
CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

Just upgraded one of our Lab's Clusters to CDH 5.5 and it failed on the starting KMS 5.4.3 against KTS 5.4.3 which stopped the upgrade.  So I removed KMS and started the upgrade again.  This went through cleanly.  I noticed that there is a KEYTRUSTEE 5.5, so I downloaded and activated.  But I cannot add it as a Service as it does not appear on the Add Service list.  The Java Keystore KMS still appears.

1 ACCEPTED SOLUTION

Hi Shailesh,

We don't permit the Key Trustee stuff in trial anymore for 5.5 since we didn't want people to see an option for which they can't install the bits. Key Trustee Server bits aren't publicly available.

You seem to be in a special situation where you actually do have a license to use Key Trustee Server, but your CM doesn't have an enterprise license installed. Please work with your account team to get this license for CM, which should be included with any Cloudera subscription.

Thanks,
Darren



Hi Shailesh,

Are you logged in as a user with role "Cluster Administrator"?

In CM5.5, we restrict access to all HDFS encryption configuration features including adding KMS (either kind) to the newly created "Key Administrator" role. Full admins will also have access (since they can access everything). Cluster admins will not. This change was made to meet security requirements / best practices around "separation of duties".

There's also a new wizard to enable HDFS Encryption, which I highly suggest using. Please find documentation here:
http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/sg_hdfs_encryption_...

Thanks,
Darren

Contributor

I am using the Full Administrator admin which was created when the cluster was initially created.  Just checked the Role and it says Full Administrator.  I'll take a look at the new HDFS Data Encryption wizard as well.

Contributor

I also created a new account with Full Administrator and Key Administrator privileges.  None of these display the KEYTRUSTEE KMS Service.  Also tried the wizard and it does not allow the selection of Cloudera Navigator Key Trustee Server radio button.  Any ideas?

That's unexpected then. I see it on our 5.5 clusters in the Add Service Wizard options for a full admin user.

Can you check this endpoint and see if you have a Key Trustee KMS CSD installed:
<host>:7180/cmf/csd/list

You should see an entry in the JSON under "availableCsds" saying:
"csdName": "KEYTRUSTEE-5.5.0"

The only other entry with "KEYTRUSTEE" in the name should be "KEYTRUSTEE_SERVER-5.5.0".

If you've got an extra copy of the CSD lying around, you should remove it (it's probably in /opt/cloudera/csds on the CM server host) and restart CM.

To be extra safe, you may want to back up anything in /var/lib/ that has "keytrustee" or "kms" in it, just to ensure you don't lose your Key Trustee KMS encryption keys, which would cause you to lose all of your encrypted data.

Thanks,
Darren
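One way to automate the check Darren describes above, as an added example that is neither from this thread nor from Cloudera: it parses the JSON returned by <host>:7180/cmf/csd/list and reports whether KEYTRUSTEE-5.5.0 and KEYTRUSTEE_SERVER-5.5.0 are present and installed, whether any CSD name appears twice (a stray copy under /opt/cloudera/csd), and whether CM rejected any descriptor. The sample payload is constructed; fetching the live endpoint with CM credentials is assumed to be done separately.

```python
"""Check a Cloudera Manager /cmf/csd/list response for the Key Trustee KMS CSD.

Added example (not from the forum thread or from Cloudera). The payload
below is a constructed, trimmed version of the endpoint's JSON with a
duplicate KEYTRUSTEE entry added to show how a stray copy is flagged.
"""
import json
from collections import Counter

# Descriptors that must be installed for Key Trustee KMS to be offered.
EXPECTED = {"KEYTRUSTEE-5.5.0", "KEYTRUSTEE_SERVER-5.5.0"}

SAMPLE = json.dumps({
    "message": "OK",
    "data": {
        "externalRootPath": "/opt/cloudera/csd",
        "internalRootPath": "/usr/share/cmf/csd",
        "availableCsds": [
            {"csdName": "KEYTRUSTEE-5.5.0", "serviceType": "KEYTRUSTEE",
             "source": "/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar", "isInstalled": True},
            {"csdName": "KEYTRUSTEE_SERVER-5.5.0", "serviceType": "KEYTRUSTEE_SERVER",
             "source": "/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar", "isInstalled": True},
            {"csdName": "KMS-5.5.0", "serviceType": "KMS",
             "source": "/usr/share/cmf/csd/KMS-5.5.0.jar", "isInstalled": True},
            # Constructed stray copy in the external CSD directory.
            {"csdName": "KEYTRUSTEE-5.5.0", "serviceType": "KEYTRUSTEE",
             "source": "/opt/cloudera/csd/KEYTRUSTEE-5.5.0.jar", "isInstalled": False},
        ],
        "invalidCsds": {},
    },
})


def check_csd_list(payload):
    """Return missing expected CSDs, duplicated names (with their sources),
    descriptors CM marked invalid, and every name containing KEYTRUSTEE."""
    data = json.loads(payload)["data"]
    csds = data.get("availableCsds", [])
    names = [c["csdName"] for c in csds]
    installed = {c["csdName"] for c in csds if c.get("isInstalled")}
    dupes = {n: [c["source"] for c in csds if c["csdName"] == n]
             for n, k in Counter(names).items() if k > 1}
    return {
        "missing": sorted(EXPECTED - installed),
        "duplicates": dupes,
        "invalid": sorted(data.get("invalidCsds", {})),
        "keytrustee_entries": sorted(n for n in names if "KEYTRUSTEE" in n),
    }


if __name__ == "__main__":
    print(json.dumps(check_csd_list(SAMPLE), indent=2))
```

A non-empty "duplicates" entry points at the extra jar to remove before restarting CM; a non-empty "missing" list means the CSD itself is not installed, which is a different problem than the licensing one discussed later in the thread.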

Forgot to mention, you also need a license to use any of the Key Trustee stuff. What license do you have?

Java Keystore KMS does not require any license.

Contributor

This is what came back from the URI stem:

{"message":"OK","data":{"externalRootPath":"/opt/cloudera/csd","internalRootPath":"/usr/share/cmf/csd","availableCsds":[
  {"csdName":"ACCUMULO-5.5.0","serviceType":"ACCUMULO","source":"/usr/share/cmf/csd/ACCUMULO-5.5.0.jar","isInstalled":true},
  {"csdName":"ACCUMULO16-5.5.0","serviceType":"ACCUMULO16","source":"/usr/share/cmf/csd/ACCUMULO16-5.5.0.jar","isInstalled":true},
  {"csdName":"HIVE-5.5.0","serviceType":"HIVE","source":"/usr/share/cmf/csd/HIVE-5.5.0.jar","isInstalled":true},
  {"csdName":"HUE-5.5.0","serviceType":"HUE","source":"/usr/share/cmf/csd/HUE-5.5.0.jar","isInstalled":true},
  {"csdName":"ISILON-5.5.0","serviceType":"ISILON","source":"/usr/share/cmf/csd/ISILON-5.5.0.jar","isInstalled":true},
  {"csdName":"KAFKA-5.5.0","serviceType":"KAFKA","source":"/usr/share/cmf/csd/KAFKA-5.5.0.jar","isInstalled":true},
  {"csdName":"KEYTRUSTEE-5.5.0","serviceType":"KEYTRUSTEE","source":"/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar","isInstalled":true},
  {"csdName":"KEYTRUSTEE_SERVER-5.5.0","serviceType":"KEYTRUSTEE_SERVER","source":"/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar","isInstalled":true},
  {"csdName":"KMS-5.5.0","serviceType":"KMS","source":"/usr/share/cmf/csd/KMS-5.5.0.jar","isInstalled":true},
  {"csdName":"SPARK-5.5.0","serviceType":"SPARK","source":"/usr/share/cmf/csd/SPARK-5.5.0.jar","isInstalled":true},
  {"csdName":"SPARK_ON_YARN-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN-5.5.0.jar","isInstalled":true},
  {"csdName":"SPARK_ON_YARN53-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN53-5.5.0.jar","isInstalled":true},
  {"csdName":"SPARK_ON_YARN54-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN54-5.5.0.jar","isInstalled":true},
  {"csdName":"SQOOP_CLIENT-5.5.0","serviceType":"SQOOP_CLIENT","source":"/usr/share/cmf/csd/SQOOP_CLIENT-5.5.0.jar","isInstalled":true}
],"placeholderHandlers":[],"invalidCsds":{},"repoEnabled":true}}

Looks like Key Trustee KMS is installed correctly. How about your license?

Contributor

We are licenced for 5.4.3 KTS which worked with KMS 5.4.3.  Has the licensing changed?  Btw this cluster is using Trial Data Hub Licence, does that make a difference?
