Known Issues in Ranger KMS

Learn about the known issues in Ranger, the impact or changes to the functionality, and the workaround.

CDPD-99837: Mixed case key names can break HDFS encryption after KTS to Ranger KMS migration

When you migrate encryption keys from Key Trustee Server (KTS) to the Ranger KMS DB, encryption zone key names that were originally mixed case (uppercase, lowercase, or camelCase) in KTS can cause HDFS decryption to fail after migration.

None.

CDPD-70115: Ranger KMS with Oracle DB not supported for Navigator Encrypt

Navigator Encrypt deposit registration is failing with Ranger KMS DB with Oracle DB setup with the following error:

java.sql.SQLSyntaxErrorException: ORA-02289: sequence does not exist Error Code: 2289

None.

CDPD-101323: Ranger KMS with KTS key export/import fails when using a custom keystore path

When migrating keys from KTS to the Ranger KMS DB, the Export keys from Ranger KMS KTS action (Cloudera Manager > Ranger KMS KTS > Actions > Export keys from Ranger KMS KTS) can fail if Ranger KMS with KTS is configured with a custom Key Trustee keystore path.

Perform the following steps before running the export action when using a custom Key Trustee keystore path:

On both Ranger KMS (with KTS) instances, manually create the default directory.
Set the ownership of the directory to kms:kms.
Align permissions with your custom path directory used by Ranger KMS with KTS.
Run the export action again from Cloudera Manager > Ranger KMS KTS > Actions > Export keys from Ranger KMS KTS.
- The export action might still report a failure during the verification step because it looks in the custom path.
- However, the keystore file migratedKeyStore.jceks is generated in the hardcoded default path.
Manually verify that the keystore has been created and is valid:
```
keytool -list -v \
  -keystore /var/lib/kms-keytrustee/migratedKeyStore.jceks \
  -storetype JCEKS
```
There is no password set for this keystore; you can just press Enter when prompted.
note
For the Import action, just keep the migratedKeyStore.jceks file on both the hosts of KMS servers under /var/lib/kms-keytrustee/ with ownership kms:kms and permissions same as your custom path.
Proceed with the remaining migration steps.