Integrating Apache Ranger KMS with the CipherTrust Manager
To integrate Apache Ranger KMS with the CipherTrust Manager:
Create a user in the CipherTrust Manager. For more details, refer to the CipherTrust KMS Administrator Guide.
The credentials of this user are used in the steps below to create the Ranger key.
Configure TLS in the CipherTrust Manager. For more details, refer to the Administrator Guide of CipherTrust KMS.
Go to the client machine from which you want to create the RangerKMS key.
Download the CipherTrust PKCS#11 library build and extract it:
tar -xvf Ingrian_pkcs11-8.9.0.000.tar
Execute the following command to navigate to the lib folder:
cd Ingrian_pkcs11-8.9.0.000/lib
Copy libIngPKCS11.so-8.9.0.000 to /tmp as libIngPKCS11.so:
cp libIngPKCS11.so-8.9.0.000 /tmp/libIngPKCS11.so
Create a sunpkcs11.cfg file in any folder. It must point at the libIngPKCS11.so path from the previous step and contain the following configuration:
name = CipherTrust Manager
library = /tmp/libIngPKCS11.so
description = Integration
slotListIndex = 1
attributes(*,*,*) = {
  CKA_TOKEN = true
}
attributes(*,CKO_SECRET_KEY,*) = {
  CKA_CLASS = 4
  CKA_SENSITIVE = false
  CKA_ENCRYPT = true
  CKA_DECRYPT = true
}
attributes(*,CKO_PRIVATE_KEY,*) = {
  CKA_TOKEN = true
  CKA_CLASS = 3
  CKA_DERIVE = true
  CKA_PRIVATE = true
  CKA_DECRYPT = true
  CKA_SIGN = true
  CKA_UNWRAP = true
}
attributes(*,CKO_PUBLIC_KEY,*) = {
  CKA_CLASS = 2
  CKA_ENCRYPT = true
  CKA_VERIFY = true
  CKA_WRAP = true
}
Two points to be aware of: slotListIndex = 1 selects the second slot the library reports, so adjust it if your library exposes a different slot layout; and CKA_SENSITIVE = false means the AES key value can be read back over the PKCS#11 interface (C_GetAttributeValue), so treat access to the client machine and to the CipherTrust user credentials as equivalent to access to the key.
Update the sunpkcs11.cfg path in RangerHSM.java (provided by Thales) so that it points to the file you just created.
Go to the directory containing the Apache Ranger AES key-generation Java files provided by Thales:
cd /root/workspace1/Horton/bin
To compile the class files provided by Thales (RangerHSM.java, Horton.java, Configuration.java, and RangerKMSMKI.java), you need the following jar files on the classpath:
• apache-logging-log4j
• xmlsec-2.0
Compile all class files to the bin location:
javac -d ../bin -classpath ".:/root/workspace1/apache-logging-log4j.jar:/root/workspace1/xml-security-impl-1.0.jar" RangerKMSMKI.java RangerHSM.java Horton.java Configuration.java
Run the Horton class to generate the AES key and the RangerKMS key on the CipherTrust Manager:
java -classpath ".:/root/workspace1/apache-logging-log4j.jar:/root/workspace1/xml-security-impl-1.0.jar" Horton
After the program completes successfully, both keys exist in the CipherTrust Manager. Confirm this from the CipherTrust Manager console before configuring Ranger KMS to use them.
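As an added illustration (this is not the Thales-provided RangerHSM.java or Horton.java), the following Java program performs the operations the procedure above relies on: it loads the SunPKCS11 provider from sunpkcs11.cfg, creates an AES key as a persistent token object on the CipherTrust Manager under a given alias, reads it back the way a consumer would, reports whether the key value is readable (the consequence of CKA_SENSITIVE = false), and runs an encrypt/decrypt round trip inside the provider so you can confirm the key is usable before Ranger KMS depends on it. The class name, the alias argument, the Java 9+ Provider.configure API and the assumption that the PIN is the credential of the CipherTrust user created in step 1 are all assumptions of this example; check the CipherTrust PKCS#11 library documentation for the PIN format your library version expects.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example, not the Thales-provided RangerHSM.java/Horton.java.
// Assumptions: Java 9+ (Provider.configure), an alias chosen on the command
// line, and a PIN that is the CipherTrust user's credential from step 1.
public class CipherTrustKeyCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CipherTrustKeyCheck <sunpkcs11.cfg> <alias> <pin>");
            System.exit(2);
        }
        String cfgPath = args[0];
        String alias = args[1];
        char[] pin = args[2].toCharArray();

        // Java 9+: configure the JDK's SunPKCS11 provider from the cfg file.
        // (On Java 8 this would be: new sun.security.pkcs11.SunPKCS11(cfgPath))
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            throw new IllegalStateException("SunPKCS11 provider not available in this JDK");
        }
        Provider p = base.configure(cfgPath);
        Security.addProvider(p);

        // load() with a password logs in to the token (C_Login) using the PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // Fail closed: never silently replace a master key that already exists.
        if (ks.containsAlias(alias)) {
            System.err.println("key '" + alias + "' already exists on the token; refusing to overwrite");
            System.exit(1);
        }

        // The key material is generated by the PKCS#11 library, not the JVM; with
        // attributes(*,*,*) = { CKA_TOKEN = true } in the cfg it is a token object.
        KeyGenerator kg = KeyGenerator.getInstance("AES", p);
        kg.init(256);
        SecretKey generated = kg.generateKey();

        // Storing the entry attaches the alias (CKA_LABEL) that Ranger KMS looks up.
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(generated),
                new KeyStore.PasswordProtection(pin));

        // Re-open the keystore and fetch the key the way a consumer would.
        KeyStore again = KeyStore.getInstance("PKCS11", p);
        again.load(null, pin);
        Key stored = again.getKey(alias, pin);
        if (stored == null) {
            throw new IllegalStateException("key '" + alias + "' not found after storing it");
        }
        System.out.println("aliases on token: " + Collections.list(again.aliases()));
        // getFormat() is null when the token marks the key sensitive or
        // non-extractable; with CKA_SENSITIVE = false in the cfg it is "RAW",
        // i.e. the key value can be read out over PKCS#11.
        System.out.println("key format (null = value not readable): " + stored.getFormat());

        // Round trip inside the provider to confirm CKA_ENCRYPT/CKA_DECRYPT work.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = "ranger kms master key check".getBytes(StandardCharsets.UTF_8); // constructed input
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        enc.init(Cipher.ENCRYPT_MODE, stored, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);
        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", p);
        dec.init(Cipher.DECRYPT_MODE, stored, new IvParameterSpec(iv));
        boolean ok = Arrays.equals(plaintext, dec.doFinal(ciphertext));
        System.out.println("encrypt/decrypt round trip: " + (ok ? "OK" : "FAILED"));
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Run it as `java CipherTrustKeyCheck /path/to/sunpkcs11.cfg <alias> <pin>` on the same client machine, then compare the alias list it prints with the keys shown in the CipherTrust Manager console. The refusal to overwrite an existing alias is deliberate: replacing the Ranger KMS master key on the token makes every zone key wrapped under the old one unrecoverable.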