Integrating Key HSM with Key Trustee Server
- Check Existing Key Names (for existing Key Trustee Server users only)
- Establish Trust from Key HSM to Key Trustee Server
- Integrate Key HSM and Key Trustee Server
Check Existing Key Names
During the process detailed below, you are prompted to migrate any existing keys from the Key Trustee Server to the HSM.
- Key names can begin with alpha-numeric characters only
- Key names can include only these special characters:
- Hyphen -
- Period .
- Underscore _
- Decrypt any data using the non-conforming key
- Create a new key, named per the requirements
- Re-encrypt the data using the new key
Establish Trust from Key HSM to Key Trustee Server
$ sudo keyhsm trust /path/to/key_trustee_server/cert
Integrate Key HSM and Key Trustee Server
The steps below assume that both Key HSM and the Key Trustee Server are on the same host system, as detailed in Installing Cloudera Navigator Key HSM. These steps invoke commands on the Key HSM service and the Key Trustee Server, and they must be run on the host—they cannot be run remotely from another host.
- Ensure the Key HSM service is running:
$ sudo service keyhsm start
- Establish trust from Key Trustee Server to Key HSM specifying the path to the private key and certificate (Key Trustee Server is a client to Key HSM). This example shows how to use the
--client-certfile and --client-keyfile options to specify the path to non-default certificate and key:
$ sudo ktadmin keyhsm --server https://keyhsm01.example.com:9090 \ --client-certfile /etc/pki/cloudera/certs/mycert.crt \ --client-keyfile /etc/pki/cloudera/certs/mykey.key --trustFor a password-protected Key Trustee Server private key, add the --passphrase argument to the command and enter the password when prompted:
$ sudo ktadmin keyhsm --passphrase \ --server https://keyhsm01.example.com:9090 \ --client-certfile /etc/pki/cloudera/certs/mycert.crt \ --client-keyfile /etc/pki/cloudera/certs/mykey.key --trust
- Restart Key Trustee Server:
- Using Cloudera Manager: Restart the Key Trustee Server service ( ).
- Using the Command Line: Restart the Key Trustee Server daemon:
- RHEL 6-compatible: $ sudo service keytrusteed restart
- RHEL 7-compatible: $ sudo systemctl restart keytrusteed
- Verify connectivity between the Key HSM service and the HSM as follows:
$ curl -k https://keytrustee01.example.com:11371/test_hsmSuccessful connection and test of operations returns output like the following:
"Sample Key TEST_HELLO_DEPOSIT2016-06-03-072718 has been created"See Verifying Key HSM Connectivity to HSM for more information about the validation process.