Securing Key Trustee Server Host
Cloudera strongly recommends securing the Key Trustee Server host to protect against unauthorized access to Key Trustee Server. Red Hat provides security guides for RHEL 7.
Cloudera also recommends configuring the Key Trustee Server host to allow network communication only over certain ports.
You can use the following example to create iptables rules for an EDH cluster. Add any other ports required by your environment, subject to your organization's security policies. In this example, port 5432 is the database port for the Key Trustee database on legacy machines (prior to release 5.5). Port 11371 is the current port on which Key Trustee communicates, and port 11381 is the database port. Exercise caution if blocking other ports, as this can cause a disruption in service. Note in particular that the example flushes all existing rules and does not open TCP port 22: if you apply it over SSH, your current session survives because of the ESTABLISHED,RELATED rule, but new SSH connections are dropped once the INPUT policy is set to DROP, so add a rule for your administrative access ports before running it.

# Flush iptables
iptables -F
iptables -X
# Allow unlimited traffic on loopback (localhost) connection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established, related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the Key Trustee Server ports: legacy database (5432), Key Trustee service (11371), current database (11381)
iptables -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT
# Drop all other connections
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Save iptables rules so that they're loaded if the system is restarted. These options make the
# iptables service write the running rules to /etc/sysconfig/iptables when it stops or restarts;
# on RHEL 7 they require the iptables-services package, which provides /etc/sysconfig/iptables-config.
sed 's/IPTABLES_SAVE_ON_STOP="no"/IPTABLES_SAVE_ON_STOP="yes"/' -i /etc/sysconfig/iptables-config
sed 's/IPTABLES_SAVE_ON_RESTART="no"/IPTABLES_SAVE_ON_RESTART="yes"/' -i /etc/sysconfig/iptables-config
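After loading the rules, confirm that the live ruleset is actually what you intended, especially on hosts where configuration management or other tooling also edits iptables. The script below is an added example and is not part of the Cloudera documentation: it reads an `iptables-save` dump (a constructed sample is embedded so it runs offline), checks that the INPUT chain's default policy is DROP, and compares the set of TCP destination ports the INPUT chain accepts against the ports you expect. The function names and the sample dump are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Cloudera documentation): audit an iptables-save
# dump and confirm the INPUT chain matches the intended Key Trustee Server ruleset.

# Constructed sample of what `iptables-save` prints after the rules above are
# loaded. On a live host, replace it with "$(iptables-save)".
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# input_policy DUMP: print the default policy of the INPUT chain (DROP or ACCEPT).
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# open_tcp_ports DUMP: print each TCP --dport that the INPUT chain ACCEPTs,
# one per line, numerically sorted.
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n
}

# audit_ruleset DUMP "PORT PORT ...": print OK and return 0 when the INPUT
# policy is DROP and exactly the listed TCP ports are accepted; otherwise
# print the deviation and return 1.
audit_ruleset() {
    dump=$1
    policy=$(input_policy "$dump")
    if [ "$policy" != "DROP" ]; then
        echo "FAIL: INPUT policy is ${policy:-unset}, expected DROP"
        return 1
    fi
    actual=$(open_tcp_ports "$dump" | tr '\n' ' ' | sed 's/ $//')
    # $2 is deliberately unquoted so the space-separated port list splits into words.
    want=$(printf '%s\n' $2 | sort -n | tr '\n' ' ' | sed 's/ $//')
    if [ "$actual" != "$want" ]; then
        echo "FAIL: accepted TCP ports [$actual] differ from expected [$want]"
        return 1
    fi
    echo "OK"
}

# Check the constructed dump against the three ports the page opens. On a host
# that also needs SSH, pass "22 5432 11371 11381" instead.
audit_ruleset "$SAMPLE_DUMP" "5432 11371 11381"
```

Run it as `audit_ruleset "$(iptables-save)" "5432 11371 11381"` from a cron job or a configuration-management check; a non-zero exit means either the default policy has been relaxed or a port has been opened (or closed) that the expected list does not contain.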