Installing Cloudera Navigator Key Trustee Server
You can install Navigator Key Trustee Server using Cloudera Manager with parcels or using the command line with packages. See Parcels for more information on parcels.
See Data at Rest Encryption Requirements for more information about encryption and Key Trustee Server requirements.
Setting Up an Internal Repository
Installing Key Trustee Server
Installing Key Trustee Server Using Cloudera Manager
If you are installing Key Trustee Server for use with HDFS Transparent Encryption, the Set up HDFS Data At Rest Encryption wizard installs and configures Key Trustee Server. See Enabling HDFS Encryption Using the Wizard for instructions.
- (Recommended) Create a new cluster in Cloudera Manager containing only the host that Key Trustee Server will be installed on. Cloudera recommends that each cluster use its own KTS instance. Although sharing a single KTS across clusters is technically possible, it is neither approved nor supported for security reasons—specifically, the increased security risks associated with single point of failure for encryption keys used by multiple clusters. See Adding and Deleting Clusters for instructions on how to create a new cluster in Cloudera Manager.
- Add the internal parcel repository you created in Setting Up an Internal Repository to Cloudera Manager following the instructions in Configuring Cloudera Manager Server Parcel Settings.
- Download, distribute, and activate the Key Trustee Server parcel on the cluster containing the Key Trustee Server host, following the instructions in Managing Parcels. After you activate the Key Trustee Server parcel, Cloudera Manager prompts you to restart the cluster. Click the Close button to ignore this prompt. You do not need to restart the cluster after installing Key Trustee Server.
After installing Key Trustee Server using Cloudera Manager, continue to Securing Key Trustee Server Host.
Installing Key Trustee Server Using the Command Line
- Install the EPEL Repository
Dependent packages are available through the Extra Packages for Enterprise Linux (EPEL) repository. To install the EPEL repository, install the epel-release package:
If the epel-release package is already installed, you see a message similar to the following:
- Copy the URL for the epel-release-<version>.noarch file for RHEL 6 or RHEL 7 located in the How can I use these extra packages? section of the EPEL wiki page.
- Run the following commands to install the EPEL repository:
$ sudo wget <epel_rpm_url> $ sudo yum install epel-release-<version>.noarch.rpm
Replace <version> with the version number of the downloaded RPM (for example, 6-8).
Examining /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: does not update installed package. Error: Nothing to doConfirm that the EPEL repository is installed:
$ sudo yum repolist | grep -i epel
- (RHEL 7 Only) Enable the extras Repository
Key Trustee Server requires the python-flask package. For RHEL 6, this package is provided in the EPEL repository. For RHEL 7, it is provided in the RHEL extras repository. To enable this repository, run the following command:
$ sudo subscription-manager repos --enable=rhel-7-server-extras-rpms
- Install the PostgreSQL 9.3 Repository
To install the PostgreSQL 9.3 repository, run the following command:
$ sudo yum install http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-redhat93-9.3-3.noarch.rpm
- Install the Cloudera Repository
Add the internal repository you created. See Modifying Clients to Find the Repository for more information.Import the GPG key by running the following command:
$ sudo rpm --import http://repo.example.com/path/to/RPM-GPG-KEY-cloudera
- Install the CDH Repository
Key Trustee Server and Key HSM depend on the bigtop-utils package, which is included in the CDH repository. For instructions on adding the CDH repository, see To add the CDH repository. To create a local CDH repository, see Creating a Local Yum Repository for instructions.
- Install NTP
The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems. Install and start NTP with the following commands:
$ sudo yum install ntp $ sudo service ntpd start ## For RHEL/CentOS 7, use 'sudo systemctl start ntpd' instead ##
- Install Key Trustee Server
Run the following command to install the Key Trustee Server:
$ sudo yum install keytrustee-server
Installing the Key Trustee Server also installs required dependencies, including PostgreSQL 9.3. After the installation completes, confirm that the PostgreSQL version is 9.3 by running the command createuser -V.
- Configure Services to Start at Boot
Ensure that ntpd, keytrustee-db, and keytrusteed start automatically at boot:
$ sudo chkconfig ntpd on $ sudo chkconfig keytrustee-db on $ sudo chkconfig keytrusteed on
The chkconfig command provides no output if successful.
After installing Key Trustee Server, continue to Securing Key Trustee Server Host.
Securing Key Trustee Server Host
Cloudera strongly recommends securing the Key Trustee Server host to protect against unauthorized access to Key Trustee Server. Red Hat provides security guides for RHEL:
Cloudera also recommends configuring the Key Trustee Server host to allow network communication only over certain ports.
# Flush iptables iptables -F iptables -X # Allow unlimited traffic on loopback (localhost) connection iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow established, related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Open all Cloudera Manager ports to allow Key Trustee Server to work properly iptables -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT # Drop all other connections iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP # Save iptables rules so that they're loaded if the system is restarted sed 's/IPTABLES_SAVE_ON_STOP="no"/IPTABLES_SAVE_ON_STOP="yes"/' -i /etc/sysconfig/iptables-config sed 's/IPTABLES_SAVE_ON_RESTART="no"/IPTABLES_SAVE_ON_RESTART="yes"/' -i /etc/sysconfig/iptables-config
Leveraging Native Processor Instruction Sets
$ grep -o aes /proc/cpuinfo
$ sudo lsmod | grep aesni
If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel module.
The Intel RDRAND instruction set, along with its underlying Digital Random Number Generator (DRNG), is useful for generating keys for cryptographic protocols without using haveged.
$ grep -o rdrand /proc/cpuinfo
- Download the source code:
$ sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
- Extract the source code:
tar xvfz rng-tools-4.tar.gz
- Enter the rng-tools-4 directory:
$ cd rng-tools-4
- Run ./configure.
- Run make.
- Run make install.
$ sudo rngd --no-tpm=1 -o /dev/random
Initializing Key Trustee Server
After installing Key Trustee Server, you must initialize it before it is operational. Continue to Initializing Standalone Key Trustee Server or Cloudera Navigator Key Trustee Server High Availability for instructions.