Enabling the External Key Store (KMIP) Feature

Enabling an external key store requires performing certain steps after installing data-fabric packages but before running configure.sh.

This page describes how to enable an external key store in the context of a manual installation of the HPE Ezmeral Data Fabric. If you do not need to enable an external key store, you may ignore this topic and proceed to Enabling Security.

Steps for Enabling an External Key Store

To enable the external key store (KMIP) feature, perform these steps:
  1. Make sure that you have performed the following manual-installation steps:
  2. Complete the vendor-specific HSM configuration (this can also be done before step 1). For more information, see Integration Guides.
  3. Prepare the /opt/mapr/server/configure.sh command that you will run as part of Enabling Security. To enable the external key store, the command needs to include certain -hsm parameters. For more information about these parameters, see the "HSM Parameters" section in configure.sh. For an example, see Example of configure.sh Command for Secure Cluster with DARE and KMIP Enabled later on this page.

    The -hsm parameters you specify are passed to the configure.sh script, which sets up the filesystem to use the HSM and verifies connectivity. Note that when it is used in this way, the configure.sh script acts as a front end to the various options in the mrhsm utility described in mrhsm Commands.

  4. Perform the steps in the "Basic Procedure" for Enabling Security using the configure.sh command that you created in step 3.

    At the end of the configure.sh script, if the configuration is correct, the HSM should be up and running. To check the HSM status, use the mrhsm info command.

  5. In addition to copying various keystore and truststore files to all nodes in the cluster, as described in Enabling Security, for KMIP you must copy the contents of the ${MAPR_HOME}/conf/tokens directory to all CLDB and ZooKeeper nodes in the cluster. Ensure that all the files in the ${MAPR_HOME}/conf/tokens directory are owned by the mapr user and mapr group.
  6. Proceed to Configuring Storage, and complete the remaining manual-installation steps.
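The ownership requirement in step 5 is easy to get wrong when the tokens directory is copied by hand, and a CLDB or ZooKeeper node that cannot read its token files will fail at startup. The following POSIX shell script is an added example, not part of the HPE documentation or the data-fabric packages: it checks every file in ${MAPR_HOME}/conf/tokens (including dot-files) against an expected owner and group and reports any mismatch, and it provides a helper that pushes the directory to a list of nodes and fixes ownership there. It assumes GNU/BusyBox stat with the -c format, that MAPR_HOME defaults to /opt/mapr, and, for the push helper only, that scp and ssh are available and can reach each node as a user permitted to run chown; the node list and the "mapr" user and group are the values the page names, not something the script discovers.

```shell
#!/bin/sh
# Added example (not from the HPE documentation): verify and distribute the
# KMIP tokens directory described in step 5.
# Assumptions: stat(1) supports "-c '%U:%G'" (GNU coreutils and BusyBox do);
# MAPR_HOME defaults to /opt/mapr; scp/ssh access exists for push_tokens.

MAPR_HOME="${MAPR_HOME:-/opt/mapr}"
TOKENS_DIR="${MAPR_HOME}/conf/tokens"

# check_tokens_ownership DIR USER GROUP
# Prints one line per file in DIR not owned by USER:GROUP.
# Returns 0 when every file passes, 1 when any file fails, 2 when DIR is absent.
check_tokens_ownership() {
    dir="$1"; want_user="$2"; want_group="$3"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    bad=0
    # Two globs so that dot-files (which "*" skips) are also inspected.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue        # unmatched glob expands to itself
        owner=$(stat -c '%U:%G' "$f")
        if [ "$owner" != "$want_user:$want_group" ]; then
            echo "WRONG OWNER $owner (expected $want_user:$want_group): $f"
            bad=1
        fi
    done
    return "$bad"
}

# push_tokens DIR USER GROUP NODE...
# Copies DIR to the same path on each NODE (hypothetical helper; the page only
# says to copy the contents and set ownership) and sets USER:GROUP remotely.
# Returns the number of nodes that failed, so 0 means all nodes succeeded.
push_tokens() {
    dir="$1"; want_user="$2"; want_group="$3"; shift 3
    failed=0
    for node in "$@"; do
        if scp -rp "$dir" "$node:$(dirname "$dir")/" &&
           ssh "$node" "chown -R '$want_user:$want_group' '$dir'"; then
            echo "pushed $dir to $node"
        else
            echo "FAILED to push $dir to $node" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone usage: verify the local directory before distributing it.
# Node names below are the ones a cluster admin would substitute (constructed).
if [ "${1:-}" = "--run" ]; then
    check_tokens_ownership "$TOKENS_DIR" mapr mapr \
        && push_tokens "$TOKENS_DIR" mapr mapr cldb1.example.internal zk1.example.internal
fi
```

Run the check first on the node where configure.sh generated the tokens; only when it returns 0 should the directory be distributed, because scp preserves modes but not ownership across hosts, which is why the helper runs chown on every target after the copy.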

Example of configure.sh Command for Secure Cluster with DARE and KMIP Enabled

The following example shows how to use /opt/mapr/server/configure.sh to enable security with data-at-rest encryption (DARE) and HSM features enabled. Bold-face type indicates HSM options and messages:
/opt/mapr/server/configure.sh  -secure -genkeys -N test96.cluster.com -C perfnode96.lab:7222 
-Z perfnode96.lab:5181 -F disks.txt -dare -hsm -hsmip 10.10.30.129 -hsmlabel "SafeNet KeySecure" 
-hsmsopin 12345678 -hsmclientcert /root/safenet-keysecure/client.pem -hsmcacert /root/safenet-keysecure/CA.pem 
-hsmclientkey /root/safenet-keysecure/key.pem
create /opt/mapr/conf/conf.old
CLDB node list: perfnode96.lab:7222
Zookeeper node list: perfnode96.lab:5181
External Zookeeper node list: 
Node setup configuration:  cldb fileserver hadoop-util zookeeper
Log can be found at:  /opt/mapr/logs/configure.log
Initializing HSM with label SafeNet KeySecure
Generated random user PIN B$V5g%$2#%8Kc6SL
Obtained cluster name test96.cluster.com from mapr-clusters.conf
Enabling MapR HSM on cluster test96.cluster.com
Successfully generated Core KEK, UUID CF9FE63E85EF233B583972FB6265DB33067E8DBBB300297FF8F562DFCF7EA904
Successfully generated Common KEK, UUID 32A903E6D0DF67FDBCD953A33FC2547F50D35C18666E2A0A0B5CF749FBF84D6A
Successfully set encrypted CLDB key in KMIP configuration
Successfully set encrypted DARE key in KMIP configuration

##############################################################################
# NOTE: The DARE master key for data at rest encryption is protected by the  #
# HSM. All keys in the HSM, including the DARE master key, should be safely  #
# backed up. Without the DARE master key, cluster cannot be started and data #
# cannot be accessed.                                                        #
##############################################################################

Creating 100 year self signed certificate with subjectDN='CN=*.lab'
Configuring hadoop-util
/dev/sdb added.
/dev/sdc added.
/dev/sdd added.
Zookeeper found on this node, and it is not running. Starting Zookeeper
Warden is not running. Starting mapr-warden. Warden will then start all other configured services on this node
... Starting cldb
... Starting fileserver
... Starting hadoop-util
To further manage the system, use "maprcli", or connect browser to https://{webserver host name}:8443/
To stop and start this node, use "systemctl start/stop mapr-warden "
No need to set label returning from SetDiskLabel