KMS throws exceptions

New Contributor

Hi,

My cluster is Kerberized with KMS. When I execute the following command I am getting the below error. Could anyone help me with this ASAP?

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname>@0/_eek?ee_op=decrypt

{ "RemoteException" : { "message" : null, "exception" : "WebApplicationException", "javaClassName" : "javax.ws.rs.WebApplicationException" }

In the kms-audit.log I see the following error, "ErrorMsg:'Authentication required'", saying that authentication is required.

I specified --negotiate option and -u option as well.

But the below command is working

curl --negotiate -u : -X GET http://<clustername>:9292/kms/v1/keyversion/<keyname>@0

{ "name" : "<keyname", "versionName" : "<keyname>@0", "material" : "<some value>" }

The user with which the command is being executed has a valid Kerberos ticket, and decrypt permissions are also set with the Ranger KMS web UI.

1 ACCEPTED SOLUTION

Re: KMS throws exceptions

Guru

Hello @mravipati,

In order to decrypt an EEK, first you'll need to generate one. Here's what is working for me:

1. Generate EEK

# curl --negotiate -u : -iv -X GET  "http://<kms-host-fqdn>:9292/kms/v1/key/hr1-ez-key/_eek?eek_op=generate&num_keys=1"

2. Store the EEK data into a json:

# cat eek.json
{
  "name" : "hr1-ez-key",
  "iv" : "38Eb8nTxxxxxUG7Rc6_wrA",
  "material" : "K8Q0bv8Hxxxxxxn9ByVnT-xxx-Bmwxxxxxy1buCk"
}

3. Call decrypt EEK while passing above EEK data:

# curl --negotiate -u : -iv -X POST -H "Content-Type: application/json" -d @./eek.json  "http://<kms-host-fqdn>:9292/kms/v1/keyversion/hr1-ez-key@0/_eek?eek_op=decrypt"

Please note the change in REST URL and keyname while making decrypt request.

The error you are getting is because you are trying to do a GET request on a URL which is expecting a POST request.

Hope this helps!
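
How the fields of a generate response map onto the eek.json body and decrypt URL of steps 2 and 3, as an added example that is not part of the original answer. It assumes the generate response layout given in the Hadoop KMS REST documentation (a JSON array whose entries carry versionName, iv and encryptedKeyVersion.material); the helper name, the host kms.example.internal and the sample values are hypothetical.

```python
import json
from urllib.parse import quote

# Constructed generate response; iv and material are placeholders, not key material.
SAMPLE_GENERATE_RESPONSE = """
[
  {
    "versionName": "hr1-ez-key@0",
    "iv": "AAAAAAAAAAAAAAAAAAAAAA",
    "encryptedKeyVersion": {
      "versionName": "EEK",
      "material": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    }
  }
]
"""


def build_decrypt_request(kms_base, key_name, generate_response, index=0):
    """Map one EEK from a generate response onto the decrypt call (hypothetical helper)."""
    entries = json.loads(generate_response)
    if not isinstance(entries, list) or not entries:
        raise ValueError("generate response contains no EEK entries")
    eek = entries[index]
    version = eek["versionName"]  # e.g. hr1-ez-key@0: the key version that wrapped the EEK
    if version.rsplit("@", 1)[0] != key_name:
        raise ValueError(f"EEK was wrapped by {version!r}, not a version of {key_name!r}")
    return {
        # decrypt is a POST; the EEK travels in the JSON body, not the query string
        "method": "POST",
        "url": f"{kms_base.rstrip('/')}/kms/v1/keyversion/"
               f"{quote(version, safe='@')}/_eek?eek_op=decrypt",
        "headers": {"Content-Type": "application/json"},
        # this dict is what step 2 saves as eek.json
        "body": {
            "name": key_name,
            "iv": eek["iv"],
            "material": eek["encryptedKeyVersion"]["material"],
        },
    }


if __name__ == "__main__":
    req = build_decrypt_request("http://kms.example.internal:9292", "hr1-ez-key",
                                SAMPLE_GENERATE_RESPONSE)
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
```

The request still has to be sent by a SPNEGO-capable client, such as the curl --negotiate call in step 3.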
