Securing Key Trustee Server Host
Cloudera strongly recommends securing the Key Trustee Server host to protect against unauthorized access to Key Trustee Server. Red Hat provides security guides for RHEL 7.
Cloudera also recommends configuring the Key Trustee Server host to allow network communication only over certain ports.
You can use the following examples to create
iptablesrules for an EDH cluster. Add any other ports required by your environment, subject to your organization security policies. Note that in this example port 5432 is the database port for the Key Trustee database on legacy machines (prior to release 5.5). Port 11371 is the current port on which Key Trustee communicates, and port 11381 is the database port. Exercise caution if blocking other ports, as this can cause a disruption in service.
# Flush iptables iptables -F iptables -X # Allow unlimited traffic on loopback (localhost) connection iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow established, related connections iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Open all Cloudera Manager ports to allow Key Trustee Server to work properly iptables -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT # Drop all other connections iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP # Save iptables rules so that they're loaded if the system is restarted sed 's/IPTABLES_SAVE_ON_STOP="no"/IPTABLES_SAVE_ON_STOP="yes"/' -i /etc/sysconfig/iptables-config sed 's/IPTABLES_SAVE_ON_RESTART="no"/IPTABLES_SAVE_ON_RESTART="yes"/' -i /etc/sysconfig/iptables-config