Known Issues and Workarounds in Cloudera Navigator Key HSM

Keys with certain special characters cannot be migrated from Key Trustee Server to Key HSM

If any existing key names in Key Trustee Server use special characters other than hyphen (-), period (.), or underscore (_), or begin with non-alphanumeric characters, the migration to Key HSM fails.

Workaround: Decrypt any data using the affected key names, and re-encrypt it using a new key name without special characters, and retry the migration.

Upgrading Key HSM removes init script and binary

Upgrading Key HSM from 1.4.x to 1.5.x and higher removes the Key HSM init script and /usr/bin/keyhsm binary.

Workaround: Reinstall Key HSM:
$ sudo yum reinstall keytrustee-keyhsm

Key HSM cannot trust Key Trustee Server certificate if it has extended attributes

Key HSM cannot trust the Key Trustee Server certificate if it has extended attributes, and therefore cannot integrate with Key Trustee Server.

Workaround: Import the Key Trustee Server certificate to the Key HSM trust store using Java keytool instead of the keyhsm trust command.