This is the documentation for Cloudera Enterprise 5.8.x. Documentation for other versions is available at Cloudera Documentation.

Installing Cloudera Navigator Key Trustee Server

  Important: Before installing Cloudera Navigator Key Trustee Server, see Deployment Planning for Data at Rest Encryption for important considerations.

You can install Navigator Key Trustee Server using Cloudera Manager with parcels or using the command line with packages. See Parcels for more information on parcels.

  Note: If you are using or planning to use Key Trustee Server in conjunction with a CDH cluster, Cloudera strongly recommends using Cloudera Manager to install and manage Key Trustee Server to take advantage of Cloudera Manager's robust deployment, management, and monitoring capabilities.

Prerequisites

See Data at Rest Encryption Requirements for more information about encryption and Key Trustee Server requirements.

Setting Up an Internal Repository

You must create an internal repository to install or upgrade the Cloudera Navigator data encryption components. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see the following topics:

Installing Key Trustee Server

  Important: This feature is available only with a Cloudera Enterprise license. It is not available in Cloudera Express. For information on Cloudera Enterprise licenses, see Managing Licenses.

Installing Key Trustee Server Using Cloudera Manager

  Note: These instructions apply to using Cloudera Manager only. To install Key Trustee Server using packages, skip to Installing Key Trustee Server Using the Command Line.

If you are installing Key Trustee Server for use with HDFS Transparent Encryption, the Set up HDFS Data At Rest Encryption wizard installs and configures Key Trustee Server. See Enabling HDFS Encryption Using the Wizard for instructions.

  1. (Recommended) Create a new cluster in Cloudera Manager containing only the hosts Key Trustee Server will be installed on. Cloudera strongly recommends installing Key Trustee Server in a dedicated cluster to enable multiple clusters to share the same Key Trustee Server and to avoid restarting the Key Trustee Server when restarting a cluster. See Adding and Deleting Clusters for instructions on how to create a new cluster in Cloudera Manager.
      Important: The Add Cluster wizard prompts you to install CDH and other cluster services. To exit the wizard without installing CDH, select a version of CDH to install and continue. When the installation begins, click the Cloudera Manager logo in the upper left corner and confirm you want to exit the wizard. This allows you to create the dedicated cluster with the Key Trustee Server hosts without installing CDH or other services that are not required for Key Trustee Server.
  2. Add the internal parcel repository you created in Setting Up an Internal Repository to Cloudera Manager following the instructions in Configuring Cloudera Manager Server Parcel Settings.
  3. Download, distribute, and activate the Key Trustee Server parcel on the cluster containing the Key Trustee Server host, following the instructions in Managing Parcels.
      Important: The KEYTRUSTEE parcel in Cloudera Manager is not the Key Trustee Server parcel; it is the Key Trustee KMS parcel. The parcel name for Key Trustee Server is KEYTRUSTEE_SERVER.
    After you activate the Key Trustee Server parcel, Cloudera Manager prompts you to restart the cluster. Click the Close button to ignore this prompt. You do not need to restart the cluster after installing Key Trustee Server.

After installing Key Trustee Server using Cloudera Manager, continue to Securing Key Trustee Server Host.

Installing Key Trustee Server Using the Command Line

  Note: These instructions apply to package-based installations using the command line only. To install Key Trustee Server using Cloudera Manager, see Installing Key Trustee Server Using Cloudera Manager.

If you are using or planning to use Key Trustee Server in conjunction with a CDH cluster, Cloudera strongly recommends using Cloudera Manager to install and manage Key Trustee Server to take advantage of Cloudera Manager's robust deployment, management, and monitoring capabilities.

  1. Install the EPEL Repository
    Dependent packages are available through the Extra Packages for Enterprise Linux (EPEL) repository. To install the EPEL repository, install the epel-release package:
    1. Copy the URL of the epel-release-<version>.noarch RPM listed at the bottom of the EPEL 6 page.
    2. Run the following commands to install the EPEL repository:
      $ sudo wget <epel_rpm_url>
      $ sudo yum install epel-release-<version>.noarch.rpm

      Replace <version> with the version number of the downloaded RPM (for example, 6-8). yum does not GPG-check a local RPM file by default, so import the EPEL signing key from a trusted channel and verify the downloaded package with rpm --checksig before installing it.

    If the epel-release package is already installed, you see a message similar to the following:
    Examining /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch
    /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: does not update installed package.
    Error: Nothing to do
    
    Confirm that the EPEL repository is installed:
    $ sudo yum repolist | grep -i epel
  2. (RHEL 7 Only) Enable the extras Repository
    Key Trustee Server requires the python-flask package. For RHEL 6, this package is provided in the EPEL repository. For RHEL 7, it is provided in the RHEL extras repository. To enable this repository, run the following command:
    $ sudo subscription-manager repos --enable=rhel-7-server-extras-rpms
  3. Install the PostgreSQL 9.3 Repository
      Note: Cloudera Navigator Key Trustee Server currently supports only PostgreSQL version 9.3. If you have a different version of PostgreSQL installed on the Key Trustee Server host, remove it before proceeding or select a different host on which to install Key Trustee Server.
    To install the PostgreSQL 9.3 repository, run the following command. The package shown is the RHEL/CentOS 6 x86_64 build; on RHEL 7, use the corresponding package from the rhel-7-x86_64 directory of the same repository. The package is fetched over plain HTTP and is what installs the repository's signing key, so import the PostgreSQL signing key from a trusted channel and verify the downloaded package with rpm --checksig before relying on packages from this repository.
    $ sudo yum install http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/pgdg-redhat93-9.3-1.noarch.rpm
      Important: If you are using CentOS, add the following line to the [base] section of the CentOS base repository file, so that yum installs python-psycopg2 from the PostgreSQL repository rather than the older build in the base repository:
    exclude=python-psycopg2*
    By default, the base repository is located at /etc/yum.repos.d/CentOS-Base.repo. If you have an internal mirror of the base repository, update the correct file for your environment.
  4. Install the Cloudera Repository

    Add the internal repository you created. See Modifying Clients to Find the Repository for more information.

    Import the GPG key by running the following command:
    $ sudo rpm --import http://repo.example.com/path/to/RPM-GPG-KEY-cloudera
  5. Install the CDH Repository

    Key Trustee Server and Key HSM depend on the bigtop-utils package, which is included in the CDH repository. For instructions on adding the CDH repository, see To add the CDH repository. To create a local CDH repository, see Creating a Local Yum Repository for instructions.

  6. Install NTP
    The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems. Install and start NTP with the following commands:
    $ sudo yum install ntp
    $ sudo service ntpd start
    ## For RHEL/CentOS 7, use 'sudo systemctl start ntpd' instead ##
  7. Install Key Trustee Server
    Run the following command to install the Key Trustee Server:
    $ sudo yum install keytrustee-server

    Installing the Key Trustee Server also installs required dependencies, including PostgreSQL 9.3. After the installation completes, confirm that the PostgreSQL client tools are version 9.3 by running createuser -V; the output should read createuser (PostgreSQL) 9.3.x. Any other version indicates that a different PostgreSQL is installed on the host and must be removed before continuing.

  8. Configure Services to Start at Boot
    Ensure that ntpd, keytrustee-db, and keytrusteed start automatically at boot. The same commands work on RHEL/CentOS 7, where chkconfig still manages these SysV init scripts:
    $ sudo chkconfig ntpd on
    $ sudo chkconfig keytrustee-db on
    $ sudo chkconfig keytrusteed on

    The chkconfig command provides no output if successful.

      Note: The /etc/init.d/postgresql script does not work when the PostgreSQL database is started by Key Trustee Server, and cannot be used to monitor the status of the database. Use /etc/init.d/keytrustee-db instead.

    After installing Key Trustee Server, continue to Securing Key Trustee Server Host.

Securing Key Trustee Server Host

Cloudera strongly recommends securing the Key Trustee Server host to protect against unauthorized access to Key Trustee Server. Red Hat provides security guides for RHEL:

Cloudera also recommends configuring the Key Trustee Server host to allow network communication only over certain ports. See Ports for more information about the ports used by Cloudera Manager and CDH. The following example creates iptables rules for an EDH cluster. Each rule accepts its port from any source, so on a dedicated Key Trustee Server host remove the ports that no local service listens on and add -s <network> to the remaining rules to limit which hosts can connect. Add any other ports required by your environment, subject to your organization's security policies. The saved rules are reloaded at boot only if the iptables service is enabled (chkconfig iptables on); RHEL/CentOS 7 uses firewalld by default, so install the iptables-services package and switch to the iptables service before using this script there.
# Flush iptables
iptables -F
iptables -X

# Allow unlimited traffic on loopback (localhost) connection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established, related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open the Cloudera Manager and CDH ports. Each rule accepts the port from any source;
# on a dedicated Key Trustee Server host, drop the ports no local service listens on
# and add -s <network> to restrict the remaining ones.

iptables -A INPUT -p tcp -m tcp --dport 4867 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5678 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7180 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7182 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7183 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7184 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7185 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7186 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7187 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8020 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8084 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8086 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8087 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8091 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9994 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9995 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9996 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9998 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10101 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 19001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 50010 -j ACCEPT

# Drop all other connections
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Save iptables rules so that they're loaded if the system is restarted
sed 's/IPTABLES_SAVE_ON_STOP="no"/IPTABLES_SAVE_ON_STOP="yes"/' -i /etc/sysconfig/iptables-config
sed 's/IPTABLES_SAVE_ON_RESTART="no"/IPTABLES_SAVE_ON_RESTART="yes"/' -i /etc/sysconfig/iptables-config
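
The ruleset above accepts every listed port from any source. The script below is an added example, not Cloudera's script: it prints a least-privilege INPUT ruleset for a dedicated Key Trustee Server host in which every ACCEPT names the peer network allowed to reach that port, and it validates the addresses before emitting anything. The port roles it encodes (11371 for the Key Trustee Server HTTPS API, 11381 for its PostgreSQL replication to the HA peer, 9000 for the Cloudera Manager Agent, 22 for SSH) and the four peer arguments are assumptions to confirm against the Ports topic; IPv6 is not handled.

```shell
#!/bin/sh
# Added example (not Cloudera's script): print a least-privilege INPUT ruleset
# for a dedicated Key Trustee Server host. Nothing is applied; review the output
# and pipe it to `sh` as root.
#
# Port roles are assumptions; confirm them against the Ports topic:
#   22     SSH, from the administration network only
#   11371  Key Trustee Server HTTPS API, from the CDH cluster (Key Trustee KMS
#          hosts) and from the HA peer
#   11381  Key Trustee Server PostgreSQL, from the HA peer only (replication)
#   9000   Cloudera Manager Agent, from the Cloudera Manager Server host only

# valid_cidr A.B.C.D[/N]: succeed only for a well-formed IPv4 address or prefix.
valid_cidr() {
  addr=${1%/*}
  pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32            # bare address: treat as /32
  case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  case "$pfx"  in ''|*[!0-9]*)          return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# kts_rules ADMIN_NET CLUSTER_NET CM_SERVER HA_PEER: print the iptables commands.
# Fails without printing anything if an argument is not a valid address/CIDR.
kts_rules() {
  admin_net=$1; cluster_net=$2; cm_server=$3; ha_peer=$4
  for a in "$admin_net" "$cluster_net" "$cm_server" "$ha_peer"; do
    valid_cidr "$a" || { echo "kts_rules: bad address or CIDR: '$a'" >&2; return 1; }
  done
  cat <<EOF
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Every ACCEPT names a source; a port with no rule is unreachable.
iptables -A INPUT -s $admin_net -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s $cluster_net -p tcp --dport 11371 -j ACCEPT
iptables -A INPUT -s $ha_peer -p tcp --dport 11371 -j ACCEPT
iptables -A INPUT -s $ha_peer -p tcp --dport 11381 -j ACCEPT
iptables -A INPUT -s $cm_server -p tcp --dport 9000 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Usage (as root, after reviewing the printed rules; networks are examples):
#   kts_rules 10.1.0.0/24 10.20.0.0/16 10.1.0.10 10.20.0.11 | sh -e && service iptables save
```

Run kts_rules with your own networks, read the output, then pipe it to sh as root and run service iptables save so the rules are restored at boot. Because the default policy is DROP and every ACCEPT carries a source, adding a port means adding exactly one line naming the peer that needs it.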

Leveraging Native Processor Instruction Sets

AES-NI

The Advanced Encryption Standard New Instructions (AES-NI) instruction set accelerates AES encryption and decryption in hardware. Most current processors provide it, but it can be disabled per host in firmware or masked by a hypervisor, so check each server. To verify that AES-NI is available on a host, look for the aes flag in /proc/cpuinfo (the command prints one match per logical CPU):
$ grep -o aes /proc/cpuinfo
To determine whether the AES-NI kernel module is loaded, run the following command:
$ sudo lsmod | grep aesni

If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel module.

Intel RDRAND

The Intel RDRAND instruction, backed by the processor's Digital Random Number Generator (DRNG), is a hardware entropy source. Feeding it into the kernel entropy pool with rngd keeps /dev/random from blocking while keys are generated, without relying on haveged.

To determine whether the CPU supports RDRAND, run the following command:
$ grep -o rdrand /proc/cpuinfo
To enable RDRAND, install rng-tools version 4 or higher. Check first whether your distribution's rng-tools package is already version 4 or later; the source archive below is downloaded over plain HTTP, so compare its checksum with a copy obtained through a trusted channel before building it.
  1. Download the source code:
    $ sudo wget http://downloads.sourceforge.net/project/gkernel/rng-tools/4/rng-tools-4.tar.gz
  2. Extract the source code:
    $ tar xvfz rng-tools-4.tar.gz
  3. Enter the rng-tools-4 directory:
    $ cd rng-tools-4
  4. Configure, build, and install:
    $ ./configure
    $ make
    $ sudo make install
Start rngd with the following command:
$ sudo rngd --no-tpm=1 -o /dev/random
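
The PostgreSQL version check in step 7 of the command-line installation and the CPU flag and kernel module checks in this section are easy to get subtly wrong: grep -o aes also matches any longer flag that contains the string aes, and a createuser binary from another PostgreSQL build reports a different version. The script below is an added example, not part of Cloudera's documentation. Each check parses the text of a command's output, so it can be run against captured output; a constructed sample of /proc/cpuinfo and lsmod output is embedded so the parsers can be exercised offline, and kts_host_check runs them against the live host. The sample values and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Cloudera's code): post-install checks for a Key Trustee
# Server host. Each check parses the text of a command's output, which makes it
# usable against captured output; kts_host_check runs the real commands.

# pg_version_ok "<createuser -V output>": true only for PostgreSQL 9.3.x, the
# sole version this Key Trustee Server release supports.
pg_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^createuser (PostgreSQL) \([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p')
  [ "$ver" = "9.3" ]
}

# cpu_flag_present FLAG "<cpuinfo text>": match FLAG as a whole word on a
# "flags" line only, so a longer flag containing FLAG does not count.
cpu_flag_present() {
  printf '%s\n' "$2" | grep -E '^flags[[:space:]]*:' | grep -qw -- "$1"
}

# module_loaded NAME "<lsmod output>": true if NAME is the first field of a row
# (the first line of lsmod output is a header and is skipped).
module_loaded() {
  printf '%s\n' "$2" | awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Constructed sample output (not captured from a real host) to exercise the
# checks offline.
SAMPLE_CPUINFO='processor       : 0
model name      : Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
flags           : fpu vme de pse msr pae aes xsave avx f16c rdrand hypervisor lahf_lm
processor       : 1
model name      : Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz
flags           : fpu vme de pse msr pae aes xsave avx f16c rdrand hypervisor lahf_lm'
SAMPLE_LSMOD='Module                  Size  Used by
aesni_intel            69884  0
ablk_helper            13597  1 aesni_intel'

# kts_host_check: run the checks on the live host. The PostgreSQL version is a
# hard requirement (exit status 1 if it fails); missing AES-NI or RDRAND is
# reported as a warning because Key Trustee Server still works without them.
kts_host_check() {
  rc=0
  if pg_version_ok "$(createuser -V 2>/dev/null)"; then
    echo "ok: PostgreSQL client tools are 9.3"
  else
    echo "FAIL: createuser -V does not report PostgreSQL 9.3"; rc=1
  fi
  cpuinfo=$(cat /proc/cpuinfo)
  for f in aes rdrand; do
    if cpu_flag_present "$f" "$cpuinfo"; then echo "ok: cpu flag $f"; else echo "warn: cpu flag $f absent"; fi
  done
  if module_loaded aesni_intel "$(lsmod)"; then echo "ok: aesni_intel loaded"; else echo "warn: aesni_intel not loaded"; fi
  return $rc
}
```

Source the file and run kts_host_check on the Key Trustee Server host after step 8; a non-zero exit means the PostgreSQL version is wrong, while the AES-NI and RDRAND lines tell you whether the hardware acceleration described above is actually in effect.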

Initializing Key Trustee Server

After installing Key Trustee Server, you must initialize it before it is operational. Continue to Initializing Standalone Key Trustee Server or Cloudera Navigator Key Trustee Server High Availability for instructions.

Page generated July 8, 2016.