Known Issues and Workarounds in Key Trustee KMS
Cannot re-encrypt an encryption zone if a previous re-encryption on it was canceled
When canceling a re-encryption on an encryption zone, the status of the re-encryption may continue to show "Processing". When this occurs, future re-encrypt commands for this encryption zone will fail inside the NameNode, and the re-encryption will never complete.
Workaround: To clear the "Processing" status for the encryption zone, re-issue the cancel re-encryption command on that zone. If a new re-encryption command is required for the zone, restart the NameNode before issuing it.
Affected Version: 5.13.0
Adding Key Trustee KMS 5.4 to Cloudera Manager 5.5 displays warning
Adding the Key Trustee KMS service to a CDH 5.4 cluster managed by Cloudera Manager 5.5 displays the following message, even if Key Trustee KMS is installed:
"The following selected services cannot be used due to missing components: keytrustee-keyprovider. Are you sure you wish to continue with them?"
Workaround: Verify that the Key Trustee KMS parcel or package is installed and click OK to continue adding the service.
Affected Version: 5.4
KMS and Key Trustee ACLs do not work in Cloudera Manager 5.3
ACLs configured for the KMS (File) and KMS (Navigator Key Trustee) services do not work, because these services do not receive the values for hadoop.security.group.mapping and the related group mapping configuration properties.
Workaround: Add the NameNode's group mapping properties to each KMS service:
KMS (File): Add all configuration properties starting with hadoop.security.group.mapping from the NameNode core-site.xml to the KMS (File) property, Key Management Server Advanced Configuration Snippet (Safety Valve) for core-site.xml.
KMS (Navigator Key Trustee): Add all configuration properties starting with hadoop.security.group.mapping from the NameNode core-site.xml to the KMS (Navigator Key Trustee) property, Key Management Server Proxy Advanced Configuration Snippet (Safety Valve) for core-site.xml.
Affected Version: 5.3
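Added example, not Cloudera's own tooling: a small Python script that pulls every hadoop.security.group.mapping* property out of a NameNode core-site.xml and renders the <property> entries to paste into the KMS safety valve, so nothing is missed or mistyped. The core-site.xml content is constructed for the example; the real file lives in the NameNode's configuration directory.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a NameNode core-site.xml (not from the page).
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://nameservice1</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldaps://ldap.example.com:636</value>
  </property>
  <property>
    <name>hadoop.security.group.mapping.ldap.bind.user</name>
    <value>cn=hadoop,ou=svc,dc=example,dc=com</value>
  </property>
</configuration>
"""

PREFIX = "hadoop.security.group.mapping"


def group_mapping_properties(core_site_xml):
    """Return (name, value) pairs whose name starts with the group mapping prefix."""
    root = ET.fromstring(core_site_xml)
    found = []
    for prop in root.iter("property"):
        name = prop.findtext("name", default="").strip()
        if name.startswith(PREFIX):
            found.append((name, prop.findtext("value", default="").strip()))
    return found


def safety_valve_snippet(pairs):
    """Render the pairs as <property> elements; ElementTree handles XML escaping."""
    rendered = []
    for name, value in pairs:
        prop = ET.Element("property")
        ET.SubElement(prop, "name").text = name
        ET.SubElement(prop, "value").text = value
        rendered.append(ET.tostring(prop, encoding="unicode"))
    return "\n".join(rendered)


if __name__ == "__main__":
    # Pass the path to the NameNode core-site.xml; otherwise the sample is used.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CORE_SITE
    print(safety_valve_snippet(group_mapping_properties(xml_text)))
```

Any bind credentials under the same prefix are copied verbatim, so the generated snippet deserves the same handling as the source core-site.xml.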
The Key Trustee KMS service fails to start if the Trust Store is configured without also configuring the Keystore
If you configure the Key Trustee KMS service Key Management Server Proxy TLS/SSL Certificate Trust Store File and Key Management Server Proxy TLS/SSL Certificate Trust Store Password parameters without also configuring the Key Management Server Proxy TLS/SSL Server JKS Keystore File Location and Key Management Server Proxy TLS/SSL Server JKS Keystore File Password parameters, the Key Trustee KMS service does not start.
Workaround: Configure all Trust Store and Keystore parameters.
Key Trustee KMS backup script fails if PostgreSQL versions lower than 9.3 are installed
If PostgreSQL versions lower than 9.3 are installed on the Key Trustee KMS host, the ktbackup.sh script fails with an error similar to the following:
pg_dump: server version: 9.3.11; pg_dump version: 9.2.14
pg_dump: aborting because of server version mismatch
Workaround: Uninstall the lower PostgreSQL version.