Support Questions

Find answers, ask questions, and share your expertise

Do we need Cloudera Navigator to Install KMS and KTS?

avatar
Rising Star

We are planning to install KMS and KTS but do we need Cloudera Navigator to Install KMS and KTS? if not required, then how to install it without Cloudera Navigator?

2 ACCEPTED SOLUTIONS

avatar
Master Collaborator

@Mondi 

 

KMS service should be installed on your CDH cluster. Before installing KMS, you should have a dedicated cluster added using the Cloudera manager Add Cluster option which has the KTS service roles installed.

 

If you are installing default Hadoop KMS Java Keystore KMS, the above can be ignored since the default Hadoop KMS included in CDH uses a file-based Java KeyStore (JKS) for its backing keystore. You can simply add the service from Cloudera Manager. 

Cloudera strongly recommends that you enable TLS for both the HDFS and the Key Trustee KMS services to prevent the passage of plain text key material between the KMS and HDFS data nodes.

 

Refer below document 

https://docs.cloudera.com/documentation/enterprise/latest/topics/sg_hdfs_encryption_wizard.html#conc...

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

avatar
Master Collaborator

@Mondi 

 

It is not compulsory to enable SSL but recommended to prevent the passage of plain text key material between the KMS and HDFS data nodes.

You can continue to install Java Keystore KMS without adding SSL configurations.

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

7 REPLIES 7

avatar
Master Collaborator

@Mondi 

 

You do not need to install Cloudera Navigator for KMS and KTS.

Refer : https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_prereqs.html#concept_g23_...

 

Please refer below documents for encrypting data at rest requirement and installing KMS and KTS. You must install Key Trustee Server before installing and using Key Trustee KMS.

 

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/encryption_planning.html#concept_c4m...

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/key_trustee_install.html#xd_583c10bf...

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_ig_install_keytrustee.html#xd_583...

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

Hi @paras , do I need to install this first? how can I know if I have already installed key trustee server?

 

Screen Shot 2020-08-10 at 9.38.15 AM.png

avatar
Master Collaborator

@Mondi 

 

Cloudera provides two implementations of the Hadoop KMS. Refer below document for more details.

https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms.html

You need to install Key Trustee KMS only when using KTS as backing keystore instead of the file-based Java KeyStore (JKS) used by the default Hadoop KMS.

 

There should be a separate cluster for keytrustee server. This would be mentioned as one of the steps when you enable HDFS encryption via the wizard.

 

Refer below document

https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/sg_hdfs_encryption_wizard.html#conce...

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

Hi @paras 

 

thanks for replying. if my understanding is correct, you mean that my KMS or KTS server must be in a different cluster? the server must no be registered on the same cluster?

Also do we need SSL for the KMS? we are planning to install the default Hadoop KMS Java Keystore KMS.

avatar
Master Collaborator

@Mondi 

 

KMS service should be installed on your CDH cluster. Before installing KMS, you should have a dedicated cluster added using the Cloudera manager Add Cluster option which has the KTS service roles installed.

 

If you are installing default Hadoop KMS Java Keystore KMS, the above can be ignored since the default Hadoop KMS included in CDH uses a file-based Java KeyStore (JKS) for its backing keystore. You can simply add the service from Cloudera Manager. 

Cloudera strongly recommends that you enable TLS for both the HDFS and the Key Trustee KMS services to prevent the passage of plain text key material between the KMS and HDFS data nodes.

 

Refer below document 

https://docs.cloudera.com/documentation/enterprise/latest/topics/sg_hdfs_encryption_wizard.html#conc...

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

avatar
Rising Star

Thanks for your answer. @paras one more thing, Java Keystore KMS requires SSL? can I do encryption without an SSL using Java Keystore KMS?

avatar
Master Collaborator

@Mondi 

 

It is not compulsory to enable SSL but recommended to prevent the passage of plain text key material between the KMS and HDFS data nodes.

You can continue to install Java Keystore KMS without adding SSL configurations.

 

Hope this helps,
Paras
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.