
Do we need Cloudera Navigator to Install KMS and KTS?


Explorer

We are planning to install KMS and KTS, but do we need Cloudera Navigator to install KMS and KTS? If it is not required, then how do we install it without Cloudera Navigator?


Re: Do we need Cloudera Navigator to Install KMS and KTS?

Expert Contributor

@Mondi 

 

You do not need to install Cloudera Navigator for KMS and KTS.

Refer to: https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_prereqs.html#concept_g23_...

 

Please refer to the documents below for the requirements for encrypting data at rest and for installing KMS and KTS. You must install Key Trustee Server before installing and using Key Trustee KMS.

 

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_planning.html#concept_c4m...

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/key_trustee_install.html#xd_583c10bf...

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_ig_install_keytrustee.html#xd_583...

 

Hope this helps,
Paras

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Explorer

Hi @paras, do I need to install this first? How can I know if I have already installed Key Trustee Server?

 

Screen Shot 2020-08-10 at 9.38.15 AM.png


Re: Do we need Cloudera Navigator to Install KMS and KTS?

Expert Contributor

@Mondi 

 

Cloudera provides two implementations of the Hadoop KMS. Refer to the document below for more details.

https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms.html

You need to install Key Trustee KMS only when using KTS as the backing keystore instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

 

There should be a separate cluster for Key Trustee Server. This would be mentioned as one of the steps when you enable HDFS encryption via the wizard.

 

Refer to the document below:

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/sg_hdfs_encryption_wizard.html#conce...

 

Hope this helps,
Paras

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Explorer

Hi @paras 

 

Thanks for replying. If my understanding is correct, you mean that my KMS or KTS server must be in a different cluster? The server must not be registered on the same cluster?

Also, do we need SSL for the KMS? We are planning to install the default Hadoop KMS Java Keystore KMS.


Re: Do we need Cloudera Navigator to Install KMS and KTS?

Expert Contributor

@Mondi 

 

The KMS service should be installed on your CDH cluster. Before installing KMS, you should have a dedicated cluster, added using the Cloudera Manager Add Cluster option, which has the KTS service roles installed.

 

If you are installing the default Hadoop KMS Java Keystore KMS, the above can be ignored, since the default Hadoop KMS included in CDH uses a file-based Java KeyStore (JKS) for its backing keystore. You can simply add the service from Cloudera Manager.

Cloudera strongly recommends that you enable TLS for both the HDFS and the Key Trustee KMS services to prevent the passage of plain text key material between the KMS and HDFS data nodes.

 

Refer to the document below:

https://docs.cloudera.com/documentation/enterprise/latest/topics/sg_hdfs_encryption_wizard.html#conc...

 

Hope this helps,
Paras

Re: Do we need Cloudera Navigator to Install KMS and KTS?

Explorer

Thanks for your answer. @paras, one more thing: does Java Keystore KMS require SSL? Can I do encryption without SSL using Java Keystore KMS?


Re: Do we need Cloudera Navigator to Install KMS and KTS?

Expert Contributor

@Mondi 

 

It is not compulsory to enable SSL, but it is recommended to prevent the passage of plain text key material between the KMS and HDFS data nodes.

You can continue to install Java Keystore KMS without adding SSL configurations.

 

Hope this helps,
Paras
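The replies above say TLS for the KMS is optional but recommended. The following check is an added example, not part of the thread or of Cloudera's tooling: it reads a Hadoop site configuration and reports whether each KMS provider URI uses `http` (key material in plain text on the wire) or `https`. The sample configuration, host names and port are constructed for illustration, and it assumes the provider URI is set through the standard Hadoop properties named in the code.

```python
import re
import xml.etree.ElementTree as ET

# Properties HDFS clients use to locate the KMS (current name, then the older one).
PROVIDER_KEYS = ("hadoop.security.key.provider.path",
                 "dfs.encryption.key.provider.uri")

# kms://<http|https>@<host>[;<host>...]:<port>/<path>
KMS_URI = re.compile(r"^kms://(?P<scheme>https?)@(?P<hosts>[^:/]+):(?P<port>\d+)/")

# Constructed sample; host names are placeholders, not taken from the thread.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.key.provider.path</name>
    <value>kms://http@kms01.example.com;kms02.example.com:16000/kms</value>
  </property>
</configuration>"""

def read_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_kms_transport(xml_text):
    """Return (property, uri, status, hosts) for each configured KMS URI."""
    findings = []
    props = read_properties(xml_text)
    for key in PROVIDER_KEYS:
        for uri in filter(None, (u.strip() for u in props.get(key, "").split(","))):
            match = KMS_URI.match(uri)
            if match is None:
                findings.append((key, uri, "unparsed", []))
                continue
            status = "tls" if match.group("scheme") == "https" else "plaintext"
            findings.append((key, uri, status, match.group("hosts").split(";")))
    return findings

if __name__ == "__main__":
    for key, uri, status, hosts in audit_kms_transport(SAMPLE_CORE_SITE):
        print(f"{status:9} {key} -> {', '.join(hosts) or uri}")
```

A `plaintext` finding means clients reach the KMS over HTTP; after TLS is enabled for the KMS, the same property should carry `kms://https@...`.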
