Updating Navigator Encrypt

You must update NavEncrypt to version 7.1.9 in order for it to work with Ranger KMS.

Learn how to update RHEL-compatible Navigator Encrypt. For information on installing SLES- and Ubuntu-compatible Navigator Encrypt, refer to 'Installing Cloudera Navigator Encrypt'.

  1. SSH as root to the host where NavEncrypt is installed.
  2. Extract the new tar.gz package.
    tar zxvf navigator-encrypt-7.1.9.0-64-redhat8.tar.gz --directory navencrypt-7.1.9.0-repo
  3. Stop NavEncrypt.
    systemctl stop navencrypt-mount
  4. Make a copy of /etc/navencrypt/.
    cp -rp /etc/navencrypt/ .
  5. Create and edit the repo file /etc/yum.repos.d/navencrypt-7.1.9.0.repo by adding the following lines.
    [navencrypt-7.1.9.0]
    name=navencrypt-7.1.9.0
    baseurl=file:///root/navencrypt-7.1.9.0-repo
    gpgkey=file:///root/navencrypt-repo/nepub.asc
    enabled=1
    gpgcheck=1
  6. Ensure that the repository is accepted and that three packages are present.
    # yum repolist
    # yum list available --disablerepo=* --enablerepo=navencrypt-7.1.9.0
  7. Edit the /etc/navencrypt/keytrustee/ztrustee.conf file and make the following changes:
    • Change all the URLs to point to Ranger KMS.
    • Change "PROTOCOL" to "json-cleartext".
    • Add "IS_KMS": true
    This is an example of a ztrustee.conf with KTS URLs and port:
    [root@gsne-2 navencryptFiles]# cat /etc/navencrypt/keytrustee/ztrustee.conf 
    {
           "LOCAL_FINGERPRINT":	"2048R/51E9DD52660E134E74ECBA8AF0E1ED9AC6AC3BC9",
           "REMOTES":  	{
                    "kts1.cloudera.com":	{
                            "REMOTE_SERVER": "https://kts1.cloudera.com:11371",
                            "HKP_PORT": 	11371,
                            "HKP_SCHEME":   "https",
                            "DEFAULT":  	true,
                            "HKP_TIMEOUT":  60,
                            "REMOTE_SERVERS": ["https://kts1.cloudera.com:11371", "https://kts2.cloudera.com:11371"],
                            "SSL_INSECURE": true,
                            "PROTOCOL": 	"json-encrypt"
                            }
                     }
    }
    This is an example of a ztrustee.conf with Ranger KMS URLs and port:
    [root@gsne-2 ~]# cat /etc/navencrypt/keytrustee/ztrustee.conf
    {
           "LOCAL_FINGERPRINT":	"2048R/51E9DD52660E134E74ECBA8AF0E1ED9AC6AC3BC9",
           "REMOTES":  	{
                    "kms1.cloudera.com":	{
                            "REMOTE_SERVER": "https://kms1.cloudera.com:9494",
                            "HKP_PORT": 	11371,
                            "HKP_SCHEME":   "https",
                            "DEFAULT":  	true,
                            "HKP_TIMEOUT":  60,
                            "REMOTE_SERVERS": ["https://kms1.cloudera.com:9494", "https://kms2.cloudera.com:9494"],
                            "SSL_INSECURE": true,
                            "PROTOCOL": 	"json-cleartext",
                            "IS_KMS":   	true
                            }
                   }
    }
  8. Update to new versions of NavEncrypt.
    yum update libkeytrustee
    yum update navencrypt-kernel-module
    yum update navencrypt
  9. Start Navigator Encrypt.
    systemctl start navencrypt-mount
  10. Check the version and status of NavEncrypt.
    navencrypt --version
    navencrypt status -m
    navencrypt key --verify --only-keytrustee
The version of NavEncrypt is 7.1.9.0. The status shows "navencrypt module is running". After entering the master-passphrase, navencrypt outputs "VALID".
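
The edits in step 7 can be checked before NavEncrypt is restarted. The following Python check is an added example, not part of the Cloudera documentation or tooling: the function name check_ztrustee, the embedded sample files, and the default port 9494 (taken from the sample above) are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed samples modelled on the page's two ztrustee.conf listings.
KTS_CONF = """{"REMOTES": {"kts1.cloudera.com": {
  "REMOTE_SERVER": "https://kts1.cloudera.com:11371",
  "REMOTE_SERVERS": ["https://kts1.cloudera.com:11371", "https://kts2.cloudera.com:11371"],
  "SSL_INSECURE": true, "PROTOCOL": "json-encrypt"}}}"""
KMS_CONF = """{"REMOTES": {"kms1.cloudera.com": {
  "REMOTE_SERVER": "https://kms1.cloudera.com:9494",
  "REMOTE_SERVERS": ["https://kms1.cloudera.com:9494", "https://kms2.cloudera.com:9494"],
  "SSL_INSECURE": true, "PROTOCOL": "json-cleartext", "IS_KMS": true}}}"""


def check_ztrustee(text, kms_port=9494):
    """Return (errors, warnings) for a ztrustee.conf after the step 7 edits.

    kms_port is an assumption taken from the page's sample; pass your own.
    """
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        # A stray trailing comma or quote leaves the file unparseable.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"], []
    errors, warnings = [], []
    remotes = conf.get("REMOTES", {})
    if not remotes:
        errors.append("no REMOTES section")
    for name, remote in remotes.items():
        # REMOTE_SERVER usually repeats inside REMOTE_SERVERS, so deduplicate.
        urls = {remote.get("REMOTE_SERVER"), *remote.get("REMOTE_SERVERS", [])}
        for url in sorted(u for u in urls if u):
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.port != kms_port:
                errors.append(f"{name}: {url} is not https on port {kms_port}")
        if remote.get("PROTOCOL") != "json-cleartext":
            errors.append(f"{name}: PROTOCOL is {remote.get('PROTOCOL')!r}")
        if remote.get("IS_KMS") is not True:
            errors.append(f"{name}: IS_KMS is not true")
        # Assumption from the key names: with json-cleartext payloads, TLS is
        # the remaining protection, so a relaxed TLS check deserves review.
        if remote.get("SSL_INSECURE") is True:
            warnings.append(f"{name}: SSL_INSECURE is true")
    return errors, warnings


if __name__ == "__main__":
    for label, text in (("KTS", KTS_CONF), ("Ranger KMS", KMS_CONF)):
        print(label, check_ztrustee(text))
```

To check the live file, pass the contents of /etc/navencrypt/keytrustee/ztrustee.conf to check_ztrustee; an empty error list means all three changes from step 7 are in place.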