Initializing Standalone Key Trustee Server

If you are configuring high availability Key Trustee Server, skip this step and proceed to Cloudera Navigator Key Trustee Server High Availability. Cloudera strongly recommends configuring high availability for Key Trustee Server.

Initializing Standalone Key Trustee Server Using Cloudera Manager

For new installations, use the Set up HDFS Data At Rest Encryption wizard and follow the instructions in Enabling HDFS Encryption Using the Wizard. When prompted, deselect the Enable High Availability option to proceed in standalone mode.

To set up Key Trustee Server manually, add the Key Trustee Server service to your cluster, following the instructions in Adding a Service. When customizing role assignments, assign only the Active Key Trustee Server and Active Database roles.

For parcel-based Key Trustee Server releases 5.8 and higher, Cloudera Manager automatically backs up Key Trustee Server (using the ktbackup.sh script) after adding the Key Trustee Server service. It also schedules automatic backups using cron. For package-based installations, you must manually back up Key Trustee Server and configure a cron job.

Cloudera Manager configures cron to run the backup script hourly. The latest 10 backups are retained in /var/lib/keytrustee in cleartext. For information about using the backup script and configuring the cron job (including how to encrypt backups), see Backing Up Key Trustee Server and Key Trustee KMS Using the ktbackup.sh Script.

Initializing Standalone Key Trustee Server Using the Command Line

To initialize a standalone Key Trustee Server, run the following commands on the Key Trustee Server:
$ sudo ktadmin init --external-address keytrustee.example.com
$ sudo ktadmin db --bootstrap --port 11381 --pg-rootdir /var/lib/keytrustee/db
## For RHEL/CentOS 7, use 'sudo systemctl [stop|start] <service_name>' instead of 'sudo service <service_name> [stop|start]' ##
$ sudo service keytrustee-db stop
$ sudo service keytrustee-db start
$ sudo service keytrusteed start
$ sudo chkconfig keytrustee-db on
$ sudo chkconfig keytrusteed on

Replace keytrustee.example.com with the fully qualified domain name (FQDN) of the Key Trustee Server. Cloudera recommends using the default /var/lib/keytrustee/db directory for the PostgreSQL database.

To use a different port for the database, modify the ktadmin init and ktadmin db commands as follows:

$ sudo ktadmin init --external-address keytrustee.example.com --db-connect postgresql://localhost:<port>/keytrustee?host=/tmp
$ sudo ktadmin db --bootstrap --port <port> --pg-rootdir /var/lib/keytrustee/db
If you specify a database directory other than /var/lib/keytrustee/db, create or edit the /etc/sysconfig/keytrustee-db file and add the following line:
ARGS="--pg-rootdir /path/to/db"

The ktadmin init command initializes the Key Trustee configuration directory (/var/lib/keytrustee/.keytrustee by default) and generates a self-signed certificate that Key Trustee Server uses for HTTPS communication.

The ktadmin db --bootstrap command initializes the database in the directory specified by the --pg-rootdir parameter.

The sudo service keytrustee-db stop and sudo service keytrustee-db start commands restart the Key Trustee Server database.

The sudo service keytrusteed start command starts Key Trustee Server.

(Optional) Replace Self-Signed Certificate with CA-Signed Certificate

If you have a CA-signed certificate for Key Trustee Server, see Managing Key Trustee Server Certificates for instructions on how to replace the self-signed certificate.

Specifying TLS/SSL Minimum Allowed Version and Ciphers

Depending on your cluster configuration and the security practices in your organization, you might need to restrict the allowed versions of TLS/SSL used by Key Trustee Server. Older TLS/SSL versions might have vulnerabilities or lack certain features.

Specify one of the following values using the Minimum TLS Support configuration setting:

  • tlsv1: Allow any TLS version of 1.0 or higher. This setting is the default when TLS/SSL is enabled.

  • tlsv1.1: Allow any TLS version of 1.1 or higher.

  • tlsv1.2: Allow any TLS version of 1.2 or higher.

Along with specifying the version, you can also specify the allowed set of TLS ciphers using the Supported Cipher Configuration for SSL configuration setting. The argument to this option is a list of keywords, separated by colons, commas, or spaces, and optionally including other notation.
AES256:CAMELLIA256-SHA

By default, the cipher list is empty, and Key Trustee Server uses the default cipher list for the underlying platform. See the output of man ciphers for the full set of keywords and notation allowed in the argument string.