Product Compatibility Matrix for Cloudera Navigator Encryption

Cloudera Navigator encryption comprises several components.

See below for the individual compatibility matrices for each component:

Cloudera Navigator Key Trustee Server

Because of a change in the ports used by Key Trustee Server, Navigator Encrypt versions lower than 3.7 and Key Trustee KMS versions lower than 5.4 are not supported in Key Trustee Server 5.4 and higher.

Key Trustee Server: Recommended Hardware and Supported Distributions

Recommended Hardware and Supported Distributions

Key Trustee Server must be installed on a dedicated server or virtual machine (VM) that is not used for any other purpose. The backing PostgreSQL database must be installed on the same host as the Key Trustee Server, and must not be shared with any other services. For high availability, the active and passive Key Trustee Servers must not share physical resources.

The recommended minimum hardware specifications are as follows:

  • Processor: 1 GHz 64-bit quad core
  • Memory: 8 GB RAM
  • Storage: 20 GB on moderate- to high-performance disk drives
Table 1. Cloudera Navigator Key Trustee Server Compatibility Matrix
Cloudera Navigator Key Trustee Server Version Supported Operating Systems Lowest Supported Cloudera Manager Version Lowest Supported Cloudera Navigator Key HSM Versions Supported Ranger KMS Versions Supported Cloudera Navigator Encrypt Versions
7.x
  • RHEL and CentOS: 7.9, 7.8, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
7.x 7.x 7.x 7.x
6.1.x
  • RHEL and CentOS: 7.9, 7.8, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.1.x 6.1.x N/A 6.0.x, 6.1.x
6.0.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.9, 6.8
  • Oracle Linux: 7.4, 7.3, 7.2, 6.9, 6.8
6.0.x 6.0.x N/A 6.0.x

Ranger KMS

Ranger KMS can be installed with either Key Trustee Server or a separate database as the backing keystore.

Ranger KMS: Recommended Hardware and Supported Distributions

Recommended Hardware and Supported Distributions

Ranger KMS with Key Trustee Server must be installed on a separate host than Key Trustee Server.

The recommended minimum hardware specifications are as follows:

  • Processor: 1 GHz 64-bit quad core
  • Memory: 8 GB RAM
  • Storage: 20 GB on moderate- to high-performance disk drives
Table 2. Ranger KMS Compatibility Matrix
Ranger KMS Version Supported Operating Systems Supported Key Trustee Server Versions Lowest Supported Cloudera Manager Version Supported CDH Versions
7.x
  • RHEL and CentOS: 7.9, 7.8, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
7.x 7.x 7.x

Cloudera Navigator HSM KMS

Navigator HSM KMS: Recommended Hardware and Supported Distributions

The recommended minimum hardware specifications are as follows:

  • Processor: 2 GHz 64-bit quad core
  • Memory: 16 GB RAM
  • Storage: 40 GB on moderate- to high-performance disk drives

Supported HSM devices:

  • SafeNet Luna
    • HSM software version: 6.2.2-5
    • HSM firmware version: 6.10.9
    • Client: 6.2.2
  • Thales nSolo, nConnect
    • Server version: 3.67.11cam4
    • Firmware: 2.65.2
    • Security World Version: 12.30
Table 3. HSM KMS Compatibility Matrix
HSM KMS Version Supported Operating Systems Lowest Supported Cloudera Manager Version Supported CDH Versions
6.3.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.3.x 6.3.x, 6.2.x, 6.1.x, 6.0.x
6.2.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.2.x 6.2.x, 6.1.x, 6.0.x
6.1.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.1.x 6.1.x, 6.0.x
6.0.x
  • RHEL and CentOS: 7.5, 7.4, 7.3, 7.2, 6.9, 6.8
6.0.x 6.0.x

Cloudera Navigator Key HSM

Cloudera Navigator Key HSM must be installed on the same host as Key Trustee Server. Although Key HSM is compatible across all versions of Key Trustee Server, Cloudera strongly recommends also upgrading Key HSM after you upgrade Key Trustee Server. See Installing Cloudera Navigator Key HSM and Upgrading Cloudera Navigator Key HSM for more information.

Key HSM: Recommended Hardware and Supported Distributions

The following are prerequisites for installing Navigator Key HSM:

  • Oracle Java Runtime Environment (JRE) 8 or higher with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
    • JCE for Java SE 8
    • OpenJDK 11
  • A supported HSM device:
    • Thales (formerly Safenet) Luna
      • v6
        • HSM firmware version: 6.2.1
        • HSM software version: 5.2.3-1
      • v7
        • HSM firmware version: 7.0.3
        • HSM software version: 7.2.0
    • SafeNet KeySecure
      • HSM firmware version: 6.2.1
      • HSM software version: 8.0.1, 8.1.0, 8.7.0
    • Thales nSolo, nConnect
      • HSM firmware version: 11.4.0
      • Client software version: 2.28.9cam136
    • AWS CloudHSM
      • Client software version: 1.1.1
  • Key Trustee Server 3.8 or higher

Root access is required to install Navigator Key HSM.

Table 4. Cloudera Navigator Key HSM Compatibility Matrix
Cloudera Navigator Key HSM Version Supported Operating Systems Lowest Supported Key Trustee Server Version
7.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
7.x
6.3.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.1.x, 6.0.x
6.1.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
6.1.x, 6.0.x
6.0.x
  • RHEL and CentOS: 7.6, 7.5, 7.4, 7.3, 7.2, 6.9, 6.8
6.0.x

Cloudera Navigator Encrypt

Supported command-line interpreters:

  • sh (Bourne)
  • bash (Bash)
  • dash (Ubuntu)

Network Requirements

For new Navigator Key Trustee Server installations, Navigator Encrypt initiates TCP traffic over port 11371 (HTTPS) to the Key Trustee Server.

For upgrades, Navigator Encrypt initiates TCP traffic over ports 80 (HTTP) and 443 (HTTPS) to the Navigator Key Trustee Server.

Internet Access

You must have an active connection to the Internet to download many package dependencies, unless you have internal repositories or mirrors containing the dependent packages.

Maintenance Window

Data is not accessible during the encryption process. Plan for system downtime during installation and configuration.

Administrative Access

To enforce a high level of security, all Navigator Encrypt commands require administrative (root) access (including installation and configuration). If you do not have administrative privileges on your server, contact your system administrator before proceeding.

Package Dependencies

Navigator Encrypt requires these packages, which are resolved by your distribution package manager during installation:

  • dkms
  • keyutils
  • ecryptfs-utils
  • libkeytrustee
  • navencrypt-kernel-module
  • openssl
  • lsof
  • gcc
  • cryptsetup

These packages may have other dependencies that are also resolved by your package manager. Installation works with gcc, gcc3, and gcc4.

Table 5. Cloudera Navigator Encrypt Compatibility Matrix
Cloudera Navigator Encrypt Version Supported Operating Systems Supported Key Trustee Server Versions
7.x
  • RHEL and CentOS: 7.8*, 7.7*, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux:7.7*, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • SLES: 12 SP2, SP3, SP4
  • Ubuntu: 16.04 LTS (Xenial), 18 (Bionic)
7.x
6.2.x
  • RHEL and CentOS: 7.8*, 7.7*, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux:7.7*, 7.6, 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • SLES: 12 SP2, SP3
  • Ubuntu: 16.04 LTS (Xenial), 18 (Bionic)

6.2.x, 6.1.x, 6.0.x

* Navigator Encrypt 6.2.1 only

6.1.x
  • RHEL and CentOS: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • Oracle Linux: 7.5, 7.4, 7.3, 7.2, 6.10, 6.9, 6.8
  • SLES: 12 SP2, SP3
  • Ubuntu: 16.04 LTS (Xenial)
6.1.x, 6.0.x
6.0.x
  • RHEL and CentOS: 7.5, 7.4, 7.3, 7.2, 6.9, 6.8
  • Oracle Linux: 7.4, 7.3, 7.2, 6.9, 6.8
  • SLES: 12 SP2, SP3
  • Ubuntu: 16.04 LTS (Xenial)
6.0.x

HSM Support

Table 6. CDP Private Cloud Base 7.x
Luna v6 Luna v7 SafeNet KeySecure nCipher nSolo/nConnect AWS CloudHSM
Ranger KMS

HSM Software Version: 6.1.0-5

HSM Firmware: 6.23.0

Luna Client: 6.1

Key HSM

HSM firmware version: 6.2.1

HSM software version: 5.2.3-1

HSM firmware version: 7.0.3

HSM software version: 7.2.0

HSM firmware version: 6.2.1

HSM software version: 8.0.1, 8.1.0, 8.7.0

HSM firmware version: 11.4.0

Client software version: 2.28.9cam136

Client software version: 1.1.1
HSM KMS Service deprecated N/A N/A N/A N/A
Table 7. CDH 6.3
Luna v6 Luna v7 SafeNet KeySecure nCipher nSolo/nConnect AWS CloudHSM
Key HSM

HSM firmware version: 6.2.1

HSM software version: 5.2.3-1

HSM firmware version: 7.0.3

HSM software version: 7.2.0

HSM firmware version: 6.2.1

HSM software version: 8.0.1, 8.1.0, 8.7.0

HSM firmware version: 11.4.0

Client software version: 2.28.9cam136

Client software version: 1.1.1
HSM KMS

HSM software version: 6.2.2-5

HSM firmware version: 6.10.9

Client: 6.2.2

Server version: 3.67.11cam4

Firmware: 2.65.2

Security World Version: 12.30
Table 8. HDP 3.1
Luna v6 Luna v7 SafeNet KeySecure nCipher nSolo/nConnect AWS CloudHSM
Ranger KMS

HSM Software Version: 5.3.5-1

HSM Firmware: 6.10.9

Luna Client: 5.3.0-11

HSM Software Version: 6.1.0-5

HSM Firmware: 6.23.0

Luna Client: 6.1

Table 9. HDP 2.6.5
Luna v6 Luna v7 SafeNet KeySecure nCipher nSolo/nConnect AWS CloudHSM
Ranger KMS

HSM Software Version: 6.1.0-5

HSM Firmware: 6.23.0

Luna Client: 6.1