Known Issues and Workarounds in Cloudera Navigator Key HSM

Roll key command throws an exception and cannot retrieve metadata for key

When using Key Trustee KMS with Key Trustee Server and Key HSM (backed by an HSM device), if there is significant (> 15 ms ping time) network latency between the Key Trustee Server and the HSM device, then EDEK generation errors can occur during the roll key operation. These errors manifest in the KMS log as errors on the generateEncryptedKey operation. The KMS will recover from these errors on its own, but they may represent a nuisance to the operator.

Affected Version: 5.14.0

Cloudera Bug: KT-5646

Workaround: When these errors occur, you can use the hadoop key list -metadata command to confirm whether or not the key roll was successful, despite the error condition.

Keys with certain special characters cannot be migrated from Key Trustee Server to Key HSM

If any existing key names in Key Trustee Server use special characters other than hyphen (-), period (.), or underscore (_), or begin with non-alphanumeric characters, the migration to Key HSM fails.

Workaround: Decrypt any data encrypted with the affected keys, re-encrypt it under a new key whose name contains no special characters, then retry the migration.
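A pre-migration check for the key-name restriction above, as an added example that is not part of Cloudera's documentation or tooling: it applies the rule as stated (first character alphanumeric, remaining characters alphanumeric, hyphen, period or underscore) to the names in a `hadoop key list` listing, so offending keys can be re-keyed before the migration is attempted. The sample listing is constructed, and the assumption is the plain `hadoop key list` format of one header line followed by one key name per line.

```python
import re

# Rule as stated in the known issue: the first character must be alphanumeric,
# later characters may be alphanumeric, hyphen, period or underscore. Anything
# else is assumed to block the Key Trustee Server -> Key HSM migration.
FIRST_OK = re.compile(r"[A-Za-z0-9]")
REST_OK = re.compile(r"[A-Za-z0-9._-]")


def offending_characters(name):
    """Return (position, character) pairs in `name` that violate the rule."""
    bad = []
    for i, ch in enumerate(name):
        pattern = FIRST_OK if i == 0 else REST_OK
        if not pattern.fullmatch(ch):
            bad.append((i, ch))
    return bad


def is_migratable(name):
    return bool(name) and not offending_characters(name)


def parse_key_list(output):
    """Extract key names from `hadoop key list` output (assumed format:
    a 'Listing keys for KeyProvider' header, then one key name per line)."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Listing keys for KeyProvider"):
            continue
        names.append(line)
    return names


def audit(output):
    """Map each key name that would fail migration to its offending characters."""
    return {n: offending_characters(n)
            for n in parse_key_list(output) if not is_migratable(n)}


# Constructed sample listing; hostname and key names are placeholders.
SAMPLE = """Listing keys for KeyProvider: kms://http@kms.example.internal:16000/kms
hdfs-zone1.key
_legacy_key
finance key
zone2/key
Zone_3
"""

if __name__ == "__main__":
    for name, chars in audit(SAMPLE).items():
        print(f"{name!r}: offending characters {chars}")
```

Keys reported by the audit are the ones to re-key under a compliant name before re-running the migration.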

Upgrading Key HSM removes init script and binary

Upgrading Key HSM from 1.4.x to 1.5.x and higher removes the Key HSM init script and /usr/bin/keyhsm binary.

Workaround: Reinstall Key HSM:
$ sudo yum reinstall keytrustee-keyhsm

Key HSM cannot trust Key Trustee Server certificate if it has extended attributes

Key HSM cannot trust the Key Trustee Server certificate if it has extended attributes, and therefore cannot integrate with Key Trustee Server.

Workaround: Import the Key Trustee Server certificate to the Key HSM trust store using Java keytool instead of the keyhsm trust command.