HSM-Specific Setup for Cloudera Navigator Key HSM
SafeNet KeySecure
Prerequisites
Before setting up SafeNet KeySecure, be sure to:
- Set the protocol to NAE-XML
- Set Allow Key and Policy Configuration Operations to enabled
- Set Password Authentication to required
- Disable Client Certificate Authentication
- Set KeySecure Crypto Operations to activated
-- Ingrian HSM Credential Configuration -- Please enter HSM login USERNAME: keyhsm Please enter HSM login PASSWORD: ****** Please enter HSM IP Address or Hostname: 172.19.1.135 Please enter HSM Port number: 9020
Valid address: :[ Successful ]
Use SSL? [Y/n] Y
[0] Version: 3 SerialNumber: 0 IssuerDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev, CN=172.19.1.135,[email protected] Start Date: Thu Jan 29 09:55:57 EST 2015 Final Date: Sat Jan 30 09:55:57 EST 2016 SubjectDN: C=US,ST=TX,L=Austin,O=ACME,OU=Dev, CN=172.19.1.135,[email protected] Public Key: RSA Public Key modulus: abe4a8dcef92e145984309bd466b33b35562c7f875 1d1c406b1140e0584890272090424eb347647ba04b 34757cacc79652791427d0d8580a652c106bd26945 384b30b8107f8e15d2deba8a4e868bf17bb0207383 7cffef0ef16d5b5da5cfb4d3625c0affbda6320daf 7c6b6d8adfcb563960fcd1207c059300feb6513408 79dd2d929a5b986517531be93f113c8db780c92ddf 30f5c8bf2b0bea60359b67be306c520358cc0c3fc3 65500d8abeeac99e53cc2b369b2031174e72e6fca1 f9a4639e09240ed6d4a73073885868e814839b09d5 6aa98a5a1e230b46cdb4818321f546ac15567c5968 33be47ef156a73e537fd09605482790714f4a276e5 f126f935 public exponent: 10001 Signature Algorithm: SHA256WithRSAEncryption Signature: 235168c68567b27a30b14ab443388039ff12357f 99ba439c6214e4529120d6ccb4a9b95ab25f81b4 7deb9354608df45525184e75e80eb0948eae3e15 c25c1d58c4f86cb9616dc5c68dfe35f718a0b6b5 56f520317eb5b96b30cd9d027a0e42f60de6dd24 5598d1fcea262b405266f484143a74274922884e 362192c4f6417643da2df6dd1a538d6d5921e78e 20a14e29ca1bb82b57c02000fa4907bd9f3c890a bdae380c0b4dc68710deeaef41576c0f767879a7 90f30a4b64a6afb3a1ace0f3ced17ae142ee6f18 5eff64e8b710606b28563dd99e8367a0d3cbab33 2e59c03cadce3a5f4e0aaa9d9165e96d062018f3 6a7e8e3075c40a95d61ebc8db43d77e7 Extensions: critical(false) BasicConstraints: isCa(true) critical(false) NetscapeCertType: 0xc0 Trust this server? [y/N] Y Trusted server: :[ Successful ]
CloudHSM
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg Connecting to the server(s), it may take time depending on the server(s) load, please wait... Connecting to server '<hsm ip>': hostname '<hsm ip>', port 2225... Connected to server '<hsm ip>': hostname '<hsm ip>', port 2225. aws-cloudhsm>quit
-- Configuring CloudHSM -- Please enter the crypto user name: <username> Please enter the crypto user password (input suppressed): Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use keyhsm settings to quickly view your current configuration)
Thales HSM
By default, the Thales HSM client process listens on ports 9000 and 9001. The Cloudera Manager agent also listens on port 9000. To prevent a port conflict, you must change the Thales client ports. Cloudera recommends using ports 11500 and 11501.
sudo /opt/nfast/bin/config-serverstartup --enable-tcp --enable-privileged-tcp --port=11500 --privport=11501 sudo /opt/nfast/sbin/init.d-ncipher restart
java -classpath "*:/usr/safenet/lunaclient/jsp/lib/*:/opt/nfast/java/classes/*" -Djava.library.path=/usr/safenet/lunaclient/jsp/lib/ -DNFAST_SERVER_PORT=11500 com.cloudera.app.run.Program $@
$ sudo /opt/nfast/bin/nfkminfo World generation 2 state 0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes SEEDebug
If state reports !Usable instead of Usable, configure the Thales HSM before continuing. See the Thales product documentation for instructions.
Please enter the OCS Card Password (input suppressed): Configuration saved in 'application.properties' file Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration)
Luna HSM
Before completing the Luna HSM setup, run the vtl verify command (usually located at /usr/safenet/lunaclient/bin/vtl) to verify that the Luna HSM is properly configured.
-- Configuring SafeNet Luna HSM -- Please enter SafeNetHSM Slot Number: 1 Please enter SafeNet HSM password (input suppressed): Configuration stored in: 'application.properties'. (Note: You can also use service keyHsm settings to quickly view your current configuration) Configuration saved in 'application.properties' file
See the Luna product documentation for instructions on configuring your Luna HSM if you do not know what values to enter here.