Navigator Key Trustee Server 5.7.0
Key Management for Compliance and Information Security
Enterprise-grade key management, storing keys for HDFS encryption and Navigator Encrypt. Required prerequisite for all 3 of the related encryption downloads.
This software is available to enterprise customers who are licensed for Navigator use.
- System Requirements
- What's New
- Documentation
System Requirements
Key Trustee Server Requirements
Recommended Hardware and Supported Distributions
Cloudera recommends that the Key Trustee Server be installed on a dedicated server or virtual machine (VM) that is not used for any other purpose. The backing PostgreSQL database must be installed on the same host as the Key Trustee Server, and must not be shared with any other services. For high availability, the active and passive Key Trustee Servers must not share physical resources. See Resource Planning for Data at Rest Encryption for more information.
The recommended minimum hardware specifications are as follows:
- Processor: 1 GHz 64-bit quad core
- Memory: 8 GB RAM
- Storage: 20 GB on moderate- to high-performance disk drives
Key Trustee Server supports the following Linux distributions:
- RHEL and CentOS: 6.4, 6.5, 6.6, 6.7, 7.1, 7.2
Cloudera Manager Requirements
Installing and managing Key Trustee Server using Cloudera Manager requires Cloudera Manager 5.4.0 and higher. Key Trustee Server does not require Cloudera Navigator Audit Server or Metadata Server.
SELinux Requirements
SELinux must be disabled for Key Trustee installation and operation. Modify /etc/selinux/config to set SELINUX=disabled and reboot the system for the change to take effect.
umask Requirements
Key Trustee Server installation requires the default umask of 0022.
Network Requirements
For new Key Trustee Server installations (5.4.0 and higher) and migrated upgrades (see Migrate Apache Web Server to CherryPy for more information), Key Trustee Server requires the following TCP ports to be opened for inbound traffic:
- 11371
Clients connect to this port over HTTPS.
- 11381 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
For upgrades that are not migrated to the CherryPy web server, the pre-upgrade port settings are preserved:
- 80
Clients connect to this port over HTTP to obtain the Key Trustee Server public key.
- 443 (HTTPS)
Clients connect to this port over HTTPS.
- 5432 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
TLS Certificate Requirements
To ensure secure network traffic, Cloudera recommends obtaining Transport Layer Security (TLS) certificates specific to the hostname of your Key Trustee Server. To obtain the certificate, generate a Certificate Signing Request (CSR) for the fully qualified domain name (FQDN) of the Key Trustee Server host. The CSR must be signed by a trusted Certificate Authority (CA). After the certificate has been verified and signed by the CA, the Key Trustee Server TLS configuration requires:
- The CA-signed certificate
- The private key used to generate the original CSR
- The intermediate certificate/chain file (provided by the CA)
Cloudera recommends not using self-signed certificates. If you use self-signed certificates, you must use the --skip-ssl-check parameter when registering Navigator Encrypt with the Key Trustee Server. This skips TLS hostname validation, which safeguards against certain network-level attacks. For more information regarding insecure mode, see Registration Options.
What's New
What's New in Cloudera Navigator Key Trustee Server 5.7.0
- A backup script (ktbackup.sh) is included with Key Trustee Server. See Backing Up and Restoring Key Trustee Server and Clients for more information.
- Parcel-based Key Trustee Server logs an error message at startup if the keytrustee.conf file is malformed.
- Error logging is improved for connection and certificate errors with Key Trustee Server connecting to Key HSM.
Issues Fixed in Cloudera Navigator Key Trustee Server 5.7.0
Email messages from Key Trustee Server use hostname instead of fully qualified domain name
Email sent from Key Trustee Server includes a link that uses the Key Trustee Server short name instead of the fully qualified domain name.
Host Inspector displays the wrong version of Key Trustee Server
Host Inspector displays the wrong Key Trustee Server version, showing the Key Trustee KMS version instead.
Key Trustee Server supports weak RC4 ciphers for TLS
Key Trustee Server supports weak RC4 ciphers for TLS connections, potentially allowing clients to negotiate a weaker connection.
The ktadmin keyhsm command fails with M2Crypto error
Running the ktadmin keyhsm --server https://khsm01.example.com:9090 --trust command fails with the following error:
M2Crypto.X509.X509Error: 140405990356800:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE
Documentation
Related Downloads
Navigator Encrypt
Connects HDFS Encryption to Navigator Key Trustee Server for production-ready key storage.
Navigator Key Trustee KMS
Connects HDFS Encryption to Navigator Key Trustee Server for production-ready key storage.
Navigator Key HSM
Integrates Navigator Key Trustee to existing Hardware Security Modules (HSMs), providing an (optional) additional layer of security.
Want to Get Involved or Learn More?
Check out our other resources
Cloudera Community
Collaborate with your peers, industry experts, and Clouderans to make the most of your investment in Hadoop.
Cloudera Educational Services
Receive expert Hadoop training through Cloudera Educational Services, the industry's only truly dynamic Hadoop training curriculum that’s updated regularly to reflect the state of the art in big data.