Known Issues and Workarounds in Cloudera Navigator HSM KMS

Timeout error during encryption zone key creation

There are situations where the key cache is synchronously populated to capacity during the create encryption zone operation. The expected behavior is that the key cache is synchronously populated only to the low watermark level (the rest of the keys should be created asynchronously).

Workaround: On the HSM KMS, in the field HSM KMS Proxy Advanced Configuration Snippet (Safety Valve) for kms-site.xml:
  • .05
  • 30
On the HDFS, in the field HDFS Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
  • 30
  • .05

Affected Version: 5.13.0

Key description is not synchronized with the second metastore

If the description option is specified as the argument in a Hadoop key create command, then the description information is stored only on the KMS instance that responds to the create request. The description metadata is not synchronized to the other KMS instances in the role group. This does not affect normal key operations.

Workaround: Use the -provider argument on the key list operation to target key queries to a specific KMS instance.

Affected Version(s): 5.12.0

Fixed Version: 5.12.1
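Because the description is stored only on the KMS instance that handled the create request, the practical check is to query each instance directly with -provider and compare what they report. The following script is an added example, not Cloudera's code; it assumes the standard Hadoop KeyShell invocation hadoop key list -metadata -provider <uri>, assumes that command prints one "<keyname> : cipher: ..., description: ..., created: ..." line per key, and uses constructed provider URIs (kms://https@kms-a:16000/kms and kms://https@kms-b:16000/kms) in place of real hostnames. HADOOP_KEY_CMD is a hypothetical override so the comparison logic can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not part of the Cloudera documentation or product).
# Assumes the Hadoop KeyShell CLI: "hadoop key list -metadata -provider <uri>".
# HADOOP_KEY_CMD is a hypothetical override used only to substitute a stub.
HADOOP_KEY_CMD="${HADOOP_KEY_CMD:-hadoop key}"

# key_description <provider-uri> <keyname>
# Prints the description that one KMS instance reports for a key, or
# "(none)" if that instance has no description for it. Prints nothing if
# the key is not listed at all by that instance.
key_description() {
    provider="$1"
    keyname="$2"
    # Assumed output format: "<keyname> : cipher: ..., length: ..., description: <text>, created: ..."
    # The description field is taken up to the next comma.
    $HADOOP_KEY_CMD list -metadata -provider "$provider" \
        | awk -v k="$keyname" '
            $1 == k {
                if (match($0, /description: [^,]*/))
                    print substr($0, RSTART + 13, RLENGTH - 13)
                else
                    print "(none)"
            }'
}

# compare_descriptions <keyname> <provider-uri>...
# Prints "<uri><TAB><description>" for every instance asked, and returns 1
# when the instances disagree (the desync this known issue describes).
compare_descriptions() {
    keyname="$1"
    shift
    first_set=0
    first=""
    rc=0
    for uri in "$@"; do
        d="$(key_description "$uri" "$keyname")"
        printf '%s\t%s\n' "$uri" "$d"
        if [ "$first_set" -eq 0 ]; then
            first="$d"
            first_set=1
        elif [ "$d" != "$first" ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_key_desc.sh <keyname> <provider-uri> [<provider-uri>...]
# Example (constructed URIs):
#   ./check_key_desc.sh ezkey kms://https@kms-a:16000/kms kms://https@kms-b:16000/kms
if [ $# -ge 2 ]; then
    compare_descriptions "$@"
fi
```

A non-zero exit marks the key whose description lives on only one instance; the instance printing "(none)" or "null" is the one that did not serve the create request. Descriptions containing a comma are truncated at the comma by this parser, which is acceptable for a consistency check but not for reproducing the text.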

HSM KMS Luna may need to be restarted if inactive for extended period

If Hadoop key operations return com.safenetinc.luna.exception.LunaCryptokiException after the KMS has been running without activity for an extended period of time, the Luna session may have been dropped.

Workaround: Restart the KMS service.

Affected Version(s): 5.12.0

Creating multiple instances of HSM KMS on the same host and port causes an error upon delete

Creating a KMS role instance on a host that previously hosted a KMS role instance in the same role group that had its data directories deleted results in errors when attempting to run Hadoop key delete operations.

Workaround: This workaround requires the assistance of Cloudera support; request assistance with issue KT-4992.

Incorrect status for "Restart stale services" step in HDFS encryption wizard post-service installation

There are times when completion of the HDFS Encryption Wizard does not show an active "Restart stale services and redeploy client configuration" link.

Workaround: Refresh the page and the link should become active.

The encryption wizard continues to fail if there is a failure during initial configuration run

The encryption wizard continues to fail if there was a failure during the initial run configuring HSM KMS.

Workaround: Open Cloudera Manager in another browser tab, and manually stop the installed KMS by clicking the arrow next to the KMS and selecting Stop. Then retry the installation in the new tab after correcting the cause of the install failure.

Before installing the Thales backed HSM KMS, you must add the KMS user to the nfast group

After installation of the Thales HSM client, and before installing Navigator HSM KMS backed by Thales HSM, you must add the KMS user to the nfast group.

Workaround: Run the following command to manually add the KMS user to the nfast group:

usermod -a -G nfast kms