Cloudera Enterprise 5.15.x | Other versions

Validating Key HSM Settings

After the setup completes, the Key HSM configuration is stored in /usr/share/keytrustee-server-keyhsm/application.properties.

You can view these settings using the service keyhsm settings command:
$ sudo service keyhsm settings

  # keyHsm Server Configuration information:
  keyhsm.management.address : 172.19.1.2
  keyhsm.server.port : 9090
  keyhsm.management.port : 9899
  keyhsm.service.port : 19791
  keyhsm.hardware : ncipher

  # Module OCS Password
  thales.ocs_password :
    GIqhXDuZsj1Oet137Lb+f+tqkYvKYDm/8StefpNqZWwlB+LfSYlB4eHd
    endtYJio8qLjjbT+e7j2th5xf8O9t8FwfVguuyFW+6wdD
    uNGvse1LY/itCwqF0ScMlB1Mnz4010xqC6ylPW7l+0JjjkkqqM5gJJbl8lsQFFaIGVM/pY=

These settings can be manually configured by modifying the application.properties file, with the exception of any passwords. These are encrypted by design, and can only be changed by re-running the setup utility.

Verifying Key HSM Connectivity to HSM

To verify Hardware Security Module (HSM) operations using Key HSM, run the following command on the Key Trustee Server host (which should also be the Key HSM host as described in Installing Cloudera Navigator Key HSM):

$ curl -k https://keytrustee01.example.com:11371/test_hsm

If Key HSM operations to the HSM are successful, the command returns output similar to the following:

"Sample Key TEST_HELLO_DEPOSIT2016-06-03-072718 has been created"

You must run this command from the Key Trustee Server host. If you run it from a different host, the command returns an HTTP 403 error code.

If the command returns an HTTP 405 error code, restart Key Trustee Server and try again.
  Note: If you are using the test_hsm script to verify that the Key Hardware Security Module (Key HSM) has successfully integrated with the Key Trustee Server, or to verify that the Key HSM is connected to HSM, and the Key Trustee Server private key file is password-protected, then the verification may fail. This can occur even if the integration is successful or connected.

If this occurs, then create a key through Hadoop for the test.

Page generated May 18, 2018.