CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

Just upgraded one of our Lab's Clusters to CDH 5.5 and it failed on the starting KMS 5.4.3 against KTS 5.4.3 which stopped the upgrade.  So I removed KMS and started the upgrade again.  This went through cleanly.  I noticed that there is a KEYTRUSTEE 5.5, so I downloaded and activated.  But I cannot add it as a Service as it does not appear on the Add Service list.  The Java Keystore KMS still appears.

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Hi Shailesh,

Are you logged in as a user with role "Cluster Administrator"?

In CM5.5, we restrict access to all HDFS encryption configuration features including adding KMS (either kind) to the newly created "Key Administrator" role. Full admins will also have access (since they can access everything). Cluster admins will not. This change was made to meet security requirements / best practices around "separation of duties".

There's also a new wizard to enable HDFS Encryption, which I highly suggest using. Please find documentation here:
http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/sg_hdfs_encryption_...

Thanks,
Darren

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

I am using the Full Administrator admin which was created when the cluster was initially created.  Just checked the Role and it says Full Administrator.  I'll take a look at the new HDFS Data Encryption wizard as well.

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

I also created a new account with Full Administrator and Key Administrator privileges.  None of these display the KEYTRUSTEE KMS Service.  Also tried the wizard and it does not allow the selection of Cloudera Navigator Key Trustee Server radio button.  Any ideas?

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

That's unexpected then. I see it on our 5.5 clusters in the Add Service Wizard options for a full admin user.

Can you check this endpoint and see if you have a Key Trustee KMS CSD installed:
<host>:7180/cmf/csd/list

You should see an entry in the JSON under "availableCsds" saying:
"csdName": "KEYTRUSTEE-5.5.0"

The only other entry with "KEYTRUSTEE" in the name should be "KEYTRUSTEE_SERVER-5.5.0".

If you've got an extra copy of the CSD lying around, you should remove it (it's probably in /opt/cloudera/csds on the CM server host) and restart CM.

To be extra safe, you may want to back up anything in /var/lib/ that has "keytrustee" or "kms" in it, just to ensure you don't lose your Key Trustee KMS encryption keys, which would cause you to lose all of your encrypted data.

Thanks,
Darren

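One way to script the check Darren describes (pull <host>:7180/cmf/csd/list, confirm KEYTRUSTEE-5.5.0 is present and installed, and look for a second copy of the descriptor that would have come from /opt/cloudera/csd) is below. This is an added example, not code from this thread or from Cloudera. The host and credentials, the assumption that the endpoint accepts HTTP basic auth, and the extra jar under /opt/cloudera/csd in the sample data are assumptions made here; the sample JSON is constructed in the shape of the output posted later in the thread.

```python
"""Check a Cloudera Manager CSD list for the Key Trustee KMS descriptor.

Added example (not from the thread or from Cloudera). Parses the JSON that
<host>:7180/cmf/csd/list returns and reports presence, install state,
duplicate copies and jars living outside CM's built-in CSD directory.
"""
import base64
import json
import urllib.request


def fetch_csd_list(host, user, password, port=7180, timeout=10):
    """Fetch the raw JSON from CM. Not exercised offline.
    Assumption: the endpoint honours HTTP basic auth for an admin user; if
    your CM only accepts the UI login session, reuse its cookie instead."""
    req = urllib.request.Request(f"http://{host}:{port}/cmf/csd/list")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_csd_list(raw):
    """Return the 'data' object, refusing anything that is not message=OK."""
    doc = json.loads(raw)
    if doc.get("message") != "OK":
        raise ValueError(f"CM returned {doc.get('message')!r}")
    return doc["data"]


def check_keytrustee(data, version="5.5.0"):
    """Report on the Key Trustee descriptors in a parsed CSD list."""
    expected = {f"KEYTRUSTEE-{version}", f"KEYTRUSTEE_SERVER-{version}"}
    wanted = f"KEYTRUSTEE-{version}"
    entries = data["availableCsds"]
    external = data["externalRootPath"].rstrip("/") + "/"

    by_name = {}
    for e in entries:
        by_name.setdefault(e["csdName"], []).append(e)

    report = {
        "present": wanted in by_name,
        "installed": any(e["isInstalled"] for e in by_name.get(wanted, [])),
        # Same csdName loaded from more than one jar: the "extra copy" case.
        "duplicates": sorted(n for n, c in by_name.items() if len(c) > 1),
        # Any KEYTRUSTEE* descriptor other than the two CM is expected to ship.
        "unexpected": sorted(
            n for n in by_name if "KEYTRUSTEE" in n and n not in expected),
        # Key Trustee jars under the external CSD root (e.g. /opt/cloudera/csd).
        "stray_external": sorted(
            e["source"] for e in entries
            if "KEYTRUSTEE" in e["csdName"] and e["source"].startswith(external)),
        "invalid": sorted(data.get("invalidCsds", {})),
    }
    report["ok"] = (report["present"] and report["installed"]
                    and not report["duplicates"] and not report["unexpected"]
                    and not report["stray_external"] and not report["invalid"])
    return report


# Constructed sample in the shape of the thread's output, trimmed to the
# relevant entries, plus an ASSUMED leftover copy of the Key Trustee KMS
# descriptor under /opt/cloudera/csd to show what a stray CSD looks like.
SAMPLE_JSON = json.dumps({
    "message": "OK",
    "data": {
        "externalRootPath": "/opt/cloudera/csd",
        "internalRootPath": "/usr/share/cmf/csd",
        "availableCsds": [
            {"csdName": "KEYTRUSTEE-5.5.0", "serviceType": "KEYTRUSTEE",
             "source": "/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar", "isInstalled": True},
            {"csdName": "KEYTRUSTEE_SERVER-5.5.0", "serviceType": "KEYTRUSTEE_SERVER",
             "source": "/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar", "isInstalled": True},
            {"csdName": "KMS-5.5.0", "serviceType": "KMS",
             "source": "/usr/share/cmf/csd/KMS-5.5.0.jar", "isInstalled": True},
            {"csdName": "KEYTRUSTEE-5.5.0", "serviceType": "KEYTRUSTEE",
             "source": "/opt/cloudera/csd/KEYTRUSTEE-5.5.0.jar", "isInstalled": False},
        ],
        "placeholderHandlers": [], "invalidCsds": {}, "repoEnabled": True,
    },
})


def clean_report():
    """Same check with the assumed stray jar removed: what a healthy CM shows."""
    data = parse_csd_list(SAMPLE_JSON)
    data["availableCsds"] = [e for e in data["availableCsds"]
                             if not e["source"].startswith(data["externalRootPath"])]
    return check_keytrustee(data)


if __name__ == "__main__":
    for label, rep in (("as sampled", check_keytrustee(parse_csd_list(SAMPLE_JSON))),
                       ("after removing stray jar", clean_report())):
        print(label, json.dumps(rep, indent=2))
```

Against a live server, replace SAMPLE_JSON with fetch_csd_list(...); a report with "stray_external" or "duplicates" populated is the cue to remove the extra jar from the external CSD directory and restart CM, after backing up the Key Trustee and KMS state under /var/lib as advised above.
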
Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Forgot to mention, you also need a license to use any of the Key Trustee stuff. What license do you have?

Java Keystore KMS does not require any license.

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

This is what came back from the URI stem:

{"message":"OK","data":{"externalRootPath":"/opt/cloudera/csd","internalRootPath":"/usr/share/cmf/csd","availableCsds":[
{"csdName":"ACCUMULO-5.5.0","serviceType":"ACCUMULO","source":"/usr/share/cmf/csd/ACCUMULO-5.5.0.jar","isInstalled":true},
{"csdName":"ACCUMULO16-5.5.0","serviceType":"ACCUMULO16","source":"/usr/share/cmf/csd/ACCUMULO16-5.5.0.jar","isInstalled":true},
{"csdName":"HIVE-5.5.0","serviceType":"HIVE","source":"/usr/share/cmf/csd/HIVE-5.5.0.jar","isInstalled":true},
{"csdName":"HUE-5.5.0","serviceType":"HUE","source":"/usr/share/cmf/csd/HUE-5.5.0.jar","isInstalled":true},
{"csdName":"ISILON-5.5.0","serviceType":"ISILON","source":"/usr/share/cmf/csd/ISILON-5.5.0.jar","isInstalled":true},
{"csdName":"KAFKA-5.5.0","serviceType":"KAFKA","source":"/usr/share/cmf/csd/KAFKA-5.5.0.jar","isInstalled":true},
{"csdName":"KEYTRUSTEE-5.5.0","serviceType":"KEYTRUSTEE","source":"/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar","isInstalled":true},
{"csdName":"KEYTRUSTEE_SERVER-5.5.0","serviceType":"KEYTRUSTEE_SERVER","source":"/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar","isInstalled":true},
{"csdName":"KMS-5.5.0","serviceType":"KMS","source":"/usr/share/cmf/csd/KMS-5.5.0.jar","isInstalled":true},
{"csdName":"SPARK-5.5.0","serviceType":"SPARK","source":"/usr/share/cmf/csd/SPARK-5.5.0.jar","isInstalled":true},
{"csdName":"SPARK_ON_YARN-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN-5.5.0.jar","isInstalled":true},
{"csdName":"SPARK_ON_YARN53-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN53-5.5.0.jar","isInstalled":true},
{"csdName":"SPARK_ON_YARN54-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN54-5.5.0.jar","isInstalled":true},
{"csdName":"SQOOP_CLIENT-5.5.0","serviceType":"SQOOP_CLIENT","source":"/usr/share/cmf/csd/SQOOP_CLIENT-5.5.0.jar","isInstalled":true}
],"placeholderHandlers":[],"invalidCsds":{},"repoEnabled":true}}

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Looks like Key Trustee KMS is installed correctly. How about your license?

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

We are licenced for 5.4.3 KTS which worked with KMS 5.4.3.  Has the licensing changed?  Btw this cluster is using Trial Data Hub Licence, does that make a difference?

Re: CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Hi Shailesh,

We don't permit the Key Trustee stuff in trial anymore for 5.5 since we didn't want people to see an option for which they can't install the bits. Key Trustee Server bits aren't publicly available.

You seem to be in a special situation where you actually do have a license to use Key Trustee Server, but your CM doesn't have an enterprise license installed. Please work with your account team to get this license for CM, which should be included with any Cloudera subscription.

Thanks,
Darren