Hortonworks Data Platform
This guide outlines step-by-step instructions for seamlessly integrating Hortonworks Data Platform with a Luna HSM device or Luna Cloud HSM service. Hortonworks Data Platform offers several key benefits for organizations, including robust data management, scalability, and real-time analytics capabilities. It enables businesses to efficiently store, process, and analyze vast amounts of data, fostering data-driven decision-making and insights that drive innovation and competitiveness.
The key benefits of this integration are:
- Secure generation, storage, and protection of the Ranger KMS master key using either FIPS 140-2 or FIPS 140-3 Level 3 validated hardware.
- Full life cycle management of the keys to ensure their integrity and reliability throughout their usage.
- Maintenance of a comprehensive HSM audit trail for transparency and accountability in key operations. Note that this secure audit trail is not available with the Luna Cloud HSM service.
- Significant performance enhancements by offloading cryptographic operations from application servers.
Supported Platforms
This integration has been tested and verified on the following platforms:
HSM Type | Platform Tested |
---|---|
Luna HSM | RHEL 7 |
Luna Cloud HSM | RHEL 7 |
This integration has been tested in both high availability (HA) and FIPS mode. Note, however, that Luna HSM firmware version 7.7.0 does not support FIPS mode.
Prerequisites
The prerequisites for this integration are:
Set up Luna HSM
As the first step to accomplish this integration, you need to set up either On-Premise Luna HSM or Luna Cloud HSM.
Set up On-Premise Luna HSM
Follow these steps to set up your on-premise Luna HSM:
Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.
Create a partition that will be later used by Hortonworks.
Create and exchange certificates between the Luna Network HSM and the client system, then register the client and assign the partition to it to establish an NTLS connection.
Initialize Crypto Officer and Crypto User roles for the registered partition.
Run the following command to verify that the partition has been successfully registered and configured:
/usr/safenet/lunaclient/bin/lunacm
Upon successful execution, you should observe an output similar to the example provided below:
lunacm.exe (64-bit) v10.3.0-275. Copyright (c) 2020 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              0
Label ->                Hortonworks
Serial Number ->        1238696044952
Model ->                LunaSA 7.4.0
Firmware Version ->     7.4.0
Configuration ->        Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->     Net Token Slot
FW HW Status ->         Non-FM
If you are using a PED-authenticated HSM, enable partition policies 22 and 23 to allow activation and auto-activation, so that the Ranger KMS service can open the partition without a PED present.
Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.
Managing User Access to Your HSM
Initially, only the root user can access the Hardware Security Module (HSM). However, you can grant access to specific non-root users by adding them to the hsmusers group. This group is created automatically when you install the client software. It remains intact even if you later uninstall the client software, so you can upgrade the software without losing your user access settings.
To add users to the hsmusers group
If you wish to permit non-root users or applications (for example, the account the Ranger KMS service runs as) to interact with the HSM device, you must assign these users to the hsmusers group. Make sure that the users you intend to add to the hsmusers group already exist on the client workstation. Only users in the hsmusers group are granted access to the HSM device. Follow these steps to add a user to the hsmusers group:
Ensure that you have sudo privileges on the client workstation.
Add the user to the hsmusers group using the command:
sudo gpasswd --add username hsmusers
Replace username with the actual username you want to include in the hsmusers group. The user must log in again for the new group membership to take effect.
To remove users from the hsmusers group
If you need to withdraw a user's authorization to access the HSM device, remove them from the hsmusers group. Carry out the following steps to remove a user from the hsmusers group:
Confirm that you have sudo privileges on the client workstation.
Remove the user from the hsmusers group using the command:
sudo gpasswd --delete username hsmusers
Replace username with the specific username you want to exclude from the hsmusers group. The change is only visible to sessions started after the user logs in again.
Any user you remove retains access to the HSM device in sessions that are already running until the client workstation is rebooted.
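As an added example (not from the Luna documentation), the following shell functions wrap the grant and revoke steps above with the checks a practitioner wants: that the account exists before it is added, and that membership is verified from the group database rather than from the current login session, which does not pick up group changes until the user logs in again. The hsmusers group name is the one the Luna client creates; the user names in the comments and the sample group line are assumptions.

```shell
#!/bin/sh
# Added example: grant, revoke and verify hsmusers membership.
# "hsmusers" is the group the Luna client creates; user names are assumed.

HSM_GROUP=hsmusers

# Extract the member list from a group database line
# (the format of `getent group hsmusers` is e.g. hsmusers:x:1001:ranger,kms).
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Return 0 when user $1 is in the comma-separated member list $2.
is_member() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Add an existing account to hsmusers (needs sudo). Refuses unknown users so
# a typo does not silently create a dangling group entry.
grant_hsm_access() {
    getent passwd "$1" >/dev/null || { echo "no such user: $1" >&2; return 1; }
    sudo gpasswd --add "$1" "$HSM_GROUP"
}

# Remove an account from hsmusers (needs sudo). Sessions that are already
# running keep their access until the client workstation is rebooted.
revoke_hsm_access() {
    sudo gpasswd --delete "$1" "$HSM_GROUP"
}

# Check membership from the group database, not from `id`, which only shows
# the groups the current login session started with.
verify_hsm_access() {
    line=$(getent group "$HSM_GROUP") ||
        { echo "$HSM_GROUP does not exist; is the Luna client installed?" >&2; return 2; }
    if is_member "$1" "$(group_members "$line")"; then
        echo "$1 is in $HSM_GROUP (new sessions see it after re-login)"
    else
        echo "$1 is not in $HSM_GROUP" >&2
        return 1
    fi
}
```

Source the file and call grant_hsm_access kms followed by verify_hsm_access kms (user name assumed); verify_hsm_access reports success immediately after the change, while id -nG run in the same session would still show the old group list.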
Set up Luna HSM High-Availability Group
Refer to the Luna HSM documentation for the steps to configure an HA group across two or more HSMs from the host system. Enable the HAOnly setting so that the application sees only the virtual HA slot; with HAOnly enabled, if the primary member goes down for any reason, all calls are routed automatically to the secondary member until the primary recovers and rejoins the group.
Set up Luna Cloud HSM
Follow these steps to set up your Luna Cloud HSM:
Transfer the downloaded .zip file to your client workstation using pscp, scp, or another secure means. This integration has been certified on the RHEL platform.
Extract the .zip file into a directory on your client workstation.
Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.
tar -xvf cvclient-min.tar
Run the setenv script to create a new configuration file containing the information required by the Luna Cloud HSM service:
source ./setenv
To add the configuration to an already installed Universal Client, use the -addcloudhsm option when running the setenv script.
Run the LunaCM utility and verify that the Cloud HSM service is listed.
If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.
Set up Hortonworks Data Platform
Follow these steps to set up Hortonworks Data Platform for integration with Luna HSM or Luna Cloud HSM service:
Configure Hostname: Set the hostname of your client machine to master.hadoop.com
using the following command:
hostnamectl set-hostname master.hadoop.com
Install HDP: For detailed installation instructions, please refer to the HDP Command Line Installation documentation.
Install Apache Ambari: You can find detailed installation instructions for Apache Ambari in the Apache Ambari Installation documentation.
Install HDFS and Ranger: Ranger Key Management Service (KMS) relies on HDFS and Ranger. Use Apache Ambari to install HDFS and Ranger on your system. Detailed installation procedures can be found in the HDFS Data at Rest Encryption documentation and Ranger Using Ambari documentation.
Luna Cloud HSM Service Settings: If you are using the Luna Cloud HSM service, add the following line to the ~/.bash_profile of the KMS user (the account the Ranger KMS service runs as), so that the Luna libraries load the Cloud HSM configuration:
export ChrystokiConfigurationPath=[DPOD client directory]
Replace [DPOD client directory] with the directory into which you extracted the Luna Cloud HSM client.
Configuring Hortonworks Data Platform with Luna HSM
Follow these steps to configure Luna HSM or Luna Cloud HSM with the Ranger Key Management Service:
Configure java.security file
To configure java.security file, follow these steps:
Modify the Java Security Configuration: Locate and open the java.security file in the [JDK_installation_directory]/jre/lib/security directory (this is the Java 8 layout; later JDKs have no jre/lib/ext extension directory) and set the provider list to the following. The stock file already contains a security.provider list, so edit that list rather than appending a second copy: each security.provider.N index must appear exactly once, and LunaProvider must be the last entry.
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=com.safenetinc.luna.provider.LunaProvider
Note that this list omits sun.security.ec.SunEC, which the stock Java 8 file includes; keep it in the list if anything on the host relies on software EC.
Save the changes to the java.security file.
Enable Secret Key Extraction: In the same java.security file, add the following line:
com.safenetinc.luna.provider.createExtractableKeys=true
This makes keys generated through LunaProvider extractable (wrappable) rather than bound to the HSM. Whether a wrapped copy can actually leave the partition is still governed by the partition's policies, so review those before relying on the HSM to keep key material in hardware.
Save the changes to the java.security file.
Copy Luna HSM Files: Copy libLunaAPI.so and LunaProvider.jar from the [Luna_installation_directory]/jsp/lib directory to the Java extension directory located under [JDK_installation_directory]/jre/lib/ext.
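As an added check (not part of the Luna or Hortonworks documentation), the following shell function validates an edited java.security file before Ranger KMS is started. It confirms that the security.provider.N indices form one contiguous sequence with no duplicates (the usual damage from appending the list above to a file that already has one), that LunaProvider is registered, and that the createExtractableKeys property is set. The JDK path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check a java.security file edited for LunaProvider.
# Usage: check_java_security /usr/java/jdk1.8.0/jre/lib/security/java.security
# (path assumed; point it at your JDK's jre/lib/security/java.security)

# Regex-escaped forms of the two settings this guide requires.
LUNA_PROVIDER_RE='com\.safenetinc\.luna\.provider\.LunaProvider'
EXTRACT_PROP_RE='com\.safenetinc\.luna\.provider\.createExtractableKeys=true'

# Print the security.provider.N indices found in the file, numerically sorted.
provider_indices() {
    grep -E '^[[:space:]]*security\.provider\.[0-9]+=' "$1" |
        sed -E 's/^[[:space:]]*security\.provider\.([0-9]+)=.*/\1/' |
        sort -n
}

# Return 0 when the indices are exactly 1..N (no gaps, no duplicates).
indices_contiguous() {
    expected=1
    for n in $(provider_indices "$1"); do
        [ "$n" -eq "$expected" ] || return 1
        expected=$((expected + 1))
    done
    [ "$expected" -gt 1 ]   # at least one provider must be present
}

# Full check; prints a diagnostic and returns non-zero on the first problem.
check_java_security() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    indices_contiguous "$f" ||
        { echo "security.provider indices are not contiguous (gap or duplicate): $(provider_indices "$f" | tr '\n' ' ')" >&2; return 1; }
    grep -Eq "^[[:space:]]*security\.provider\.[0-9]+=${LUNA_PROVIDER_RE}[[:space:]]*$" "$f" ||
        { echo "LunaProvider is not registered in $f" >&2; return 1; }
    grep -Eq "^[[:space:]]*${EXTRACT_PROP_RE}[[:space:]]*$" "$f" ||
        { echo "createExtractableKeys=true is not set in $f" >&2; return 1; }
    echo "ok: $(provider_indices "$f" | wc -l | tr -d ' ') providers, LunaProvider registered"
}
```

A duplicated index is the case worth catching: Java resolves providers by their number, and a file that lists security.provider.9 twice does not reliably load the LunaProvider entry that Ranger KMS expects.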
Configure Ranger KMS
To configure Ranger KMS, follow these steps:
Log in as an admin on the Ambari Web UI using the URL http://[IP-Address]:8080.
Navigate to the Services section and click Add Service. This action will open the Add Service wizard.
From the list of available services, choose Ranger KMS and click Next.
Choose the host where you want Ranger KMS to operate and proceed by clicking Next.
In the Customize Services section, configure the required settings as follows.
Select MySQL as the Ranger KMS DB Flavor.
Enter the hostname of the database machine (for example, master.hadoop.com) under Ranger KMS DB Host.
Specify the location of mysql-connector-java.jar for the SQL connector jar.
Enter the Ranger KMS DB name, Ranger KMS DB username, and Ranger KMS DB password.
Toggle the options for Setup Database and Database User to Yes.
In the Ranger KMS Root DB section, provide the root password of the database in the Database Administrator (DBA) password field.
Click Test Connection. A successful connection will be indicated by Connection OK.
Define and confirm the KMS master key password.
In the KMS-HSM section, switch HSM Enabled to Yes.
Under Configuration Settings, specify the particulars of the Luna HSM or Luna Cloud HSM service.
From the HSM Type drop-down menu, select Luna Provider.
Provide the HSM partition name and the partition password (the Crypto Officer password for that partition). Ambari stores these as the ranger.ks.hsm.* properties of the Ranger KMS dbks-site configuration, so restrict who can read that configuration.
Click Next to move forward.
In the Review pane, double-check all settings, and then click Deploy. Monitor the installation, startup, and testing of the service.
Once the service successfully installs and starts, click Next. The Summary screen will display the results. Select Complete.
Restart the HDFS, Ranger, and Ranger KMS services. The master key is generated in the HSM partition. To verify that it exists, open lunacm, log in to the partition as Crypto Officer (role login -name co) and run partition contents; the master key object should be listed.
This marks the completion of the integration of Hortonworks Data Platform with Luna HSM or Luna Cloud HSM service.