This is an automated email from the ASF dual-hosted git repository.

gautam pushed a commit to branch ranger-0.7
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-0.7 by this push:
     new df1eb58  RANGER-2331 Ranger-KMS - KeySecure HSM Integration
df1eb58 is described below

commit df1eb588465b4a8d31cfb04f5a62d8f9444e9cec
Author: Gautam Borad <[email protected]>
AuthorDate: Thu Feb 21 11:52:17 2019 +0530

    RANGER-2331 Ranger-KMS - KeySecure HSM Integration
---
 kms/config/kms-webapp/dbks-site.xml                |  51 +++++++
 kms/scripts/DBMKTOKEYSECURE.sh                     |  19 +++
 kms/scripts/KEYSECUREMKTOKMSDB.sh                  |  19 +++
 kms/scripts/install.properties                     |  10 ++
 kms/scripts/setup.sh                               |  81 +++++++++++
 .../apache/hadoop/crypto/key/DBToKeySecure.java    | 127 ++++++++++++++++
 .../apache/hadoop/crypto/key/JKS2RangerUtil.java   |  51 ++++++-
 .../crypto/key/KeySecureToRangerDBMKUtil.java      | 104 +++++++++++++
 .../apache/hadoop/crypto/key/Ranger2JKSUtil.java   |  60 +++++++-
 .../hadoop/crypto/key/RangerKeyStoreProvider.java  | 162 +++++++++++++--------
 .../apache/hadoop/crypto/key/RangerMasterKey.java  |  11 ++
 .../hadoop/crypto/key/RangerSafenetKeySecure.java  | 156 ++++++++++++++++++++
 src/main/assembly/kms.xml                          |   2 +
 13 files changed, 782 insertions(+), 71 deletions(-)

diff --git a/kms/config/kms-webapp/dbks-site.xml 
b/kms/config/kms-webapp/dbks-site.xml
index 0e0f2ec..2248032 100755
--- a/kms/config/kms-webapp/dbks-site.xml
+++ b/kms/config/kms-webapp/dbks-site.xml
@@ -123,6 +123,57 @@
        <name>ranger.ks.kerberos.keytab</name>
        <value></value>
   </property>
+
+  <!-- Key-Secure Config START-->
+
+  <property>
+        <name>ranger.kms.keysecure.enabled</name>
+        <value>false</value>
+        <description></description>
+  </property>
+
+  <property>
+        <name>ranger.kms.keysecure.UserPassword.Authentication</name>
+        <value>true</value>
+        <description></description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.masterkey.name</name>
+        <value>safenetmasterkey</value>
+        <description>Safenet key secure master key name</description>
+  </property>
+    <property>
+        <name>ranger.kms.keysecure.login.username</name>
+        <value>user1</value>
+        <description>Safenet key secure username</description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.login.password</name>
+        <value>t1e2s3t4</value>
+        <description>Safenet key secure user password</description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.login.password.alias</name>
+        <value>ranger.ks.login.password</value>
+        <description>Safenet key secure user password</description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.hostname</name>
+        <value>SunPKCS11-keysecurehn</value>
+        <description>Safenet key secure hostname</description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.masterkey.size</name>
+        <value>256</value>
+        <description>key size</description>
+  </property>
+  <property>
+        <name>ranger.kms.keysecure.sunpkcs11.cfg.filepath</name>
+        <value>/opt/safenetConf/64/8.3.1/sunpkcs11.cfg</value>
+        <description>Location of Safenet key secure library configuration 
file</description>
+  </property>
+
+  <!-- Key-Secure Config END-->
     
   <!-- HSM Config -->
   <property>
diff --git a/kms/scripts/DBMKTOKEYSECURE.sh b/kms/scripts/DBMKTOKEYSECURE.sh
new file mode 100644
index 0000000..c0aa6e5
--- /dev/null
+++ b/kms/scripts/DBMKTOKEYSECURE.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
-------------------------------------------------------------------------------------
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+java -cp "${cp}" org.apache.hadoop.crypto.key.DBToKeySecure ${1} ${2} ${3} ${4}
diff --git a/kms/scripts/KEYSECUREMKTOKMSDB.sh 
b/kms/scripts/KEYSECUREMKTOKMSDB.sh
new file mode 100644
index 0000000..ba0a8a9
--- /dev/null
+++ b/kms/scripts/KEYSECUREMKTOKMSDB.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# 
-------------------------------------------------------------------------------------
+RANGER_KMS_HOME=`dirname $0`
+cp="${RANGER_KMS_HOME}/cred/lib/*:${RANGER_KMS_HOME}/./ews/webapp/WEB-INF/classes/conf/:${RANGER_KMS_HOME}/ews/webapp/config:${RANGER_KMS_HOME}/ews/lib/*:${RANGER_KMS_HOME}/ews/webapp/lib/*:${RANGER_KMS_HOME}/ews/webapp/META-INF"
+java -cp "${cp}" org.apache.hadoop.crypto.key.KeySecureToRangerDBMKUtil ${1}
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index ddc779d..a4fda7e 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -89,6 +89,16 @@ HSM_ENABLED=false
 HSM_PARTITION_NAME=par19
 HSM_PARTITION_PASSWORD=S@fenet123
 
+#------------------------- Ranger SAFENET KEYSECURE CONFIG 
------------------------------
+KEYSECURE_ENABLED=false
+KEYSECURE_USER_PASSWORD_AUTHENTICATION=true
+KEYSECURE_MASTERKEY_NAME=safenetkeysecure
+KEYSECURE_USERNAME=user1
+KEYSECURE_PASSWORD=t1e2s3t4
+KEYSECURE_HOSTNAME=SunPKCS11-keysecurehn
+KEYSECURE_MASTER_KEY_SIZE=256
+KEYSECURE_LIB_CONFIG_PATH=/opt/safenetConf/64/8.3.1/sunpkcs11.cfg
+
 #
 # ------- UNIX User CONFIG ----------------
 #
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index 2db05b8..39afa5a 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -98,6 +98,15 @@ HSM_ENABLED=$(get_prop 'HSM_ENABLED' $PROPFILE)
 HSM_PARTITION_NAME=$(get_prop 'HSM_PARTITION_NAME' $PROPFILE)
 HSM_PARTITION_PASSWORD=$(get_prop 'HSM_PARTITION_PASSWORD' $PROPFILE)
 
+KEYSECURE_ENABLED=$(get_prop 'KEYSECURE_ENABLED' $PROPFILE)
+KEYSECURE_USER_PASSWORD_AUTHENTICATION=$(get_prop 
'KEYSECURE_USER_PASSWORD_AUTHENTICATION' $PROPFILE)
+KEYSECURE_MASTERKEY_NAME=$(get_prop 'KEYSECURE_MASTERKEY_NAME' $PROPFILE)
+KEYSECURE_USERNAME=$(get_prop 'KEYSECURE_USERNAME' $PROPFILE)
+KEYSECURE_PASSWORD=$(get_prop 'KEYSECURE_PASSWORD' $PROPFILE)
+KEYSECURE_HOSTNAME=$(get_prop 'KEYSECURE_HOSTNAME' $PROPFILE)
+KEYSECURE_MASTER_KEY_SIZE=$(get_prop 'KEYSECURE_MASTER_KEY_SIZE' $PROPFILE)
+KEYSECURE_LIB_CONFIG_PATH=$(get_prop 'KEYSECURE_LIB_CONFIG_PATH' $PROPFILE)
+
 kms_principal=$(get_prop 'kms_principal' $PROPFILE)
 kms_keytab=$(get_prop 'kms_keytab' $PROPFILE)
 hadoop_conf=$(get_prop 'hadoop_conf' $PROPFILE)
@@ -210,6 +219,17 @@ password_validation() {
                 fi
         fi
 }
+
+password_validation_safenet_keysecure(){
+        if [ -z "$1" ]
+        then
+                log "[I] Blank password is not allowed for" $2". Please enter 
valid password."
+                exit 1
+        else
+                log "[I]" $2 "password validated."
+        fi
+}
+
 init_variables(){
        curDt=`date '+%Y%m%d%H%M%S'`
 
@@ -574,7 +594,11 @@ update_properties() {
        HSM_PARTITION_PASSWD="ranger.ks.hsm.partition.password"
        HSM_PARTITION_PASSWORD_ALIAS="ranger.kms.hsm.partition.password"
 
+        KEYSECURE_PASSWD="ranger.kms.keysecure.login.password"
+        KEYSECURE_PASSWORD_ALIAS="ranger.ks.login.password"
+
         HSM_ENABLED=`echo $HSM_ENABLED | tr '[:lower:]' '[:upper:]'`
+        KEYSECURE_ENABLED=`echo $KEYSECURE_ENABLED | tr '[:lower:]' 
'[:upper:]'`
 
        if [ "${keystore}" != "" ]
        then
@@ -600,6 +624,20 @@ update_properties() {
                         updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file
                 fi
 
+                if [ "${KEYSECURE_ENABLED}" == "TRUE" ]
+                then
+                        password_validation_safenet_keysecure 
"$KEYSECURE_PASSWORD" "KEYSECURE User Password"
+                        $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l 
"cred/lib/*" -f "$keystore" -k "${KEYSECURE_PASSWORD_ALIAS}" -v 
"${KEYSECURE_PASSWORD}" -c 1
+
+                        propertyName=ranger.kms.keysecure.login.password.alias
+                        newPropertyValue="${KEYSECURE_PASSWORD_ALIAS}"
+                        updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file
+
+                        propertyName=ranger.kms.keysecure.login.password
+                        newPropertyValue="_"
+                        updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file
+                fi
+
                propertyName=ranger.ks.jpa.jdbc.credential.alias
                newPropertyValue="${DB_CREDENTIAL_ALIAS}"
                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
@@ -631,6 +669,10 @@ update_properties() {
                propertyName="${HSM_PARTITION_PASSWD}"
                 newPropertyValue="${HSM_PARTITION_PASSWORD}"
                 updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName="${KEYSECURE_PASSWD}"
+                newPropertyValue="${KEYSECURE_PASSWORD}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
        fi
 
        if test -f $keystore; then
@@ -695,6 +737,45 @@ update_properties() {
                 updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file         
         fi
 
+        ########### SAFENET KEYSECURE CONFIG #################
+
+
+        if [ "${KEYSECURE_ENABLED}" != "TRUE" ]
+        then
+                propertyName=ranger.kms.keysecure.enabled
+                newPropertyValue="false"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+        else
+                propertyName=ranger.kms.keysecure.enabled
+                newPropertyValue="true"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.UserPassword.Authentication
+                newPropertyValue="${KEYSECURE_USER_PASSWORD_AUTHENTICATION}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.masterkey.name
+                newPropertyValue="${KEYSECURE_MASTERKEY_NAME}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.login.username
+                newPropertyValue="${KEYSECURE_USERNAME}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.hostname
+                newPropertyValue="${KEYSECURE_HOSTNAME}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.masterkey.size
+                newPropertyValue="${KEYSECURE_MASTER_KEY_SIZE}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+                propertyName=ranger.kms.keysecure.sunpkcs11.cfg.filepath
+                newPropertyValue="${KEYSECURE_LIB_CONFIG_PATH}"
+                updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
+        fi
+
        
to_file_kms_site=$PWD/ews/webapp/WEB-INF/classes/conf/ranger-kms-site.xml
     if test -f $to_file_kms_site; then
                log "[I] $to_file_kms_site file found"
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
new file mode 100644
index 0000000..ab0baa1
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/DBToKeySecure.java
@@ -0,0 +1,127 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key;
+
+import java.io.IOException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.kms.dao.DaoManager;
+
+import com.sun.org.apache.xml.internal.security.utils.Base64;
+
+public class DBToKeySecure {
+
+        private static final String ENCRYPTION_KEY = 
"ranger.db.encrypt.key.password";
+        private static final String KEYSECURE_MASTERKEY_NAME = 
"ranger.kms.keysecure.masterkey.name";
+        private static final String KEYSECURE_LOGIN = 
"ranger.kms.keysecure.login";
+        private static final String CFGFILEPATH = 
"ranger.kms.keysecure.sunpkcs11.cfg.filepath";
+
+        public static void showUsage() {
+                System.err
+                                .println("USAGE: java "
+                                                + DBToKeySecure.class.getName()
+                                                + " <keySecureMasterKeyName> 
<keySecureUsername> <keySecurePassword> <sunpkcs11CfgFilePath>");
+        }
+
+        public static void main(String[] args) {
+
+                if (args.length < 4) {
+                        System.err.println("Invalid number of parameters 
found.");
+                        showUsage();
+                        System.exit(1);
+                } else {
+
+                        Configuration conf = 
RangerKeyStoreProvider.getDBKSConf();
+
+                        String keyName = args[0];
+                        if (keyName == null || keyName.trim().isEmpty()) {
+                                System.err.println("Key Secure master key name 
not provided.");
+                                showUsage();
+                                System.exit(1);
+                        }
+
+                        String username = args[1];
+                        if (username == null || username.trim().isEmpty()) {
+                                System.err.println("Key Secure username not 
provided.");
+                                showUsage();
+                                System.exit(1);
+                        }
+                        String password = args[2];
+                        if (password == null || password.trim().isEmpty()) {
+                                System.err.println("Key Secure password not 
provided.");
+                                showUsage();
+                                System.exit(1);
+                        }
+
+                        String cfgFilePath = args[3];
+                        if (cfgFilePath == null || 
cfgFilePath.trim().isEmpty()) {
+                                System.err.println("sunpkcs11 Configuration 
File Path not provided");
+                                showUsage();
+                                System.exit(1);
+                        }
+
+                        boolean result = new 
DBToKeySecure().doExportMKToKeySecure(keyName, username, password, cfgFilePath, 
 conf);
+                        if (result) {
+                                System.out
+                                                .println("Master Key from 
Ranger KMS DB has been successfully imported into Key Secure.");
+                        } else {
+                                System.out
+                                                .println("Import of Master Key 
from DB has been unsuccessful.");
+                                System.exit(1);
+                        }
+                        System.exit(0);
+                }
+        }
+
+        private boolean doExportMKToKeySecure(String keyName, String username, 
String password, String cfgFilePath, Configuration conf) {
+                try {
+                        String keySecureMKPassword = conf.get(ENCRYPTION_KEY);
+                        if (keySecureMKPassword == null
+                                        || 
keySecureMKPassword.trim().equals("")
+                                        || 
keySecureMKPassword.trim().equals("_")
+                                        || 
keySecureMKPassword.trim().equals("crypted")) {
+                                throw new IOException("Master Key Jceks does 
not exists");
+                        }
+
+                        conf.set(CFGFILEPATH, cfgFilePath);
+                        conf.set(KEYSECURE_MASTERKEY_NAME, keyName);
+                        conf.set(KEYSECURE_LOGIN,username + ":" + password);
+
+                        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
+                        DaoManager daoManager = rangerkmsDb.getDaoManager();
+                        String mkPassword = conf.get(ENCRYPTION_KEY);
+
+                        // Get Master Key from Ranger DB
+                        RangerMasterKey rangerMasterKey = new 
RangerMasterKey(daoManager);
+                        String mkey = rangerMasterKey.getMasterKey(mkPassword);
+                        byte[] key = Base64.decode(mkey);
+
+                        if (conf != null) {
+                                RangerSafenetKeySecure rangerSafenetKeySecure 
= new RangerSafenetKeySecure(
+                                                conf);
+                                return 
rangerSafenetKeySecure.setMasterKey(password, key,conf);
+                        }
+
+                        return false;
+                } catch (Throwable t) {
+                        throw new RuntimeException(
+                                        "Unable to import Master key from 
Ranger DB to KeySecure ",
+                                        t);
+                }
+
+        }
+
+}
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
index 22dce0f..ee0913f 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/JKS2RangerUtil.java
@@ -26,13 +26,22 @@ import java.nio.charset.Charset;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.credentialapi.CredentialReader;
 import org.apache.ranger.kms.dao.DaoManager;
 
 public class JKS2RangerUtil {
        
        private static final String DEFAULT_KEYSTORE_TYPE = "jceks";
        private static final String ENCRYPTION_KEY = 
"ranger.db.encrypt.key.password";
+        private static final String KEYSECURE_ENABLED = 
"ranger.kms.keysecure.enabled";
+        private static final String KEYSECURE_USERNAME = 
"ranger.kms.keysecure.login.username";
+    private static final String KEYSECURE_PASSWORD = 
"ranger.kms.keysecure.login.password";
+    private static final String KEYSECURE_PASSWORD_ALIAS = 
"ranger.kms.keysecure.login.password.alias";
+    private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
+    private static final String CREDENTIAL_PATH = 
"ranger.ks.jpa.jdbc.credential.provider.path";
+
        
        public static void showUsage() {
                System.err.println("USAGE: java " + 
JKS2RangerUtil.class.getName() + " <KMS_FileName> [KeyStoreType]");
@@ -80,12 +89,31 @@ public class JKS2RangerUtil {
                        Configuration conf = 
RangerKeyStoreProvider.getDBKSConf();
                        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);        
        
                        DaoManager daoManager = rangerkmsDb.getDaoManager();
-                       RangerKeyStore dbStore = new RangerKeyStore(daoManager);
+                        RangerKeyStore dbStore= new RangerKeyStore(daoManager);
+                        char[] masterKey;
                        String password = conf.get(ENCRYPTION_KEY);
-                       RangerMasterKey rangerMasterKey = new 
RangerMasterKey(daoManager);
-                       rangerMasterKey.generateMasterKey(password);            
-                       char[] masterKey = 
rangerMasterKey.getMasterKey(password).toCharArray();
                        InputStream in = null;
+
+                        if (conf != null
+                                        && 
StringUtils.isNotEmpty(conf.get(KEYSECURE_ENABLED))
+                                        && 
conf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) {
+
+                                getFromJceks(conf, CREDENTIAL_PATH, 
KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
+                                String keySecureLoginCred = 
conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
+                                conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
+
+                                RangerSafenetKeySecure rangerSafenetKeySecure 
= new RangerSafenetKeySecure(
+                                                conf);
+                                
rangerSafenetKeySecure.generateMasterKey(password);
+                                masterKey = 
rangerSafenetKeySecure.getMasterKey(password).toCharArray();
+                        } else {
+                                RangerMasterKey rangerMasterKey = new 
RangerMasterKey(
+                                                daoManager);
+                                rangerMasterKey.generateMasterKey(password);
+                                masterKey = 
rangerMasterKey.getMasterKey(password)
+                                                .toCharArray();
+                        }
+
                        try {
                                in = new FileInputStream(new 
File(keyStoreFileName));
                                dbStore.engineLoadKeyStoreFile(in, 
keyStorePassword, keyPassword, masterKey, keyStoreType);
@@ -105,6 +133,21 @@ public class JKS2RangerUtil {
                        throw new RuntimeException("Unable to import keys from 
[" + keyStoreFileName + "] due to exception.", t);
                }
        }
+        private static void getFromJceks(Configuration conf, String path, 
String alias, String key) {
+
+        //update credential from keystore
+        if (conf != null) {
+            String pathValue = conf.get(path);
+            String aliasValue = conf.get(alias);
+            if (pathValue != null && aliasValue != null) {
+                String xaDBPassword = 
CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim());
+                if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() &&
+                        !xaDBPassword.trim().equalsIgnoreCase("none")) {
+                    conf.set(key, xaDBPassword);
+                }
+            }
+        }
+    }
        
        
        private char[] getPasswordFromConsole(String prompt) throws IOException 
{
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
new file mode 100644
index 0000000..538fde9
--- /dev/null
+++ 
b/kms/src/main/java/org/apache/hadoop/crypto/key/KeySecureToRangerDBMKUtil.java
@@ -0,0 +1,104 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.crypto.key;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.credentialapi.CredentialReader;
+import org.apache.ranger.kms.dao.DaoManager;
+
+import com.sun.org.apache.xml.internal.security.utils.Base64;
+
+public class KeySecureToRangerDBMKUtil {
+        private static final String ENCRYPTION_KEY = 
"ranger.db.encrypt.key.password";
+        private static final String KEYSECURE_USERNAME = 
"ranger.kms.keysecure.login.username";
+    private static final String KEYSECURE_PASSWORD = 
"ranger.kms.keysecure.login.password";
+    private static final String KEYSECURE_PASSWORD_ALIAS = 
"ranger.kms.keysecure.login.password.alias";
+    private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
+    private static final String CREDENTIAL_PATH = 
"ranger.ks.jpa.jdbc.credential.provider.path";
+
+        public static void showUsage() {
+                System.err.println("USAGE: java " + 
KeySecureToRangerDBMKUtil.class.getName() + " <KMS master key password>");
+        }
+
+        public static void main(String[] args) {
+
+                                if (args.length != 1) {
+                                        System.err.println("Invalid number of 
parameters found.");
+                                        showUsage();
+                                        System.exit(1);
+                                }
+                                else {
+                                        String kmsMKPassword = args[0];
+                                        if (kmsMKPassword == null || 
kmsMKPassword.trim().isEmpty()) {
+                                                System.err.println("KMS master 
key password not provided");
+                                                showUsage();
+                                                System.exit(1);
+                                        }
+
+                                        new 
KeySecureToRangerDBMKUtil().doImportMKFromKeySecure(kmsMKPassword);
+                                                System.out.println("Master Key 
from Key Secure has been successfully imported into Ranger KMS DB.");
+                                }
+                        }
+
+        private void doImportMKFromKeySecure(String kmsMKPassword) {
+                try {
+                        Configuration conf = 
RangerKeyStoreProvider.getDBKSConf();
+                        conf.set(ENCRYPTION_KEY, kmsMKPassword);
+                        getFromJceks(conf, CREDENTIAL_PATH, 
KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
+                        String keySecureLoginCred = 
conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
+                        conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
+
+                        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
+                        DaoManager daoManager = rangerkmsDb.getDaoManager();
+                        String password = conf.get(ENCRYPTION_KEY);
+
+                        RangerSafenetKeySecure rangerSafenetKeySecure = new 
RangerSafenetKeySecure(
+                                        conf);
+                        String mKey = 
rangerSafenetKeySecure.getMasterKey(password);
+
+                        byte[] key = Base64.decode(mKey);
+
+                        // Put Master Key in Ranger DB
+                        RangerMasterKey rangerMasterKey = new 
RangerMasterKey(daoManager);
+                        rangerMasterKey.generateMKFromKeySecureMK(password, 
key);
+
+                } catch (Throwable t) {
+                        throw new RuntimeException(
+                                        "Unable to migrate Master key from 
KeySecure to Ranger DB",
+                                        t);
+
+                }
+        }
+
+        private static void getFromJceks(Configuration conf, String path, 
String alias, String key) {
+
+        //update credential from keystore
+        if (conf != null) {
+            String pathValue = conf.get(path);
+            String aliasValue = conf.get(alias);
+            if (pathValue != null && aliasValue != null) {
+                String xaDBPassword = 
CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim());
+                if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() &&
+                        !xaDBPassword.trim().equalsIgnoreCase("none")) {
+                    conf.set(key, xaDBPassword);
+                }
+            }
+        }
+    }
+
+
+}
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
index 1abbf8e..3a54041 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/Ranger2JKSUtil.java
@@ -26,13 +26,21 @@ import java.nio.charset.Charset;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.credentialapi.CredentialReader;
 import org.apache.ranger.kms.dao.DaoManager;
 
 public class Ranger2JKSUtil {
 
        private static final String DEFAULT_KEYSTORE_TYPE = "jceks";
        private static final String ENCRYPTION_KEY = 
"ranger.db.encrypt.key.password";
+        private static final String KEYSECURE_ENABLED = 
"ranger.kms.keysecure.enabled";
+        private static final String KEYSECURE_USERNAME = 
"ranger.kms.keysecure.login.username";
+    private static final String KEYSECURE_PASSWORD = 
"ranger.kms.keysecure.login.password";
+    private static final String KEYSECURE_PASSWORD_ALIAS = 
"ranger.kms.keysecure.login.password.alias";
+    private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
+    private static final String CREDENTIAL_PATH = 
"ranger.ks.jpa.jdbc.credential.provider.path";
        
        public static void showUsage() {
                System.err.println("USAGE: java " + 
Ranger2JKSUtil.class.getName() + " <KMS_FileName> [KeyStoreType]");
@@ -79,23 +87,43 @@ public class Ranger2JKSUtil {
                        char[] keyStorePassword = getPasswordFromConsole("Enter 
Password for the keystore FILE :");
                        char[] keyPassword = getPasswordFromConsole("Enter 
Password for the KEY(s) stored in the keystore:");
                        Configuration conf = 
RangerKeyStoreProvider.getDBKSConf();
-                       RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);        
        
+                        RangerKMSDB rangerkmsDb = new RangerKMSDB(conf);
                        DaoManager daoManager = rangerkmsDb.getDaoManager();
-                       RangerKeyStore dbStore = new RangerKeyStore(daoManager);
+                        RangerKeyStore dbStore= new RangerKeyStore(daoManager);
+
+                        char[] masterKey;
                        String password = conf.get(ENCRYPTION_KEY);
-                       RangerMasterKey rangerMasterKey = new 
RangerMasterKey(daoManager);
-                       char[] masterKey = 
rangerMasterKey.getMasterKey(password).toCharArray();
+                        if (conf != null
+                                        && 
StringUtils.isNotEmpty(conf.get(KEYSECURE_ENABLED))
+                                        && 
conf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) {
+
+                                getFromJceks(conf, CREDENTIAL_PATH, 
KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
+                                String keySecureLoginCred = 
conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
+                                conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
+
+                                RangerSafenetKeySecure rangerSafenetKeySecure 
= new RangerSafenetKeySecure(
+                                                conf);
+                                masterKey = 
rangerSafenetKeySecure.getMasterKey(password).toCharArray();
+
+                        } else {
+                                RangerMasterKey rangerMasterKey = new 
RangerMasterKey(
+                                                daoManager);
+                                masterKey = 
rangerMasterKey.getMasterKey(password)
+                                                .toCharArray();
+                        }
                        OutputStream out = null;
                        try {
                                out = new FileOutputStream(new 
File(keyStoreFileName));
-                               dbStore.engineLoadToKeyStoreFile(out, 
keyStorePassword, keyPassword, masterKey, keyStoreType);
-                       }
-                       finally {
+                                dbStore.engineLoadToKeyStoreFile(out, 
keyStorePassword,
+                                                keyPassword, masterKey, 
keyStoreType);
+                        } finally {
                                if (out != null) {
                                        try {
                                                out.close();
                                        } catch (Exception e) {
-                                               throw new 
RuntimeException("ERROR:  Unable to close file stream for [" + keyStoreFileName 
+ "]", e);
+                                                throw new RuntimeException(
+                                                                "ERROR:  
Unable to close file stream for ["
+                                                                               
 + keyStoreFileName + "]", e);
                                        }
                                }
                        }
@@ -134,4 +162,20 @@ public class Ranger2JKSUtil {
            }
            return ret.toCharArray();
        }
+
+        private static void getFromJceks(Configuration conf, String path, 
String alias, String key) {
+
+        //update credential from keystore
+        if (conf != null) {
+            String pathValue = conf.get(path);
+            String aliasValue = conf.get(alias);
+            if (pathValue != null && aliasValue != null) {
+                String xaDBPassword = 
CredentialReader.getDecryptedString(pathValue.trim(), aliasValue.trim());
+                if (xaDBPassword != null && !xaDBPassword.trim().isEmpty() &&
+                        !xaDBPassword.trim().equalsIgnoreCase("none")) {
+                    conf.set(key, xaDBPassword);
+                }
+            }
+        }
+    }
 }
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
index 267fcf0..448469b 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStoreProvider.java
@@ -68,6 +68,13 @@ public class RangerKeyStoreProvider extends KeyProvider{
        private static final String HSM_ENABLED = "ranger.ks.hsm.enabled";
        private static final String HSM_PARTITION_PASSWORD_ALIAS = 
"ranger.ks.hsm.partition.password.alias";
        private static final String HSM_PARTITION_PASSWORD = 
"ranger.ks.hsm.partition.password";
+        private static final String KEYSECURE_ENABLED = 
"ranger.kms.keysecure.enabled";
+
+        private static final String KEYSECURE_USERNAME = 
"ranger.kms.keysecure.login.username";
+        private static final String KEYSECURE_PASSWORD_ALIAS = 
"ranger.kms.keysecure.login.password.alias";
+    private static final String KEYSECURE_PASSWORD = 
"ranger.kms.keysecure.login.password";
+    private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
+
        
        private final RangerKeyStore dbStore;
        private char[] masterKey;
@@ -80,37 +87,68 @@ public class RangerKeyStoreProvider extends KeyProvider{
        public RangerKeyStoreProvider(Configuration conf) throws Throwable {
                super(conf);
                conf = getDBKSConf();
-               getFromJceks(conf,CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, 
ENCRYPTION_KEY);
-               getFromJceks(conf,CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, 
DB_PASSWORD);
-               getFromJceks(conf,CREDENTIAL_PATH, 
HSM_PARTITION_PASSWORD_ALIAS, HSM_PARTITION_PASSWORD);
+                getFromJceks(conf, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, 
ENCRYPTION_KEY);
+                getFromJceks(conf, CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, 
DB_PASSWORD);
+                getFromJceks(conf, CREDENTIAL_PATH, 
HSM_PARTITION_PASSWORD_ALIAS,
+                                HSM_PARTITION_PASSWORD);
                RangerKMSDB rangerKMSDB = new RangerKMSDB(conf);
                daoManager = rangerKMSDB.getDaoManager();
-               
+
                RangerKMSMKI rangerMasterKey = null;
                String password = conf.get(ENCRYPTION_KEY);
-               if(password == null || password.trim().equals("") || 
password.trim().equals("_") || password.trim().equals("crypted")){
+                if (password == null || password.trim().equals("")
+                                || password.trim().equals("_")
+                                || password.trim().equals("crypted")) {
                        throw new IOException("Master Key Jceks does not 
exists");
                }
-               if(StringUtils.isEmpty(conf.get(HSM_ENABLED)) || 
conf.get(HSM_ENABLED).equalsIgnoreCase("false")){
+                if (StringUtils.isEmpty(conf.get(HSM_ENABLED))
+                                || 
conf.get(HSM_ENABLED).equalsIgnoreCase("false")) {
                        rangerMasterKey = new RangerMasterKey(daoManager);
-               }else{
+                } else {
                        rangerMasterKey = new RangerHSM(conf);
                        String partitionPasswd = 
conf.get(HSM_PARTITION_PASSWORD);
-                       if(partitionPasswd == null || 
partitionPasswd.trim().equals("") || partitionPasswd.trim().equals("_") || 
partitionPasswd.trim().equals("crypted")){
+                        if (partitionPasswd == null || 
partitionPasswd.trim().equals("")
+                                        || partitionPasswd.trim().equals("_")
+                                        || 
partitionPasswd.trim().equals("crypted")) {
                                throw new IOException("Partition Password 
doesn't exists");
                        }
                }
-               dbStore = new RangerKeyStore(daoManager);
-               rangerMasterKey.generateMasterKey(password);            
-               //code to retrieve rangerMasterKey password             
-               masterKey = 
rangerMasterKey.getMasterKey(password).toCharArray();
-               if(masterKey == null){
-                       // Master Key does not exists
-               throw new IOException("Ranger MasterKey does not exists");
+
+
+                if (conf != null && 
StringUtils.isNotEmpty(conf.get(KEYSECURE_ENABLED))
+                                && 
conf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) {
+                        getFromJceks(conf, CREDENTIAL_PATH, 
KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
+                        String keySecureLoginCred = 
conf.get(KEYSECURE_USERNAME).trim() + ":" + conf.get(KEYSECURE_PASSWORD);
+                        conf.set(KEYSECURE_LOGIN, keySecureLoginCred);
+                        rangerMasterKey = new RangerSafenetKeySecure(conf);
+
+                        dbStore = new RangerKeyStore(daoManager);
+                        // generate master key on key secure server
+                        rangerMasterKey.generateMasterKey(password);
+                        try {
+                                masterKey = 
rangerMasterKey.getMasterKey(password)
+                                                .toCharArray();
+                        } catch (Exception ex) {
+                                throw new Exception("Error while getting 
Safenet KeySecure master key " + ex);
+                        }
+
+                }  else {
+                        dbStore = new RangerKeyStore(daoManager);
+                        rangerMasterKey.generateMasterKey(password);
+                        // code to retrieve rangerMasterKey password
+                        try {
+                                masterKey = 
rangerMasterKey.getMasterKey(password)
+                                                .toCharArray();
+                        } catch (Exception ex) {
+                                throw new Exception("Error while getting 
Ranger Master key " + ex);
+                        }
+
                }
-        reloadKeys();
+
+                reloadKeys();
                ReadWriteLock lock = new ReentrantReadWriteLock(true);
-           readLock = lock.readLock();
+                readLock = lock.readLock();
+
        }
 
        public static Configuration getDBKSConf() {
@@ -164,7 +202,7 @@ public class RangerKeyStoreProvider extends KeyProvider{
                throw new IOException("Wrong key length. Required " +
                    options.getBitLength() + ", but got " + (8 * 
material.length));
              }
-             cache.put(name, meta);
+                 cache.put(name, meta);
              String versionName = buildVersionName(name, 0);
              return innerSetKeyVersion(name, versionName, material, 
meta.getCipher(), meta.getBitLength(), meta.getDescription(), 
meta.getVersions(), meta.getAttributes());
        }
@@ -205,7 +243,8 @@ public class RangerKeyStoreProvider extends KeyProvider{
              } catch (KeyStoreException e) {
                throw new IOException("Problem removing " + name + " from " + 
this, e);
              }
-             cache.remove(name);
+                 cache.remove(name);
+
              changed = true;   
        }
 
@@ -236,7 +275,8 @@ public class RangerKeyStoreProvider extends KeyProvider{
                }       
              changed = false;
                 }catch (IOException ioe) {
-                         cache.clear();
+                                 cache.clear();
+
                          reloadKeys();
                  throw ioe;
             }          
@@ -245,37 +285,40 @@ public class RangerKeyStoreProvider extends KeyProvider{
        @Override
        public KeyVersion getKeyVersion(String versionName) throws IOException {
                readLock.lock();
-           try {
-               SecretKeySpec key = null;
-               try {
-                       if (!dbStore.engineContainsAlias(versionName)) {
-                               dbStore.engineLoad(null, masterKey);
-                               if (!dbStore.engineContainsAlias(versionName)) {
-                                       return null;
-                               }
+                try {
+                        SecretKeySpec key = null;
+                        try {
+                                if (!dbStore.engineContainsAlias(versionName)) 
{
+                                        dbStore.engineLoad(null, masterKey);
+                                        if 
(!dbStore.engineContainsAlias(versionName)) {
+                                                return null;
+                                        }
+                                }
+                                key = (SecretKeySpec) 
dbStore.engineGetKey(versionName,
+                                                masterKey);
+                        } catch (NoSuchAlgorithmException e) {
+
+                                throw new IOException("Can't get algorithm for 
key " + key, e);
+                        } catch (UnrecoverableKeyException e) {
+                                throw new IOException("Can't recover key " + 
key, e);
+                        } catch (CertificateException e) {
+                                throw new IOException("Certificate exception 
storing key", e);
                        }
-                       key = (SecretKeySpec) dbStore.engineGetKey(versionName, 
masterKey);
-               } catch (NoSuchAlgorithmException e) {
-                       throw new IOException("Can't get algorithm for key " + 
key, e);
-               } catch (UnrecoverableKeyException e) {
-                       throw new IOException("Can't recover key " + key, e);
-               }
-               catch (CertificateException e) {
-                       throw new IOException("Certificate exception storing 
key", e);
+                        if (key == null) {
+                                return null;
+                        } else {
+                                return new 
KeyVersion(getBaseName(versionName), versionName,
+                                                key.getEncoded());
+                        }
+                } finally {
+                        readLock.unlock();
                }
-               if (key == null) {
-                       return null;
-               } else {
-                       return new KeyVersion(getBaseName(versionName), 
versionName, key.getEncoded());
-               }
-           } finally {
-               readLock.unlock();
-           }
        }
 
        @Override
        public List<KeyVersion> getKeyVersions(String name) throws IOException {
                List<KeyVersion> list = new ArrayList<KeyVersion>();
+
            Metadata km = getMetadata(name);
            if (km != null) {
               int latestVersion = km.getVersions();
@@ -294,18 +337,18 @@ public class RangerKeyStoreProvider extends KeyProvider{
 
        @Override
        public List<String> getKeys() throws IOException {
-               ArrayList<String> list = new ArrayList<String>();
-               String alias = null;
-               reloadKeys();
-           Enumeration<String> e = dbStore.engineAliases();
-               while (e.hasMoreElements()) {
-                  alias = e.nextElement();
-                  // only include the metadata key names in the list of names
-                  if (!alias.contains("@")) {
-                      list.add(alias);
-                  }
-               }
-           return list;
+                        ArrayList<String> list = new ArrayList<String>();
+                        String alias = null;
+                        reloadKeys();
+                        Enumeration<String> e = dbStore.engineAliases();
+                        while (e.hasMoreElements()) {
+                                alias = e.nextElement();
+                                // only include the metadata key names in the 
list of names
+                                if (!alias.contains("@")) {
+                                        list.add(alias);
+                                }
+                        }
+                        return list;
        }
 
        @Override
@@ -326,7 +369,7 @@ public class RangerKeyStoreProvider extends KeyProvider{
                        Key key = dbStore.engineGetKey(name, masterKey);
                        if(key != null){
                                Metadata meta = ((KeyMetadata) key).metadata;
-                               cache.put(name, meta);
+                                       cache.put(name, meta);
                                return meta;
                        }
                } catch (NoSuchAlgorithmException e) {
@@ -347,6 +390,7 @@ public class RangerKeyStoreProvider extends KeyProvider{
        @Override
        public KeyVersion rollNewVersion(String name, byte[] material)throws 
IOException {
                reloadKeys();
+
                Metadata meta = getMetadata(name);
         if (meta == null) {
                throw new IOException("Key " + name + " not found");
@@ -378,8 +422,8 @@ public class RangerKeyStoreProvider extends KeyProvider{
 
     private void reloadKeys() throws IOException {
         try {
-               cache.clear();
-            loadKeys(masterKey);
+                                cache.clear();
+                                loadKeys(masterKey);
         } catch (NoSuchAlgorithmException e) {
             throw new IOException("Can't load Keys");
         }catch(CertificateException e){
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
index 5614c16..c0910a4 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java
@@ -131,6 +131,17 @@ public class RangerMasterKey implements RangerKMSMKI{
                return getMasterKeyFromBytes(masterKeyFromDBDecrypted);         
        }
 
+        public boolean generateMKFromKeySecureMK(String password, byte[] key) 
throws Throwable{
+                logger.info("Generating Master Key");
+                String encryptedMasterKey = encryptMasterKey(password, key);
+                String savedKey = saveEncryptedMK(encryptedMasterKey, 
daoManager);
+                if(savedKey != null && !savedKey.trim().equals("")){
+                        logger.debug("Master Key Created with id = "+savedKey);
+                        return true;
+                }
+                return false;
+        }
+
        private byte[] getEncryptedMK() throws Base64DecodingException {
                logger.debug("Retrieving Encrypted Master Key from database");
                try{
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
new file mode 100644
index 0000000..70ec504
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.crypto.key;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.log4j.Logger;
+
+import com.sun.org.apache.xml.internal.security.utils.Base64;
+
+import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CertificateException;
+
+/**
+ * This Class is for HSM Keystore
+ */
+public class RangerSafenetKeySecure implements RangerKMSMKI {
+
+        static final Logger logger = 
Logger.getLogger(RangerSafenetKeySecure.class);
+
+        private final String alias;
+        private final KeyStore myStore;
+        private final String adp;
+        private final Provider provider;
+        private static final String MK_ALGO = "AES";
+        private final int mkSize;
+        private static final int MK_KeySize = 256;
+        private String pkcs11CfgFilePath = null;
+        private static final String CFGFILEPATH = 
"ranger.kms.keysecure.sunpkcs11.cfg.filepath";
+        private static final String MK_KEYSIZE = 
"ranger.kms.keysecure.masterkey.size";
+        private static final String ALIAS = 
"ranger.kms.keysecure.masterkey.name";
+
+        private static final String KEYSECURE_LOGIN = 
"ranger.kms.keysecure.login";
+
+        public RangerSafenetKeySecure(Configuration conf) throws 
KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
+                mkSize = conf.getInt(MK_KEYSIZE, MK_KeySize);
+                alias = conf.get(ALIAS, "RANGERMK");
+                adp = conf.get(KEYSECURE_LOGIN);
+                pkcs11CfgFilePath = conf.get(CFGFILEPATH);
+
+                try {
+                        // Create a PKCS#11 session and initialize it
+                        // using the sunPKCS11 config file
+                        provider = new 
sun.security.pkcs11.SunPKCS11(pkcs11CfgFilePath);
+                        Security.addProvider(provider);
+                        myStore = KeyStore.getInstance("PKCS11", provider);
+                        if(myStore != null){
+                                myStore.load(null, adp.toCharArray());
+                        }else{
+                                logger.error("Safenet Keysecure not found. 
Please verify the Ranger KMS Safenet Keysecure configuration setup.");
+                        }
+
+                } catch (NoSuchAlgorithmException nsae) {
+                        throw new NoSuchAlgorithmException("Unexpected 
NoSuchAlgorithmException while loading keystore : "
+                                        + nsae.getMessage());
+                } catch (CertificateException e) {
+                        throw new CertificateException("Unexpected 
CertificateException while loading keystore : "
+                                        + e.getMessage());
+                } catch (IOException e) {
+                        throw new IOException("Unexpected IOException while 
loading keystore : "
+                                        + e.getMessage());
+                }
+        }
+
+        @Override
+        public boolean generateMasterKey(String password){
+                if (myStore != null) {
+                        KeyGenerator keyGen = null;
+                        SecretKey aesKey = null;
+                        try {
+                                boolean result = myStore.containsAlias(alias);
+
+                                if (!result) {
+                                        keyGen = 
KeyGenerator.getInstance(MK_ALGO, provider);
+
+
+                                        keyGen.init(mkSize);
+
+                                        aesKey = keyGen.generateKey();
+                                        myStore.setKeyEntry(alias, aesKey, 
password.toCharArray(),
+                                                        
(java.security.cert.Certificate[]) null);
+                                        return true;
+                                } else {
+                                        return true;
+                                }
+
+                        } catch (Exception e) {
+                                logger.error("generateMasterKey : Exception 
during Ranger Master Key Generation - "
+                                                + e);
+                                return false;
+                        }
+                }
+                return false;
+        }
+
+        @Override
+        public String getMasterKey(String password) {
+                if (myStore != null) {
+                        try {
+                                boolean result = myStore.containsAlias(alias);
+                                if (result) {
+                                        SecretKey key = (SecretKey) 
myStore.getKey(alias,
+                                                        
password.toCharArray());
+                                        if (key != null) {
+                                                return 
Base64.encode(key.getEncoded());
+                                        }
+
+                                }
+                        } catch (Exception e) {
+                                logger.error("getMasterKey : Exception 
searching for Ranger Master Key - "
+                                                + e.getMessage());
+                        }
+                }
+                return null;
+        }
+
+        public boolean setMasterKey(String password, byte[] key, Configuration 
conf) {
+                if (myStore != null) {
+                        try {
+                                Key aesKey = new SecretKeySpec(key, MK_ALGO);
+                                myStore.setKeyEntry(alias, aesKey, 
password.toCharArray(),
+                                                
(java.security.cert.Certificate[]) null);
+                                return true;
+                        } catch (Exception e) {
+                                logger.error("setMasterKey : Exception while 
setting Master Key - "
+                                                + e.getMessage());
+                        }
+                }
+                return false;
+        }
+
+}
\ No newline at end of file
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index fca6a32..c156fe3 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -317,6 +317,8 @@
                        <include>exportKeysToJCEKS.sh</include>
                        <include>HSMMK2DB.sh</include>
                        <include>DBMK2HSM.sh</include>
+                        <include>DBMKTOKEYSECURE.sh</include>
+                        <include>KEYSECUREMKTOKMSDB.sh</include>
                </includes>
                <fileMode>544</fileMode>
        </fileSet>

Reply via email to