Product Compatibility Matrix for KTS and Key HSM

Learn about the recommended hardware and supported distributions for Key Trustee Server and Navigator Key HSM.

Key Trustee Server

Because of a change in the ports used by Key Trustee Server, Navigator Encrypt versions lower than 3.7 and Ranger KMS versions lower than 5.4 are not supported in Key Trustee Server 5.4 and higher.

Recommended Hardware and Supported Distributions

Key Trustee Server must be installed on a dedicated server or virtual machine (VM) that is not used for any other purpose. The backing PostgreSQL database must be installed on the same host as the Key Trustee Server, and must not be shared with any other services. For high availability, the active and passive Key Trustee Servers must not share physical resources.

The recommended minimum hardware specifications are as follows:

Processor: 1 GHz 64-bit quad core
Memory: 8 GB RAM
Storage: 20 GB on moderate- to high-performance disk drives

Table 1. Cloudera Navigator Key Trustee Server Compatibility Matrix
Cloudera Navigator Key Trustee Server Version	Supported Operating Systems	Lowest Supported Cloudera Manager Version	Lowest Supported Cloudera Navigator Key HSM Versions	Supported Ranger KMS Versions	Supported Cloudera Navigator Encrypt Versions
7.1.9	RHEL and CentOS: 8.8, 8.8 with FIPS, 8.6, 8.4, 8.2, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8 Oracle Linux: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8	7.x	7.x	7.x	7.x
7.x	RHEL and CentOS: 8.6, 8.4, 8.2, 7.9, 7.8, 7.7, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8 ( RHEL and CentOS 8.6 is supported only for 7.1.8) ( RHEL and CentOS 8.4 , 8.2 are supported only for versions 7.1.7 and higher.) Oracle Linux:** 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8	7.x	7.x	7.x	7.x

Cloudera Navigator Key HSM

Cloudera Navigator Key HSM must be installed on the same host as Key Trustee Server. Although Key HSM is compatible across all versions of Key Trustee Server, Cloudera strongly recommends also upgrading Key HSM after you upgrade Key Trustee Server. See Installing Cloudera Navigator Key HSM and Upgrading Cloudera Navigator Key HSM for more information.

Recommended Hardware and Supported Distributions

The following are prerequisites for installing Navigator Key HSM:

Oracle Java Runtime Environment (JRE) 8 or higher with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
- JCE for Java SE 8
  note
  JDK 1.8u161 and higher enable unlimited strength encryption by default, and do not require policy files.
- OpenJDK 11
  note
  The Thales JCE libraries do not support Java 11, so running Key HSM with Thales on OpenJDK 11 is unsupported.
A supported HSM device:
- Thales (formerly Safenet) Luna
  - v6
    - HSM firmware version: 6.2.1
    - HSM software version: 5.2.3-1
  - v7
    - HSM firmware version: 7.0.3
    - HSM software version: 7.2.0
- SafeNet KeySecure
  - HSM firmware version: 6.2.1
  - HSM software version: 8.0.1, 8.1.0, 8.7.0
- Thales nSolo, nConnect
  - HSM firmware version: 11.4.0
  - Client software version: 2.28.9cam136
  note
  Thales Key HSM is unsupported because the Thales client Java libraries do not support Java 11.
- AWS CloudHSM
  - Client software version: 1.1.1
Key Trustee Server 3.8 or higher
important
You must install Key HSM on the same host as Key Trustee Server.

Root access is required to install Navigator Key HSM.

Table 2. Cloudera Navigator Key HSM Compatibility Matrix
Cloudera Navigator Key HSM Version	Supported Operating Systems	Lowest Supported Key Trustee Server Version
7.x	RHEL and CentOS: 8.6, 8.4, 8.2, 7.9, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8 ( RHEL and CentOS 8.6 is supported only for 7.1.8) (** RHEL and CentOS 8.4 , 8.2 are supported only for versions 7.1.7 and higher.)	7.x