Key Trustee Server System Requirements
Recommended Hardware and Supported Distributions
Key Trustee Server must be installed on a dedicated server or virtual machine (VM) that is not used for any other purpose. The backing PostgreSQL database must be installed on the same host as the Key Trustee Server, and must not be shared with any other services. For high availability, the active and passive Key Trustee Servers must not share physical resources.
The recommended minimum hardware specifications are as follows:
- Processor: 1 GHz 64-bit quad core
- Memory: 8 GB RAM
- Storage: 20 GB on moderate- to high-performance disk drives
Cloudera Manager Requirements
Installing and managing Key Trustee Server using Cloudera Manager requires Cloudera Manager 7.0.0 and higher. Key Trustee Server does not require Cloudera Navigator Audit Server or Metadata Server.
umask Requirements
Key Trustee Server installation requires the default umask
of
0022
.
Network Requirements
For new Key Trustee Server installations (5.4.0 and higher) and migrated upgrades, Key Trustee Server requires the following TCP ports to be opened for inbound traffic:
- 11371
Clients connect to this port over HTTPS.
- 11381 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
For upgrades that are not migrated to the CherryPy web server, the pre-upgrade port settings are preserved:
- 80
Clients connect to this port over HTTP to obtain the Key Trustee Server public key.
- 443 (HTTPS)
Clients connect to this port over HTTPS.
- 5432 (PostgreSQL)
The passive Key Trustee Server connects to this port for database replication.
TLS Certificate Requirements
To ensure secure network traffic, Cloudera recommends obtaining Transport Layer Security (TLS) certificates specific to the hostname of your Key Trustee Server. To obtain the certificate, generate a Certificate Signing Request (CSR) for the fully qualified domain name (FQDN) of the Key Trustee Server host. The CSR must be signed by a trusted Certificate Authority (CA). After the certificate has been verified and signed by the CA, the Key Trustee Server TLS configuration requires:
- The CA-signed certificate
- The private key used to generate the original CSR
- The intermediate certificate/chain file (provided by the CA)
Cloudera recommends not using self-signed certificates. If you use self-signed
certificates, you must use the --skip-ssl-check
parameter when registering
Navigator Encrypt with the Key Trustee Server. This skips TLS hostname validation, which
safeguards against certain network-level attacks.