Cloudera Enterprise 6.0.x | Other versions
HSM-Specific Setup for Cloudera Navigator Key HSM
Thales HSM
By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using ports 11500 and 11501.
To change the Thales client ports, run the following commands:
$ sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501 $ sudo /opt/nfast/sbin/init.d-ncipher restart
To configure Key HSM to use the modified port, edit the /usr/share/keytrustee-server-keyhsm/start.sh file and add the -DNFAST_SERVER_PORT=11500 Java system property. For example:
java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@
Before completing the Thales HSM setup, run the nfkminfo command to verify that the Thales HSM is properly configured:
$ sudo /opt/nfast/bin/nfkminfo
World generation 2
state 0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient
RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebugIf state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for instructions.
After entering the Key HSM listener IP address and port, the HSM setup for Thales prompts for the OCS card password:
Please enter the OCS Card Password (input suppressed): Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Luna HSM
Important: If you have implemented Key Trustee Server high availability, ensure that
the Luna client on each Key Trustee Server is configured with access to the same partition. See the Luna product documentation for instructions on configuring the Luna client.Before completing the Luna HSM setup, run the vtl verify command (usually located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is properly configured.
After entering the Key HSM listener IP address and port, the HSM setup for Luna prompts for the slot number and password:
-- Configuring SafeNet Luna HSM -- Please enter SafeNetHSM Slot Number: 1 Please enter SafeNet HSM password (input suppressed): Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration) Configuration saved in 'application.properties' file
See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.
Page generated September 13, 2018.
| << Initializing Navigator Key HSM | ©2016 Cloudera, Inc. All rights reserved | Validating Key HSM Settings >> |
| Terms and Conditions Privacy Policy |