPS communication.

The ktadmin db --bootstrap command initializes the database in the directory specified by the --pg-rootdir parameter.

The sudo service keytrustee-db stop and sudo service keytrustee-db start commands restart the Key Trustee Server database.

The sudo service keytrusteed start command starts Key Trustee Server.
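The following is an added example, not Cloudera's own tooling: a POSIX shell script that renders the command-line procedure above for a chosen FQDN, database port and database directory, adds the --db-connect URI only when the port is not the default 11381, emits the /etc/sysconfig/keytrustee-db ARGS line only for a non-default directory, and picks systemctl or service/chkconfig depending on the host. The function names (kt_*) and the FQDN sanity check are this example's own; the commands are rendered for review rather than executed.

```shell
#!/bin/sh
# Added example, not Cloudera's code: renders the standalone Key Trustee
# Server initialization steps for a chosen FQDN, database port and database
# directory. Commands are printed, not executed.

KT_DEFAULT_PORT=11381
KT_DEFAULT_DBDIR=/var/lib/keytrustee/db

# Reject values that are clearly not a fully qualified host name: clients and
# ktadmin use --external-address to reach the server, so localhost or a bare
# short name is a configuration error worth catching before ktadmin init runs.
kt_check_fqdn() {
  case "$1" in
    ""|localhost|*" "*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# ktadmin init: the --db-connect URI is only required for a non-default port.
kt_init_cmd() {
  kt_check_fqdn "$1" || return 1
  if [ "$2" = "$KT_DEFAULT_PORT" ]; then
    printf 'sudo ktadmin init --external-address %s\n' "$1"
  else
    printf 'sudo ktadmin init --external-address %s --db-connect postgresql://localhost:%s/keytrustee?host=/tmp\n' "$1" "$2"
  fi
}

kt_db_cmd() {
  printf 'sudo ktadmin db --bootstrap --port %s --pg-rootdir %s\n' "$1" "$2"
}

# Line for /etc/sysconfig/keytrustee-db; empty when the default directory is used.
kt_sysconfig_args() {
  [ "$1" = "$KT_DEFAULT_DBDIR" ] || printf 'ARGS="--pg-rootdir %s"\n' "$1"
}

# Service control: systemctl on systemd hosts such as RHEL/CentOS 7
# (systemctl enable is the systemd counterpart of chkconfig on), else service.
kt_service_cmds() {
  if command -v systemctl >/dev/null 2>&1; then
    printf 'sudo systemctl stop keytrustee-db\nsudo systemctl start keytrustee-db\nsudo systemctl start keytrusteed\nsudo systemctl enable keytrustee-db\nsudo systemctl enable keytrusteed\n'
  else
    printf 'sudo service keytrustee-db stop\nsudo service keytrustee-db start\nsudo service keytrusteed start\nsudo chkconfig keytrustee-db on\nsudo chkconfig keytrusteed on\n'
  fi
}

# Whole plan, e.g.: kt_plan keytrustee.example.com 11381 /var/lib/keytrustee/db
kt_plan() {
  kt_init_cmd "$1" "$2" || return 1
  kt_db_cmd "$2" "$3"; kt_sysconfig_args "$3"; kt_service_cmds
}
```

Pipe the output of kt_plan into a review step or into sh once the rendered commands match what this page prescribes for your host.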

(Optional) Replace Self-Signed Certificate with CA-Signed Certificate

If you have a CA-signed certificate for Key Trustee Server, see Managing Key Trustee Server Certificates for instructions on how to replace the self-signed certificate.