Known Issues and Workarounds in Cloudera Navigator Key HSM

Key HSM Luna setup not showing the correct login status

When running the keyhsm setup luna command, you are prompted for the Luna HSM slot number and login password. Key HSM then attempts to log into the Luna HSM to verify these settings are correct. In some circumstances, the setup script reports that the login was successful, even if it failed.

Affected Version: 5.14.0

Fixed in Version: 5.16.0

Cloudera Bug: KT-6623

Workaround: Any incorrect settings will cause the Key HSM service to throw an exception upon startup and exit. If the Key HSM service does not start correctly, check the log for the message: "Unable to sign into Luna HSM server. Please rerun application with 'setup' option to configure password." If this message appears, re-run the keyhsm setup luna command, and enter the correct slot number and login password.

Roll key command throws an exception and cannot retrieve metadata for key

When using Key Trustee KMS with Key Trustee Server and Key HSM (backed by an HSM device), if there is significant (> 15 ms ping time) network latency between the Key Trustee Server and the HSM device, then EDEK generation errors can occur during the roll key operation. These errors manifest in the KMS log as errors on the generateEncryptedKey operation. The KMS will recover from these errors on its own, but they may represent a nuisance to the operator.

Affected Version: 5.14.0, 5.16.0

Cloudera Bug: KT-5646

Workaround: When these errors occur, you can use the hadoop key list -metadata command to confirm whether or not the key roll was successful, despite the error condition.

Keys with certain special characters cannot be migrated from Key Trustee Server to Key HSM

If any existing key names in Key Trustee Server use special characters other than hyphen (-), period (.), or underscore (_), or begin with non-alphanumeric characters, the migration to Key HSM fails.

Workaround: Decrypt any data using the affected key names, and re-encrypt it using a new key name without special characters, and retry the migration.

Upgrading Key HSM removes init script and binary

Upgrading Key HSM from 1.4.x to 1.5.x and higher removes the Key HSM init script and /usr/bin/keyhsm binary.

Workaround: Reinstall Key HSM:
$ sudo yum reinstall keytrustee-keyhsm

Key HSM cannot trust Key Trustee Server certificate if it has extended attributes

Key HSM cannot trust the Key Trustee Server certificate if it has extended attributes, and therefore cannot integrate with Key Trustee Server.

Workaround: Import the Key Trustee Server certificate to the Key HSM trust store using Java keytool instead of the keyhsm trust command.