Setting-up KMIP—for Fresh Data Fabric Installation
Setting up an external Key Management Interoperability Protocol (KMIP) key store requires performing certain steps after installing the data-fabric packages but before running configure.sh.
Enable KMIP Integration with Data Fabric
- Option 1: Use the procedure on this page to perform a manual Data Fabric installation and run the configure.sh script with the new HSM parameters for a fresh installation.
- Option 2: Perform a regular (non-KMIP) installation in either of the following ways:
  - Run the configure.sh script with the normal parameters, or
  - Use the graphical installer to perform a regular (non-KMIP) installation.
  Then use the mrhsm commands to import the CLDB and DARE keys. See Setting-up KMIP—for Existing Data Fabric Installation for details.
This page describes how to enable an external key store in the context of a manual installation of the HPE Ezmeral Data Fabric. If you do not need to enable an external key store, you can skip this topic and proceed to Enabling Security on a New Cluster Installation.
Steps for Setting Up an External Key Store
1. Set up the external KMIP-enabled key management appliance for the HSM of your choice as described in the Utimaco ESKM Integration Guide, the Gemalto SafeNet KeySecure Key Manager (now known as Thales CipherTrust Manager) Integration Guide, the Vormetric Data Security Manager (DSM) Integration Guide, or the HashiCorp Vault Integration Guide.
   At the end of this step, you should have the following on one of the Data Fabric cluster hosts that runs the CLDB:
   - Private client key
   - Signed client certificate in PEM format
   - Signed CA certificate in PEM format
   The private client key is the credential that authenticates the CLDB host to the key manager; keep it readable only by the user that runs configure.sh (mode 600). The certificate and CA files are not secret.
2. Complete the vendor-specific HSM configuration (this can also be done before step 1). For more information, see Integration Guides.
3. Prepare the /opt/mapr/server/configure.sh command that you will run as part of Enabling Security on a New Cluster Installation. To enable the external key store, the command must include the -hsm parameters. For more information about these parameters, see the "HSM Parameters" section in configure.sh. For an example, see Example of configure.sh Command for Secure Cluster with DARE and KMIP Enabled later on this page. For information about the SO PIN, specified with -hsmsopin, see About the SO PIN.
   The -hsm parameters you specify are passed to the configure.sh script, which sets up the file system to use the HSM and verifies connectivity. When it is used in this way, the configure.sh script acts as a front end to the various options of the mrhsm utility described in mrhsm Commands.
   Note that the SO PIN is passed as a plain command-line argument, so it is visible in the shell history and in the process list while configure.sh runs. Run the command from a shell session that does not record history (or clear the history afterwards), and treat the console output as sensitive: configure.sh prints the random user PIN it generates.
4. Perform the steps in the "Basic Procedure" for Enabling Security on a New Cluster Installation using the configure.sh command that you created in step 3. At the end of the configure.sh script, if the configuration is correct, the HSM should be up and running. To check the HSM status, use the mrhsm info command.
5. Copy the various keystore and truststore files to all nodes in the cluster, as described in Step 4 of Enabling Security When All Nodes Are Non-FIPS or Step 4 of Enabling Security When All Nodes Are FIPS, as appropriate, in Enabling Security on a New Cluster Installation.
6. Proceed to Configuring Storage and complete the remaining manual-installation steps.
7. Restart the cluster (at least all CLDB nodes, all ZooKeeper nodes, and some of the data nodes) to ensure that the cluster comes up with the installed HSM configuration.
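Before running the configure.sh command from step 3, it is worth checking on the CLDB host that the three PEM files from step 1 belong together, so that a mismatched key, certificate or CA is caught before configure.sh attempts to connect to the HSM. The following pre-flight script is an added example and is not part of the Data Fabric product or its documentation. It verifies that the client certificate chains to the CA certificate, that the private key matches the certificate, that neither certificate has expired, and that the key file is not group- or world-readable; it then runs itself against a throwaway CA and client certificate generated inline with openssl (constructed test data, not material from a real key manager). The file names CA.pem, client.pem and key.pem mirror the example command on this page; the function names kmip_preflight and kmip_preflight_demo are assumptions of this example. It does not test reachability of the KMIP port, which configure.sh does itself.

```shell
#!/bin/sh
# kmip_preflight.sh: sanity-check the KMIP client material that configure.sh
# consumes through -hsmcacert, -hsmclientcert and -hsmclientkey.
# Added example; not part of HPE Ezmeral Data Fabric. Requires openssl.

# kmip_preflight CA.pem client.pem key.pem
# Returns 0 when every check passes, 1 on the first failure.
kmip_preflight() {
    ca="$1"; cert="$2"; key="$3"

    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: missing or unreadable file: $f" >&2
            return 1
        fi
    done

    # The private key is the CLDB host's credential to the key manager: it
    # must not be group- or world-readable (expect 600 or 400).
    perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null)
    case "$perms" in
        *00) ;;
        *) echo "WARN: $key has mode '$perms'; expected 600 or 400" >&2 ;;
    esac

    # Neither certificate may be expired (or unparsable).
    for c in "$ca" "$cert"; do
        if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: certificate expired or unparsable: $c" >&2
            return 1
        fi
    done

    # The client certificate must chain to the CA file given to configure.sh.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi

    # The key must be parsable (an unencrypted PEM key is expected here).
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: cannot parse private key: $key" >&2
        return 1
    fi

    # The private key must belong to the client certificate: compare SHA-256
    # digests of the DER-encoded public key derived from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert" >&2
        return 1
    fi

    echo "OK: $cert chains to $ca and matches $key"
    return 0
}

# Self-test on a throwaway PKI built with openssl (constructed data, not
# material from a real key manager). Returns 0 if the positive case passes
# and the negative case (a key the certificate was not issued for) fails.
kmip_preflight_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-kmip-ca" \
        -keyout "$d/ca.key" -out "$d/CA.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cldb-client" \
        -keyout "$d/key.pem" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/CA.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.pem" >/dev/null 2>&1
    chmod 600 "$d/key.pem"

    if kmip_preflight "$d/CA.pem" "$d/client.pem" "$d/key.pem"; then good=0; else good=1; fi

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1
    if kmip_preflight "$d/CA.pem" "$d/client.pem" "$d/other.key" 2>/dev/null; then bad=0; else bad=1; fi

    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

[ "${1:-}" = "--demo" ] && kmip_preflight_demo
```

Run `sh kmip_preflight.sh --demo` to exercise the self-test, or source the file and call `kmip_preflight /root/safenet-keysecure/CA.pem /root/safenet-keysecure/client.pem /root/safenet-keysecure/key.pem` with the paths you intend to pass to configure.sh. A WARN on the key file mode does not fail the check, but should be fixed before the key is used.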
Example of configure.sh Command for Secure Cluster with DARE and KMIP Enabled
The following example runs /opt/mapr/server/configure.sh to enable security with data-at-rest encryption (DARE) and the HSM features enabled. The HSM options are the -hsm* parameters on the command line; the HSM messages in the output are the lines from "Initializing HSM" through the boxed note about the DARE master key. The SO PIN shown (12345678) is a placeholder, not a value to reuse:
/opt/mapr/server/configure.sh -secure -genkeys -N test96.cluster.com -C perfnode96.lab:7222
-Z perfnode96.lab:5181 -F disks.txt -dare -hsm -hsmip 10.10.30.129 -hsmlabel "SafeNet KeySecure"
-hsmsopin 12345678 -hsmclientcert /root/safenet-keysecure/client.pem -hsmcacert /root/safenet-keysecure/CA.pem
-hsmclientkey /root/safenet-keysecure/key.pem
create /opt/mapr/conf/conf.old
CLDB node list: perfnode96.lab:7222
Zookeeper node list: perfnode96.lab:5181
External Zookeeper node list:
Node setup configuration: cldb fileserver hadoop-util zookeeper
Log can be found at: /opt/mapr/logs/configure.log
Initializing HSM with label SafeNet KeySecure
Generated random user PIN B$V5g%$2#%8Kc6SL
Obtained cluster name test96.cluster.com from mapr-clusters.conf
Enabling MapR HSM on cluster test96.cluster.com
Successfully generated Core KEK, UUID CF9FE63E85EF233B583972FB6265DB33067E8DBBB300297FF8F562DFCF7EA904
Successfully generated Common KEK, UUID 32A903E6D0DF67FDBCD953A33FC2547F50D35C18666E2A0A0B5CF749FBF84D6A
Successfully set encrypted CLDB key in KMIP configuration
Successfully set encrypted DARE key in KMIP configuration
##############################################################################
# NOTE: The DARE master key for data at rest encryption is protected by the #
# HSM. All keys in the HSM, including the DARE master key, should be safely #
# backed up. Without the DARE master key, cluster cannot be started and data #
# cannot be accessed. #
##############################################################################
Creating 100 year self signed certificate with subjectDN='CN=*.lab'
Configuring hadoop-util
/dev/sdb added.
/dev/sdc added.
/dev/sdd added.
Zookeeper found on this node, and it is not running. Starting Zookeeper
Warden is not running. Starting mapr-warden. Warden will then start all other configured services on this node
... Starting cldb
... Starting fileserver
... Starting hadoop-util
To further manage the system, use "maprcli", or connect browser to https://{webserver host name}:8443/
To stop and start this node, use "systemctl start/stop mapr-warden "
No need to set label returning from SetDiskLabel