Installing Key Trustee Server using Cloudera Manager

If you are installing Navigator Key Trustee Server (KTS) for use with HDFS Transparent Encryption, the Set up HDFS Data At Rest Encryption wizard installs and configures KTS.

Navigator KTS requires Python 2.7. RHEL 9 does not ship Python 2.7 or the corresponding Python 2.7 packages, including virtualenv, so you must install Python 2.7 yourself in the location given below, which KTS uses. Do not change the paths in the following steps: they are hardcoded, and any change might cause the installation to fail. This is required only on the KTS cluster hosts, not on the CDP cluster where the other services are installed.
  1. Install Crontabs manually as they are not present in RHEL 9 by default:
    dnf install -y crontabs
  2. Install the zlib package before installing Python 2.7:
    dnf install zlib-devel
  3. Run the following commands to build and install Python 2.7.16 under /usr/local/custom_py_2.7.16:
    mkdir /usr/local/custom_py_2.7.16
    wget http://www.python.org/ftp/python/2.7.16/Python-2.7.16.tar.xz
    xz -df Python-2.7.16.tar.xz
    tar -xvf Python-2.7.16.tar
    cd Python-2.7.16
    ./configure --prefix=/usr/local/custom_py_2.7.16 --with-threads
    make
    make install
    cd ..
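A preflight check for the RHEL 9 prerequisites above, as an added example that is not part of Cloudera's documentation or of the KTS product: each check takes its input (the /etc/os-release text, an rpm -qa listing, the interpreter path and version output) as an argument so it can be exercised offline, which is an assumption of this example, and preflight_live feeds in the real host values.

```shell
#!/bin/sh
# Preflight check for a Key Trustee Server host on RHEL 9 (added example, not Cloudera code).
# Assumption: each check takes its input as an argument so it can run offline;
# preflight_live feeds the real host values in.

PY_PREFIX=/usr/local/custom_py_2.7.16   # hardcoded prefix expected by KTS

# os_field KEY "<contents of /etc/os-release>": print KEY's value without quotes.
os_field() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"'
}

# True when the host is RHEL 9, the release that ships no Python 2.7 packages.
is_rhel9() {
  [ "$(os_field ID "$1")" = "rhel" ] && [ "$(os_field VERSION_ID "$1" | cut -d. -f1)" = "9" ]
}

# Print each prerequisite package missing from an `rpm -qa` listing, one per line.
missing_packages() {
  for pkg in crontabs zlib-devel; do
    printf '%s\n' "$1" | grep -q "^$pkg-" || printf '%s\n' "$pkg"
  done
}

# True when an interpreter path sits under the hardcoded prefix.
python_path_ok() {
  case "$1" in "$PY_PREFIX"/bin/python*) return 0 ;; *) return 1 ;; esac
}

# True when `python --version` output names a 2.7.x release.
python_version_ok() {
  case "$1" in "Python 2.7."*) return 0 ;; *) return 1 ;; esac
}

# Run all checks against the real host (run as root on the KTS host).
preflight_live() {
  if ! is_rhel9 "$(cat /etc/os-release)"; then
    echo "not RHEL 9: the custom Python 2.7 build is not required"; return 0
  fi
  missing=$(missing_packages "$(rpm -qa)")
  [ -z "$missing" ] || { echo "missing packages: $missing"; return 1; }
  py="$PY_PREFIX/bin/python2.7"
  python_path_ok "$py" && [ -x "$py" ] || { echo "no interpreter at $py"; return 1; }
  # Python 2 prints its version on stderr, hence 2>&1.
  python_version_ok "$("$py" --version 2>&1)" || { echo "unexpected version at $py"; return 1; }
  echo "preflight OK"
}
```

Source the file and call preflight_live on the KTS host after step 3; a non-zero return means a prerequisite is missing or the interpreter is not where KTS expects it.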
Then install Key Trustee Server itself:
  1. (Recommended) Create a new cluster in Cloudera Manager containing only the host that Key Trustee Server will be installed on. Cloudera recommends that each cluster use its own KTS instance. Although sharing a single KTS across clusters is technically possible, it is neither approved nor supported for security reasons, specifically the increased risk of a single point of failure for the encryption keys used by multiple clusters. For a better understanding of the additional security reasons for this recommendation, see Data at Rest Encryption Reference Architecture.
  2. Download the latest Key Trustee Server parcel from the Cloudera.com/downloads page. From CDP Private Cloud Base 7.1.6, the KEYTRUSTEE_SERVER parcel is available in the same location as the Cloudera Runtime parcel. If you have configured the parcel repository for the CDP Private Cloud Base upgrade, the KEYTRUSTEE_SERVER parcel is displayed automatically.
  3. Follow the steps in Using a Local Parcel Repository to register the local parcel with Cloudera Manager.
  4. On the Key Trustee Server cluster home page, click the More Options (ellipsis) icon, then click Add Service.
  5. Select Key Trustee Server, then click Continue.
  6. Use the Add Key Trustee Server Service wizard to install Key Trustee Server.
  7. Key Trustee Server appears in the cluster components list.
After installing Key Trustee Server using Cloudera Manager, continue to Securing Key Trustee Server Host.