Note: The steps below apply to Ranger version 0.5.0 installed using Ambari.
For any setup or execution of Ranger KMS with an HSM, check that the “java.security” file includes “LunaProvider” in the provider list and that the Luna property “createExtractableKeys” is set to true, as mentioned in Step 1.12. A separate partition is also needed for each KMS cluster.
Extract the Ranger KMS tar
Install Ranger-kms with appropriate property values
Go to the ranger-kms folder and edit install.properties (enter appropriate values for the properties listed below):
db_root_user=
db_root_password=
db_host=
db_name=
db_user=
db_password=
HSM_TYPE=LunaProvider
HSM_ENABLED=
HSM_PARTITION_NAME=
HSM_PARTITION_PASSWORD=
KMS_MASTER_KEY_PASSWD=
POLICY_MGR_URL=
REPOSITORY_NAME=
XAAUDIT.DB.IS_ENABLED=
XAAUDIT.DB.FLAVOUR=
XAAUDIT.DB.HOSTNAME=
XAAUDIT.DB.DATABASE_NAME=
XAAUDIT.DB.USER_NAME=
XAAUDIT.DB.PASSWORD=
Edit “hdfs-site.xml”
Go to path: /usr/hdp/<version>/hadoop/conf/
vim hdfs-site.xml
For the property “dfs.encryption.key.provider.uri”, enter the value “kms://http@<ranger_kms host name>:9292/kms”
Edit “core-site.xml”:
Perform following steps:
Go to path: /usr/hdp/<version>/hadoop/conf/
vim core-site.xml
For the property “hadoop.security.key.provider.path”, enter the value “kms://http@<ranger_kms host name>:9292/kms”
Restart the NameNode:
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh stop namenode"
su -l hdfs -c "/usr/hdp/<version>/hadoop/sbin/hadoop-daemon.sh start namenode"
Run the setup with the command: ./setup.sh
Start the KMS server with the command: ranger-kms start
Two approaches are possible:
Add Ranger KMS Service
While configuring the service, add the HSM-related properties in the “custom dbks-site” accordion:
ranger.ks.hsm.enabled=true
ranger.ks.hsm.partition.name=<Partition Name>
ranger.ks.hsm.partition.password=_
ranger.ks.hsm.partition.password.alias=ranger.kms.hsm.partition.password
ranger.ks.hsm.type=LunaProvider
Click Next and follow the instructions to install Ranger KMS. (Note: Ranger KMS will fail to start at this point.)
Execute the command below on the host where Ranger KMS is installed:
python /usr/hdp/current/ranger-kms/ranger_credential_helper.py -l "/usr/hdp/current/ranger-kms/cred/lib/*" -f /etc/ranger/kms/rangerkms.jceks -k ranger.kms.hsm.partition.password -v <Partition_Password> -c 1
Restart the KMS from Ambari
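A pre-flight check for the two things that most often break this setup: the java.security prerequisites from Step 1.12 and the custom dbks-site properties above (in particular, that the partition password is stored only under the jceks alias and not as a literal in the site file). This is an added example, not Ranger's own code; the sample file contents are constructed, and the property names are the ones used in the steps on this page.

```python
# Added example (not Ranger's own code). Sample file contents below are constructed.

def parse_properties(text):
    """Parse 'key=value' lines (java.security and dbks-site style); skip comments/blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_java_security(text):
    """Step 1.12 preconditions: LunaProvider registered and createExtractableKeys=true."""
    props = parse_properties(text)
    findings = []
    providers = [v for k, v in props.items() if k.startswith("security.provider.")]
    if not any("LunaProvider" in v for v in providers):
        findings.append("java.security: LunaProvider is not in the security.provider list")
    extractable = [v.lower() for k, v in props.items() if k.endswith("createExtractableKeys")]
    if "true" not in extractable:
        findings.append("java.security: createExtractableKeys is not set to true")
    return findings

def check_dbks_site(text):
    """Check the Ambari 'custom dbks-site' HSM properties from the steps above."""
    p = parse_properties(text)
    findings = []
    if p.get("ranger.ks.hsm.enabled", "").lower() != "true":
        findings.append("dbks-site: ranger.ks.hsm.enabled must be true")
    if p.get("ranger.ks.hsm.type") != "LunaProvider":
        findings.append("dbks-site: ranger.ks.hsm.type must be LunaProvider")
    if not p.get("ranger.ks.hsm.partition.name"):
        findings.append("dbks-site: ranger.ks.hsm.partition.name is empty")
    # '_' marks the value as stored in the jceks credential store under the alias, so a
    # literal value here is both a misconfiguration and a secret sitting in a site file.
    if p.get("ranger.ks.hsm.partition.password") != "_":
        findings.append("dbks-site: ranger.ks.hsm.partition.password should be '_'")
    if p.get("ranger.ks.hsm.partition.password.alias") != "ranger.kms.hsm.partition.password":
        findings.append("dbks-site: alias must be ranger.kms.hsm.partition.password")
    return findings

JAVA_SECURITY_OK = ("security.provider.1=sun.security.provider.Sun\n"
                    "security.provider.2=com.safenetinc.luna.provider.LunaProvider\n"
                    "com.safenetinc.luna.provider.createExtractableKeys=true\n")
DBKS_SITE_BAD = ("ranger.ks.hsm.enabled=true\nranger.ks.hsm.type=LunaProvider\n"
                 "ranger.ks.hsm.partition.name=kmspart1\nranger.ks.hsm.partition.password=hunter2\n"
                 "ranger.ks.hsm.partition.password.alias=hsm.pwd\n")
```

Run it against the real files before clicking Next; an empty findings list for both means the KMS start failure you see is not caused by these settings.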
For this section you need at least two Luna SA appliances, either both with PED authentication or both with password authentication.
Set up Appliances for HA
Register Clients with Luna SA HA
Create the HA Group
Note: Follow the steps appropriate to your client version to form the HSM HA group.
Client software for HSM Version 6:
Client software for HSM Version 5:
After creating partitions on (at least) two Luna appliances, and setting up NTLS between those partitions and your client, use LunaCM to configure HA on your client.