
How to Move Key Trustee KMS Proxy Roles from non-BDA Nodes to Nodes 1/2 of a BDA Cluster (Doc ID 2252619.1)

Last updated on FEBRUARY 07, 2023

Applies to:

Big Data Appliance Integrated Software - Version 4.7.0 and later
Linux x86-64

Purpose

This document provides the steps to move Key Management Service (KMS) proxy roles that reside off the Oracle Big Data Appliance (BDA) cluster to the first two nodes of the BDA cluster. It applies only when the HA Key Trustee KMS Proxy Service was initially set up off the BDA and the initial setup of the Key Trustee Proxy service was not enabled via the bdacli utility for HDFS transparent encryption. This might occur in versions earlier than Mammoth 4.4.0, as HDFS transparent encryption became available in that version. This process converts a manually set up HDFS transparent encryption configuration into one that is managed by Mammoth.

If you are going to attempt this, please open an SR with Oracle Support and get approval from Support / Development to confirm the environment, process, and goals before embarking on the steps in this note.

Scope

BDA Admin, sysadmin, Oracle ACS

Details



In this Document
Purpose
Scope
Details
 Overview
 Verify the Hosts with "Key Trustee KMS Proxy" Roles in Cloudera Manager
 Capture the "Key Trustee KMS Proxy" configuration from one non-BDA node
 Transfer the "Key Trustee KMS Proxy" configuration from the non-BDA node to the BDA Node
 Repeat the Above Two Sections for the Second non-BDA host
 Verify the KMS conf file on BDA Node 1 and Node 2
 Configure the Key Trustee KMS Proxy Service in Cloudera Manager
 Delete the existing "Key Management Server Proxy" roles
 Stop the existing "Key Management Server Proxy" roles
 Delete the existing "Key Management Server Proxy" roles
 Add the new BDA host "Key Management Server Proxy" roles
 Restart the cluster and deploy the client configuration
 Update the existing /opt/oracle/bda/install/state/config.json files on the cluster
