question Re: Do we need Cloudera Navigator to Install KMS and KTS? in Support Questions

Do we need Cloudera Navigator to Install KMS and KTS?

Mondi — Fri, 07 Aug 2020 02:17:31 GMT

We are planning to install KMS and KTS but do we need Cloudera Navigator to Install KMS and KTS? if not required, then how to install it without Cloudera Navigator?

Re: Do we need Cloudera Navigator to Install KMS and KTS?

paras — Fri, 07 Aug 2020 08:09:48 GMT

@Mondi

You do not need to install Cloudera Navigator for KMS and KTS.

Refer : https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_prereqs.html#concept_g23_454_y5__section_n4w_b5v_ls

Please refer below documents for encrypting data at rest requirement and installing KMS and KTS. You must install Key Trustee Server before installing and using Key Trustee KMS.

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_planning.html#concept_c4m_knq_w5

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/key_trustee_install.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--7b84

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_ig_install_keytrustee.html#xd_583c10bfdbd326ba-590cb1d1-149e9ca9886--7860

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Mondi — Mon, 10 Aug 2020 01:40:05 GMT

Hi @paras , do I need to install this first? how can I know if I have already installed key trustee server?

Re: Do we need Cloudera Navigator to Install KMS and KTS?

paras — Mon, 10 Aug 2020 13:25:38 GMT

@Mondi

Cloudera provides two implementations of the Hadoop KMS. Refer below document for more details.

https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms.html

You need to install Key Trustee KMS only when using KTS as backing keystore instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

There should be a separate cluster for keytrustee server. This would be mentioned as one of the steps when you enable HDFS encryption via the wizard.

Refer below document

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/sg_hdfs_encryption_wizard.html#concept_n2p_5vq_vt

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Mondi — Tue, 11 Aug 2020 10:28:11 GMT

Hi @paras

thanks for replying. if my understanding is correct, you mean that my KMS or KTS server must be in a different cluster? the server must no be registered on the same cluster?

Also do we need SSL for the KMS? we are planning to install the default Hadoop KMS Java Keystore KMS.

Re: Do we need Cloudera Navigator to Install KMS and KTS?

paras — Tue, 11 Aug 2020 13:53:16 GMT

@Mondi

KMS service should be installed on your CDH cluster. Before installing KMS, you should have a dedicated cluster added using the Cloudera manager Add Cluster option which has the KTS service roles installed.

If you are installing default Hadoop KMS Java Keystore KMS, the above can be ignored since the default Hadoop KMS included in CDH uses a file-based Java KeyStore (JKS) for its backing keystore. You can simply add the service from Cloudera Manager.

Cloudera strongly recommends that you enable TLS for both the HDFS and the Key Trustee KMS services to prevent the passage of plain text key material between the KMS and HDFS data nodes.

Refer below document

https://docs.cloudera.com/documentation/enterprise/latest/topics/sg_hdfs_encryption_wizard.html#concept_fcq_phr_wt

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Mondi — Wed, 12 Aug 2020 01:56:40 GMT

Thanks for your answer. @paras one more thing, Java Keystore KMS requires SSL? can I do encryption without an SSL using Java Keystore KMS?

Re: Do we need Cloudera Navigator to Install KMS and KTS?

paras — Wed, 12 Aug 2020 15:24:54 GMT

@Mondi

It is not compulsory to enable SSL but recommended to prevent the passage of plain text key material between the KMS and HDFS data nodes.

You can continue to install Java Keystore KMS without adding SSL configurations.

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.