
CDH 5.5 KeyTrustee KMS 5.5 No Longer on Add Service List

Contributor

Just upgraded one of our lab clusters to CDH 5.5 and it failed on starting KMS 5.4.3 against KTS 5.4.3, which stopped the upgrade. So I removed KMS and started the upgrade again. This went through cleanly. I noticed that there is a KEYTRUSTEE 5.5, so I downloaded and activated it. But I cannot add it as a Service, as it does not appear on the Add Service list. The Java Keystore KMS still appears.


Hi Shailesh,

Are you logged in as a user with role "Cluster Administrator"?

In CM5.5, we restrict access to all HDFS encryption configuration features including adding KMS (either kind) to the newly created "Key Administrator" role. Full admins will also have access (since they can access everything). Cluster admins will not. This change was made to meet security requirements / best practices around "separation of duties".

There's also a new wizard to enable HDFS Encryption, which I highly suggest using. Please find documentation here:
http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/sg_hdfs_encryption_...

Thanks,
Darren

Contributor

I am using the Full Administrator admin which was created when the cluster was initially created.  Just checked the Role and it says Full Administrator.  I'll take a look at the new HDFS Data Encryption wizard as well.

Contributor

I also created a new account with Full Administrator and Key Administrator privileges.  None of these display the KEYTRUSTEE KMS Service.  Also tried the wizard and it does not allow the selection of Cloudera Navigator Key Trustee Server radio button.  Any ideas?

That's unexpected then. I see it on our 5.5 clusters in the Add Service Wizard options for a full admin user.

Can you check this endpoint and see if you have a Key Trustee KMS CSD installed:
<host>:7180/cmf/csd/list

You should see an entry in the JSON under "availableCsds" saying:
"csdName": "KEYTRUSTEE-5.5.0"

The only other entry with "KEYTRUSTEE" in the name should be "KEYTRUSTEE_SERVER-5.5.0".

If you've got an extra copy of the CSD lying around, you should remove it (it's probably in /opt/cloudera/csds on the CM server host) and restart CM.

To be extra safe, you may want to back up anything in /var/lib/ that has "keytrustee" or "kms" in it, just to ensure you don't lose your Key Trustee KMS encryption keys, which would cause you to lose all of your encrypted data.

Thanks,
Darren
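A small script, added here and not part of the thread or of Cloudera Manager, that applies the check described above to a saved /cmf/csd/list response body: it confirms the KEYTRUSTEE-5.5.0 CSD is present and installed, flags more than one CSD for the same Key Trustee service type, and lists any copies living under externalRootPath (the /opt/cloudera/csd directory an admin would clean up). The JSON samples are constructed in the shape of the response quoted later in this thread; the stray KEYTRUSTEE-5.4.3 entry is invented to show the duplicate case.

```python
import json
from collections import Counter

# Constructed sample in the shape of the /cmf/csd/list response quoted in this
# thread, trimmed to the entries that matter for this check.
SAMPLE_OK = json.dumps({"message": "OK", "data": {
    "externalRootPath": "/opt/cloudera/csd",
    "internalRootPath": "/usr/share/cmf/csd",
    "availableCsds": [
        {"csdName": "KEYTRUSTEE-5.5.0", "serviceType": "KEYTRUSTEE",
         "source": "/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar", "isInstalled": True},
        {"csdName": "KEYTRUSTEE_SERVER-5.5.0", "serviceType": "KEYTRUSTEE_SERVER",
         "source": "/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar", "isInstalled": True},
        {"csdName": "KMS-5.5.0", "serviceType": "KMS",
         "source": "/usr/share/cmf/csd/KMS-5.5.0.jar", "isInstalled": True}],
    "placeholderHandlers": [], "invalidCsds": {}, "repoEnabled": True}})

# Constructed variant (hypothetical entry): a leftover copy of an older Key Trustee
# KMS CSD sitting in the external CSD directory, the situation the reply above describes.
STRAY = json.loads(SAMPLE_OK)
STRAY["data"]["availableCsds"].append(
    {"csdName": "KEYTRUSTEE-5.4.3", "serviceType": "KEYTRUSTEE",
     "source": "/opt/cloudera/csd/KEYTRUSTEE-5.4.3.jar", "isInstalled": True})
SAMPLE_STRAY = json.dumps(STRAY)


def check_keytrustee_csds(response_text):
    """Summarise the Key Trustee CSD state from a /cmf/csd/list response body."""
    data = json.loads(response_text)["data"]
    csds = data["availableCsds"]
    kt = [c for c in csds if "KEYTRUSTEE" in c["csdName"]]
    per_type = Counter(c["serviceType"] for c in kt)
    return {
        # the expected Key Trustee KMS CSD is present and installed
        "kms_csd_installed": any(c["csdName"] == "KEYTRUSTEE-5.5.0"
                                 and c["isInstalled"] for c in csds),
        "keytrustee_csds": sorted(c["csdName"] for c in kt),
        # more than one CSD for the same service type means a leftover copy
        "duplicate_types": sorted(t for t, n in per_type.items() if n > 1),
        # copies under externalRootPath are the ones an admin can remove
        "external_copies": sorted(c["source"] for c in kt
                                  if c["source"].startswith(data["externalRootPath"])),
        "invalid_csds": sorted(data["invalidCsds"]),
    }


if __name__ == "__main__":
    for label, body in (("clean", SAMPLE_OK), ("stray copy", SAMPLE_STRAY)):
        print(label, json.dumps(check_keytrustee_csds(body), indent=2))
```

To run it against a real cluster, save the endpoint's JSON to a file and pass its contents to check_keytrustee_csds; back up /var/lib entries containing "keytrustee" or "kms" before removing any CSD, as the reply above advises.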

Forgot to mention, you also need a license to use any of the Key Trustee stuff. What license do you have?

Java Keystore KMS does not require any license.

Contributor

This is what came back from the URI stem:
{"message":"OK","data":{"externalRootPath":"/opt/cloudera/csd","internalRootPath":"/usr/share/cmf/csd","availableCsds":[{"csdName":"ACCUMULO-5.5.0","serviceType":"ACCUMULO","source":"/usr/share/cmf/csd/ACCUMULO-5.5.0.jar","isInstalled":true},{"csdName":"ACCUMULO16-5.5.0","serviceType":"ACCUMULO16","source":"/usr/share/cmf/csd/ACCUMULO16-5.5.0.jar","isInstalled":true},{"csdName":"HIVE-5.5.0","serviceType":"HIVE","source":"/usr/share/cmf/csd/HIVE-5.5.0.jar","isInstalled":true},{"csdName":"HUE-5.5.0","serviceType":"HUE","source":"/usr/share/cmf/csd/HUE-5.5.0.jar","isInstalled":true},{"csdName":"ISILON-5.5.0","serviceType":"ISILON","source":"/usr/share/cmf/csd/ISILON-5.5.0.jar","isInstalled":true},{"csdName":"KAFKA-5.5.0","serviceType":"KAFKA","source":"/usr/share/cmf/csd/KAFKA-5.5.0.jar","isInstalled":true},{"csdName":"KEYTRUSTEE-5.5.0","serviceType":"KEYTRUSTEE","source":"/usr/share/cmf/csd/KEYTRUSTEE-5.5.0.jar","isInstalled":true},{"csdName":"KEYTRUSTEE_SERVER-5.5.0","serviceType":"KEYTRUSTEE_SERVER","source":"/usr/share/cmf/csd/KEYTRUSTEE_SERVER-5.5.0.jar","isInstalled":true},{"csdName":"KMS-5.5.0","serviceType":"KMS","source":"/usr/share/cmf/csd/KMS-5.5.0.jar","isInstalled":true},{"csdName":"SPARK-5.5.0","serviceType":"SPARK","source":"/usr/share/cmf/csd/SPARK-5.5.0.jar","isInstalled":true},{"csdName":"SPARK_ON_YARN-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN-5.5.0.jar","isInstalled":true},{"csdName":"SPARK_ON_YARN53-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN53-5.5.0.jar","isInstalled":true},{"csdName":"SPARK_ON_YARN54-5.5.0","serviceType":"SPARK_ON_YARN","source":"/usr/share/cmf/csd/SPARK_ON_YARN54-5.5.0.jar","isInstalled":true},{"csdName":"SQOOP_CLIENT-5.5.0","serviceType":"SQOOP_CLIENT","source":"/usr/share/cmf/csd/SQOOP_CLIENT-5.5.0.jar","isInstalled":true}],"placeholderHandlers":[],"invalidCsds":{},"repoEnabled":true}}

Looks like Key Trustee KMS is installed correctly. How about your license?

Contributor

We are licensed for 5.4.3 KTS, which worked with KMS 5.4.3. Has the licensing changed? BTW, this cluster is using a Trial Data Hub licence; does that make a difference?

Hi Shailesh,

We don't permit the Key Trustee stuff in trial anymore for 5.5 since we didn't want people to see an option for which they can't install the bits. Key Trustee Server bits aren't publicly available.

You seem to be in a special situation where you actually do have a license to use Key Trustee Server, but your CM doesn't have an enterprise license installed. Please work with your account team to get this license for CM, which should be included with any Cloudera subscription.

Thanks,
Darren