Known Issues and Workarounds in Cloudera Navigator Key Trustee Server

Key Trustee KMS cannot connect to Key Trustee Server using TLS versions other than 1.0 on JDK 7

If you have configured Key Trustee Server to use a TLS version other than 1.0, Key Trustee KMS fails to connect to Key Trustee Server, and key operations fail, when Key Trustee KMS runs on JDK 7.

Workaround: Configure Key Trustee Server to use TLS version 1.0 only, or run Key Trustee KMS on JDK 8.

Key Trustee Server cannot use TLS version 1.2 on RHEL 6

Configuring Key Trustee Server to use TLS version 1.2 causes Key Trustee Server to be unable to start.

Workaround: Use your operating system package manager to upgrade the pyOpenSSL package to version 1.4 or higher, or do not configure Key Trustee Server to use TLS version 1.2.

Upgraded passive Key Trustee Server fails to start due to incorrect ownership of recovery.conf

Passive Key Trustee Servers upgraded from Key Trustee Server 3.8.x or lower fail to start with the following error:

WARNING:root:stdout pg_basebackup: directory "/var/lib/pgsql/9.3/keytrustee" exists but is not empty
Traceback (most recent call last):
  File "/usr/bin/ktadmin", line 484, in <module>
  File "/usr/bin/ktadmin", line 473, in main
  File "/usr/bin/ktadmin", line 349, in init_slave
    pgsetup.base_backup(ARGS.pg_rootdir, ARGS.master, PKG, run_as=ARGS.postgres_user)
  File "/usr/lib/python2.6/site-packages/keytrustee/server/setup/", line 206, in base_backup
    run([pg_basebackup, '-D', dest, '--host=%s' % master_ip, '--port=%d' % port, '--username=%s' % db_user], run_as=run_as)
  File "/usr/lib/python2.6/site-packages/keytrustee/", line 145, in run
    raise subprocess.CalledProcessError(p.returncode, cmd)
subprocess.CalledProcessError: Command '['/usr/pgsql-9.3/bin/pg_basebackup', '-D', '/var/lib/pgsql/9.3/keytrustee', '', '--port=5432', '--username=keytrustee']' returned non-zero exit status 1

Workaround: Change the owner and group of /var/lib/pgsql/9.3/keytrustee/recovery.conf to postgres:
$ sudo chown postgres:postgres /var/lib/pgsql/9.3/keytrustee/recovery.conf

Key Trustee Server cannot communicate with Key HSM when its private key is in PKCS8 format

If its private key is in PKCS8 format, Key Trustee Server cannot communicate with Key HSM.

Workaround: Convert the Key Trustee Server private key to raw RSA format.
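The conversion this workaround calls for, as an added shell example that is not part of the Cloudera documentation: it assumes "raw RSA format" means the traditional PKCS#1 PEM encoding (BEGIN RSA PRIVATE KEY) and that the openssl CLI is available; the file names are placeholders.

```shell
#!/bin/sh
# Added example: convert a PKCS#8 PEM private key to the traditional
# PKCS#1 ("BEGIN RSA PRIVATE KEY") encoding assumed here to be what the
# workaround calls "raw RSA format". Requires the openssl CLI.

# Report which PEM encoding a private key file uses.
key_format() {
  if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo rsa
  elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo pkcs8-encrypted
  elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
  else echo unknown
  fi
}

# Write the key in $1 to $2 in PKCS#1 form and print the resulting format.
# OpenSSL 3.x emits PKCS#8 by default and needs -traditional for PKCS#1;
# OpenSSL 1.x rejects that flag but already writes PKCS#1 by default.
convert_pkcs8_to_rsa() {
  in="$1"; out="$2"
  if ! openssl rsa -in "$in" -out "$out" -traditional 2>/dev/null; then
    openssl rsa -in "$in" -out "$out" 2>/dev/null
  fi
  chmod 600 "$out"   # the converted file is still a private key
  key_format "$out"
}

# Self-check on a constructed throwaway key (not a real Key Trustee key):
# generate PKCS#8, convert, and confirm the modulus is unchanged.
demo_convert() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/kts_pkcs8.pem" 2>/dev/null
  before=$(key_format "$dir/kts_pkcs8.pem")
  after=$(convert_pkcs8_to_rsa "$dir/kts_pkcs8.pem" "$dir/kts_rsa.pem")
  m1=$(openssl rsa -in "$dir/kts_pkcs8.pem" -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -in "$dir/kts_rsa.pem" -noout -modulus 2>/dev/null)
  rm -rf "$dir"
  [ "$before" = pkcs8 ] && [ "$after" = rsa ] && [ "$m1" = "$m2" ]
}

demo_convert && echo "PKCS#8 -> PKCS#1 conversion verified"
```

For a passphrase-protected PKCS#8 key, add `-passin` to the openssl rsa calls so the conversion does not block on a prompt.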

Key Trustee Server backup script fails if PostgreSQL versions lower than 9.3 are installed

If PostgreSQL versions lower than 9.3 are installed on the Key Trustee Server host, the backup script fails with an error similar to the following:

pg_dump: server version: 9.3.11; pg_dump version: 9.2.14
pg_dump: aborting because of server version mismatch

Workaround: Uninstall the lower PostgreSQL version.

Key migration fails when password-protected certificates are stored in a non-default location

Key migration from Key Trustee Server to Key HSM fails when using password-protected certificates in a non-default location.

Workaround: Use the --passphrase option with the ktadmin keyhsm command to prompt for the password. See Integrating Key HSM with Key Trustee Server for more information.