How to Enable HDFS Transparent Encryption with Key Trustee Servers Set Up on the BDA on Oracle Big Data Appliance V4.5 and Higher with bdacli
(Doc ID 2166648.1)
Last updated on FEBRUARY 07, 2023
Applies to:
Big Data Appliance Integrated Software - Version 4.5.0 and later
Linux x86-64
Purpose
The document details how to enable/disable HDFS Transparent Encryption with BDA-local Key Trustee Servers set up on the Oracle Big Data Appliance (BDA) V4.5.0 cluster using bdacli.
Scope
System administrators and ACS.
Details
In this Document
Purpose
Scope
Details
Introductions
Known Issues
HDFS Transparent Encryption Frequently Asked Questions
Do Key Trustee Servers need to be set up in HA mode? Is there any concern setting up a Key Trustee Server in a non-HA mode, i.e. only having one Active Key Trustee Server?
Can the Key Management Service (KMS) be directly started/stopped using "bdacli enable hdfs_transparent_encryption"?
Does enabling HDFS Transparent Encryption have an option to install KMS services on an edge node?
"bdacli enable hdfs_transparent_encryption" will set up Key Trustee Servers on Nodes 1/2 of the BDA cluster; is there a performance impact to that?
Would there be less of a performance impact if Key Trustee Servers were manually installed on Nodes 3/4 of the BDA cluster?
Is it ok to manually install the Key Trustee Servers on Nodes 3/4 if that is preferred?
Are any manual installations of Key Trustee Servers managed by Mammoth?
What are the recommendations on backing up Key Trustee Servers?
Is it a good recommendation to place the Key Trustee Servers off the BDA?
Is it possible to implement BDR between two different BDA clusters where HDFS Transparent Encryption is enabled?
Enabling HDFS Transparent Encryption
Prerequisites
Prerequisites - General
Prerequisites for HDFS Transparent Encryption
Prerequisites for Key Trustee Server setup if not selecting Mammoth installed BDA-local Key Trustee Servers
Prerequisites for passwords
Prerequisites for cluster health
Enable HDFS Transparent Encryption with bdacli
Post BDA V4.5 HDFS Transparent Encryption enable steps
bdacli getinfo checks
Verify the Key Trustee KMS service and Key Trustee Servers are present in Cloudera Manager
Verify MD5 hash of the private GPG keys on each Key Trustee KMS host is identical
Troubleshooting HDFS Transparent Encryption enable
Disabling HDFS Transparent Encryption
Disable HDFS Transparent Encryption with bdacli
Post BDA V4.5 HDFS Transparent Encryption disable steps
References