Installing Cloudera Navigator Key Trustee Server

You can install Navigator Key Trustee Server using Cloudera Manager with parcels and a Custom Service Descriptor (CSD) or using the command line with packages. See Parcels for more information on parcels, and Custom Service Descriptor Files for more information on CSDs.


See Data at Rest Encryption Requirements for more information about encryption and Key Trustee Server requirements.

Installing Key Trustee Server

Installing Key Trustee Server Using Cloudera Manager

  1. (Recommended) Create a new cluster in Cloudera Manager containing only the hosts Key Trustee Server will be installed on. Cloudera strongly recommends installing Key Trustee Server in a dedicated cluster to enable multiple clusters to share the same Key Trustee Server and to avoid restarting the Key Trustee Server when restarting a cluster. See Adding and Deleting Clusters for instructions on how to create a new cluster in Cloudera Manager.
  2. Download the Key Trustee Server CSD from the following location:

    Replace <username> and <password> with your credentials. If you do not know your credentials, contact your Cloudera account team.

  3. Install the CSD into Cloudera Manager as instructed in Custom Service Descriptor Files. The CSD can only be installed on parcel-deployed clusters.
  4. Add the following parcel repository to Cloudera Manager following the instructions in Configuring Cloudera Manager Server Parcel Settings:

    Replace <username> and <password> with your credentials. If you do not know your credentials, contact Cloudera Support or your Cloudera account team.

  5. Download, distribute, and activate the Key Trustee Server parcel on the cluster containing the Key Trustee Server host, following the instructions in Managing Parcels. After you activate the Key Trustee Server parcel, Cloudera Manager prompts you to restart the cluster. Click the Close button to ignore this prompt. You do not need to restart the cluster after installing Key Trustee Server.

After installing Key Trustee Server using Cloudera Manager, continue to Securing Key Trustee Server Host.

Installing Key Trustee Server Using the Command Line

  1. Install the EPEL Repository
    Dependent packages are available through the Extra Packages for Enterprise Linux (EPEL) repository. To install the EPEL repository, install the epel-release package:
    1. Copy the URL for the epel-release-<version>.noarch file for RHEL 6 located in the How can I use these extra packages? section of the EPEL wiki page.
    2. Run the following commands to install the EPEL repository:
      $ sudo wget <epel_rpm_url>
      $ sudo yum install epel-release-<version>.noarch.rpm

      Replace <version> with the version number of the downloaded RPM (for example, 6-8).

    If the epel-release package is already installed, you see a message similar to the following:
    Examining /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: epel-release-6-8.noarch
    /var/tmp/yum-root-jmZhL0/epel-release-6-8.noarch.rpm: does not update installed package.
    Error: Nothing to do
    Confirm that the EPEL repository is installed:
    $ sudo yum repolist | grep -i epel
  2. Install the PostgreSQL 9.3 Repository
    To install the PostgreSQL 9.3 repository, run the following command:
    $ sudo yum install
  3. Install the Cloudera Repository
    Create or edit the /etc/yum.repos.d/gazzang.repo file (for example, sudo vi /etc/yum.repos.d/gazzang.repo) and add the following text. Replace USER and PASSWD with the username and password provided by Cloudera. If you do not know your username or password, contact your Cloudera account team.
    name=RHEL $releasever - - base
    Import the GPG key by running the following command:
    $ sudo rpm --import
  4. Install NTP
    The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable events are consistent across systems. Install and start NTP with the following commands:
    $ sudo yum install ntp
    $ sudo service ntpd start
  5. Install Key Trustee Server
    Run the following command to install the Key Trustee Server:
    $ sudo yum install keytrustee-server

    Installing the Key Trustee Server also installs required dependencies, including PostgreSQL 9.3. After the installation completes, confirm that the PostgreSQL version is 9.3 by running the command createuser -V.

  6. Configure Services to Start at Boot
    Ensure that ntpd and keytrusteed start automatically at boot:
    $ sudo chkconfig --level 235 ntpd on
    $ sudo chkconfig --level 235 keytrusteed on

    The chkconfig command provides no output if successful.

    After installing Key Trustee Server, continue to Securing Key Trustee Server Host.

Securing Key Trustee Server Host

Cloudera strongly recommends securing the Key Trustee Server host to protect against unauthorized access to Key Trustee Server. Red Hat provides a security guide for RHEL: Cloudera also recommends configuring the Key Trustee Server host to allow network communication only over certain ports.
You can use the following examples to create iptables rules for an EDH cluster. Add any other ports required by your environment, subject to your organization security policies. Note that in this example port 5432 is the database port for the Key Trustee database on legacy machines (prior to release 5.5). Port 11371 is the current port on which Key Trustee communicates, and port 11381 is the database port. Exercise caution if blocking other ports, as this can cause a disruption in service. See Ports Used by Cloudera Manager and Cloudera Navigator for details about ports used with the Key Trustee Server.
# Flush iptables
iptables -F
iptables -X

# Allow unlimited traffic on loopback (localhost) connection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established, related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open all Cloudera Manager ports to allow Key Trustee Server to work properly

iptables -A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11371 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 11381 -j ACCEPT

# Drop all other connections
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Save iptables rules so that they're loaded if the system is restarted
sed 's/IPTABLES_SAVE_ON_STOP="no"/IPTABLES_SAVE_ON_STOP="yes"/' -i /etc/sysconfig/iptables-config
sed 's/IPTABLES_SAVE_ON_RESTART="no"/IPTABLES_SAVE_ON_RESTART="yes"/' -i /etc/sysconfig/iptables-config

Leveraging Native Processor Instruction Sets


The Advanced Encryption Standard New Instructions (AES-NI) instruction set is designed to improve the speed of encryption and decryption using AES. Some newer processors come with AES-NI, which can be enabled on a per-server basis. If you are uncertain whether AES-NI is available on a device, run the following command to verify:
$ grep -o aes /proc/cpuinfo
To determine whether the AES-NI kernel module is loaded, run the following command:
$ sudo lsmod | grep aesni

If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel module.


The Intel RDRAND instruction set, along with its underlying Digital Random Number Generator (DRNG), is useful for generating keys for cryptographic protocols without using haveged.

To determine whether the CPU supports RDRAND, run the following command:
$ grep -o rdrand /proc/cpuinfo
To enable RDRAND, install rng-tools version 4 or higher:
  1. Download the source code:
    $ sudo wget
  2. Extract the source code:
    tar xvfz rng-tools-4.tar.gz
  3. Enter the rng-tools-4 directory:
    $ cd rng-tools-4
  4. Run ./configure.
  5. Run make.
  6. Run make install.
Start rngd with the following command:
$ sudo rngd --no-tpm=1 -o /dev/random

Initializing Key Trustee Server

After installing Key Trustee Server, you must initialize it before it is operational. Continue to Initializing Standalone Key Trustee Server or Cloudera Navigator Key Trustee Server High Availability for instructions.