HSM-Specific Setup for Cloudera Navigator Key HSM
SafeNet KeySecure
Note: KeySecure was previously named DataSecure, but the Key HSM configuration process is the same
for both.
Prerequisites
Before setting up SafeNet KeySecure, be sure to:
- Set the protocol to NAE-XML
- Set Allow Key and Policy Configuration Operations to enabled
- Set Password Authentication to required
- Disable Client Certificate Authentication
- Set KeySecure Crypto Operations to activated
After entering the Key HSM listener IP address and port, the HSM setup for SafeNet KeySecure prompts for login credentials, the IP address of the KeySecure HSM, and the port number:
-- Ingrian HSM Credential Configuration -- Please enter HSM login USERNAME: keyhsm Please enter HSM login PASSWORD: ****** Please enter HSM IP Address or Hostname: 172.19.1.135 Please enter HSM Port number: 9020
If the connection is successful, the following message is displayed:
Valid address: :[ Successful ]
The KeySecure setup utility then prompts you whether to use SSL:
Use SSL? [Y/n] Y
If you choose to use SSL, Key HSM attempts to resolve the server certificate, and prompts you to trust the certificate:
[0] Version: 3 SerialNumber: 0 IssuerDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev, CN=172.19.1.135,E=webadmin@example.com Start Date: Thu Jan 29 09:55:57 EST 2015 Final Date: Sat Jan 30 09:55:57 EST 2016 SubjectDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev, CN=172.19.1.135,E=webadmin@example.com Public Key: RSA Public Key modulus: abe4a8dcef92e145984309bd466b33b35562c7f875 1d1c406b1140e0584890272090424eb347647ba04b 34757cacc79652791427d0d8580a652c106bd26945 384b30b8107f8e15d2deba8a4e868bf17bb0207383 7cffef0ef16d5b5da5cfb4d3625c0affbda6320daf 7c6b6d8adfcb563960fcd1207c059300feb6513408 79dd2d929a5b986517531be93f113c8db780c92ddf 30f5c8bf2b0bea60359b67be306c520358cc0c3fc3 65500d8abeeac99e53cc2b369b2031174e72e6fca1 f9a4639e09240ed6d4a73073885868e814839b09d5 6aa98a5a1e230b46cdb4818321f546ac15567c5968 33be47ef156a73e537fd09605482790714f4a276e5 f126f935 public exponent: 10001 Signature Algorithm: SHA256WithRSAEncryption Signature: 235168c68567b27a30b14ab443388039ff12357f 99ba439c6214e4529120d6ccb4a9b95ab25f81b4 7deb9354608df45525184e75e80eb0948eae3e15 c25c1d58c4f86cb9616dc5c68dfe35f718a0b6b5 56f520317eb5b96b30cd9d027a0e42f60de6dd24 5598d1fcea262b405266f484143a74274922884e 362192c4f6417643da2df6dd1a538d6d5921e78e 20a14e29ca1bb82b57c02000fa4907bd9f3c890a bdae380c0b4dc68710deeaef41576c0f767879a7 90f30a4b64a6afb3a1ace0f3ced17ae142ee6f18 5eff64e8b710606b28563dd99e8367a0d3cbab33 2e59c03cadce3a5f4e0aaa9d9165e96d062018f3 6a7e8e3075c40a95d61ebc8db43d77e7 Extensions: critical(false) BasicConstraints: isCa(true) critical(false) NetscapeCertType: 0xc0 Trust this server? [y/N] Y Trusted server: :[ Successful ]
Thales HSM
By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using ports 11500 and 11501.
To change the Thales client ports, run the following commands:
$ sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501 $ sudo /opt/nfast/sbin/init.d-ncipher restart
To configure Key HSM to use the modified port, edit the /usr/share/keytrustee-server-keyhsm/start.sh file and add the -DNFAST_SERVER_PORT=11500 Java system property. For example:
java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@
Before completing the Thales HSM setup, run the nfkminfo command to verify that the Thales HSM is properly configured:
$ sudo /opt/nfast/bin/nfkminfo World generation 2 state 0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug
If state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for instructions.
After entering the Key HSM listener IP address and port, the HSM setup for Thales prompts for the OCS card password:
Please enter the OCS Card Password (input suppressed): Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Luna HSM
Important: If you have implemented Key Trustee Server high availability, ensure that
the Luna client on each Key Trustee Server is configured with access to the same partition. See the Luna product documentation for instructions on configuring the Luna client.
Before completing the Luna HSM setup, run the vtl verify command (usually located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is properly configured.
After entering the Key HSM listener IP address and port, the HSM setup for Luna prompts for the slot number and password:
-- Configuring SafeNet Luna HSM -- Please enter SafeNetHSM Slot Number: 1 Please enter SafeNet HSM password (input suppressed): Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration) Configuration saved in 'application.properties' file
See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.
Page generated May 18, 2018.
<< Initializing Navigator Key HSM | ©2016 Cloudera, Inc. All rights reserved | Validating Key HSM Settings >> |
Terms and Conditions Privacy Policy |