Cloudera Enterprise 6.3.x

Installing Key Trustee KMS

  Important: Following these instructions installs the software required to add the Key Trustee KMS service to your cluster, which lets you use Cloudera Navigator Key Trustee Server as the underlying keystore for HDFS Transparent Encryption. It does not install Key Trustee Server itself; see Installing Cloudera Navigator Key Trustee Server for those instructions. You must install Key Trustee Server before installing and using Key Trustee KMS.

  Also, when the Key Trustee KMS role is created, it is tightly bound to the identity of the host on which it is installed. Moving the role to a different host, changing the host name, or changing the IP address of the host is not supported, so decide on the host placement before you create the role.

Key Trustee KMS is a custom Key Management Server (KMS) that uses Cloudera Navigator Key Trustee Server as the underlying keystore, instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

Key Trustee KMS is supported only in Cloudera Manager deployments. You can install the software using parcels or packages, but running Key Trustee KMS outside of Cloudera Manager is not supported.

  Important: If you are using CentOS/Red Hat Enterprise Linux 5.6 or higher, or Ubuntu, which use AES-256 encryption by default for Kerberos tickets, you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files on all cluster hosts and Hadoop user machines; without them the JRE cannot process AES-256 Kerberos tickets. (Oracle JDK 8u161 and later enable the unlimited policy by default, so check the effective key-size limit before installing the files.) For JCE Policy File installation instructions, see the README.txt file included in the jce_policy-x.zip file. For additional details about installing JCE, refer to Step 2: Install JCE Policy Files for AES-256 Encryption.

Setting Up an Internal Repository

You must create an internal repository to install Key Trustee KMS. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see Configuring a Local Parcel Repository if you are using parcels, or Configuring a Local Package Repository if you are using packages.

Installing Key Trustee KMS Using Parcels

  1. Go to Hosts > Parcels.
  2. Click Configuration and add your internal repository to the Remote Parcel Repository URLs section. See Configuring Cloudera Manager to Use an Internal Remote Parcel Repository for more information.
  3. Download, distribute, and activate the Key Trustee KMS parcel. See Managing Parcels for detailed instructions on using parcels to install or upgrade components.
      Note: The KEYTRUSTEE_SERVER parcel in Cloudera Manager is not the Key Trustee KMS parcel; it is the Key Trustee Server parcel. The parcel name for Key Trustee KMS is KEYTRUSTEE.

Installing Key Trustee KMS Using Packages

  1. After Setting Up an Internal Repository, configure the Key Trustee KMS host to use the repository. See Configuring Hosts to Use the Internal Repository for more information.
  2. Because the keytrustee-keyprovider package depends on the hadoop-kms package, you must add the CDH repository. See Configuring a Local Package Repository for instructions.
  3. Install the keytrustee-keyprovider package using the appropriate command for your operating system:
    • RHEL-compatible
      sudo yum install keytrustee-keyprovider
    • SLES
      sudo zypper install keytrustee-keyprovider
    • Ubuntu or Debian
      sudo apt-get install keytrustee-keyprovider
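The three package commands above gathered into one script, as an added example that is not Cloudera's own tooling: it reads /etc/os-release to pick the package manager, installs keytrustee-keyprovider, verifies that the package and its hadoop-kms dependency are both present, and compiles a small Java class to confirm that the JRE allows AES-256, which is the check behind the JCE note earlier on this page. It assumes the internal repository and the CDH repository are already configured on the host, that the user can run sudo, and that javac and java are on the PATH. The OS-family mapping, the JceCheck class, and the --install flag are this example's own, not part of the Cloudera packages.

```shell
#!/bin/sh
# Added example (not Cloudera's own tooling): select the package manager for
# keytrustee-keyprovider from /etc/os-release, install it, confirm that the
# package and its hadoop-kms dependency are present, and check that the JRE
# allows AES-256 (the JCE unlimited policy needed for AES-256 Kerberos tickets).
# Assumes the internal and CDH repositories are already configured on the host.

# Reduce an os-release file (read from stdin) to one of: rhel, sles, debian,
# unknown. ID and ID_LIKE may be quoted, so strip quotes and lowercase them.
os_family() {
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' | tr -d '"' \
          | tr 'A-Z' 'a-z' | tr '\n' ' ')
    case " $ids " in
        *" rhel "*|*" centos "*|*" fedora "*) echo rhel ;;
        *" sles "*|*" suse "*)                echo sles ;;
        *" debian "*|*" ubuntu "*)            echo debian ;;
        *)                                    echo unknown ;;
    esac
}

# The install command for a family; fails with no output for an unsupported OS.
install_cmd() {
    case "$1" in
        rhel)   echo "sudo yum install -y keytrustee-keyprovider" ;;
        sles)   echo "sudo zypper install -y keytrustee-keyprovider" ;;
        debian) echo "sudo apt-get install -y keytrustee-keyprovider" ;;
        *)      return 1 ;;
    esac
}

# Both packages must be present: keytrustee-keyprovider depends on hadoop-kms.
verify_installed() {
    case "$1" in
        rhel|sles) rpm -q keytrustee-keyprovider hadoop-kms ;;
        debian)    dpkg -s keytrustee-keyprovider hadoop-kms >/dev/null ;;
        *)         return 1 ;;
    esac
}

# Compile and run a one-line Java program (constructed here) that reports the
# largest AES key size the JRE permits: 128 means the policy files are missing,
# an unlimited policy reports Integer.MAX_VALUE. Succeeds only if >= 256.
check_aes256() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/JceCheck.java" <<'EOF'
public class JceCheck {
    public static void main(String[] a) throws Exception {
        System.out.println(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"));
    }
}
EOF
    if javac -d "$tmp" "$tmp/JceCheck.java"; then
        max=$(java -cp "$tmp" JceCheck 2>/dev/null || echo 0)
    else
        max=0
    fi
    rm -rf "$tmp"
    [ "${max:-0}" -ge 256 ]
}

main() {
    fam=$(os_family < /etc/os-release)
    cmd=$(install_cmd "$fam") || { echo "unsupported OS family: $fam" >&2; exit 1; }
    echo "+ $cmd"
    $cmd    # unquoted on purpose: the command string is split into words
    verify_installed "$fam" || { echo "keytrustee-keyprovider or hadoop-kms missing" >&2; exit 1; }
    check_aes256 || { echo "JRE does not allow AES-256: install the JCE policy files" >&2; exit 1; }
    echo "Key Trustee KMS package install complete"
}

# Only run the install when invoked explicitly, so the functions can be
# sourced or exercised without touching the host.
if [ "${1-}" = "--install" ]; then main; fi
```

Run it as `sh install-kms.sh --install` on the Key Trustee KMS host after the repositories are configured; the AES-256 check runs last because a KMS host that passes the package checks but fails it will still reject AES-256 Kerberos tickets.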

Post-Installation Configuration

For instructions on installing Key Trustee Server and configuring Key Trustee KMS to use Key Trustee Server, see the following topics:

Page generated August 29, 2019.