Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

KMS throws exceptions

New Member

Hi,

My cluster is kerberized with KMS. When I execute the following command I am getting the below error. Could anyone help me on this asap?

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname>@0/_eek?ee_op=decrypt

{ "RemoteException" : { "message" : null, "exception" : "WebApplicationException", "javaClassName" : "javax.ws.rs.WebApplicationException" }

In the kms-audit.log I see the following error: "ErrorMsg:'Authentication required'", saying that authentication is required.

I specified the --negotiate option and the -u option as well.

But the below command is working:

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname>@0

{ "name" : "<keyname", "versionName" : "<keyname>@0", "material" : "<some value>" }

The user with which the command is being executed has a valid Kerberos ticket, and decrypt permissions are also set with the Ranger KMS web UI.

1 ACCEPTED SOLUTION

Guru

Hello @mravipati,

In order to decrypt an EEK, first you'll need to generate one. Here's what is working for me:

1. Generate EEK

# curl --negotiate -u : -iv -X GET  "http://<kms-host-fqdn>:9292/kms/v1/key/hr1-ez-key/_eek?eek_op=generate&num_keys=1"

2. Store the EEK data in a JSON file:

# cat eek.json
{
  "name" : "hr1-ez-key",
  "iv" : "38Eb8nTxxxxxUG7Rc6_wrA",
  "material" : "K8Q0bv8Hxxxxxxn9ByVnT-xxx-Bmwxxxxxy1buCk"
}

3. Call decrypt EEK while passing the above EEK data:

# curl --negotiate -u : -iv -X POST -H "Content-Type: application/json" -d @./eek.json  "http://<kms-host-fqdn>:9292/kms/v1/keyversion/hr1-ez-key@0/_eek?eek_op=decrypt"

Please note the change in the REST URL and keyname when making the decrypt request.

The error you are getting is because you are trying to do a GET request on a URL which is expecting a POST request.

Hope this helps!

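Added example, not part of the original thread: a Python sketch of how the output of step 1 maps onto the request in step 3. The helper name, the host `kms.example.com` and the sample values are hypothetical, and the layout of the generate response is an assumption taken from the Hadoop KMS REST documentation.

```python
import json
from urllib.parse import quote

# Constructed sample of an `_eek?eek_op=generate` response. The field layout
# is an assumption (Hadoop KMS REST documentation); the values are fake.
SAMPLE_GENERATE_RESPONSE = """
[
  {
    "versionName": "hr1-ez-key@0",
    "iv": "AAAAAAAAAAAAAAAAAAAAAA",
    "encryptedKeyVersion": {
      "versionName": "EEK",
      "material": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    }
  }
]
"""


def build_decrypt_request(kms_base, key_name, generate_response):
    """Map the first generated EEK onto the decrypt call (hypothetical helper)."""
    entries = json.loads(generate_response)
    if not isinstance(entries, list) or not entries:
        raise ValueError("generate response contains no EEK entries")
    eek = entries[0]
    ekv = eek["encryptedKeyVersion"]
    if ekv.get("versionName") != "EEK":
        raise ValueError("entry is not an encrypted key version")
    version = eek["versionName"]
    # The key version in the URL must belong to the key named in the body.
    if version.rsplit("@", 1)[0] != key_name:
        raise ValueError("version %r does not belong to key %r" % (version, key_name))
    return {
        "method": "POST",  # the answer above: this URL expects POST, not GET
        "url": "%s/kms/v1/keyversion/%s/_eek?eek_op=decrypt"
               % (kms_base.rstrip("/"), quote(version, safe="@")),
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"name": key_name, "iv": eek["iv"],
                            "material": ekv["material"]}),
    }


if __name__ == "__main__":
    req = build_decrypt_request("http://kms.example.com:9292", "hr1-ez-key",
                                SAMPLE_GENERATE_RESPONSE)
    print(req["method"], req["url"])
    print(req["body"])
```

The returned body has the same three fields as the eek.json in step 2, so it can be written to a file and passed to curl with `-d @./eek.json`.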