[note: this document was prepared after reading to cloudera website.]
Using this tutorial i will explain about " Cloudera Navigator Key Trustee Server (KTS).
Cloudera Navigator is a fully integrated data-management and security system for the Hadoop platform. Cloudera Navigator provides the following functionality:
(here i will be explaining about 'KTS' under 'Data Encryption')
- Data Management
- Data Encryption : Enabling HDFS encryption using Key Trustee Server as the key store involves multiple components.
⦁ Cloudera Navigator Key Trustee Server
⦁ Cloudera Navigator Key HSM
⦁ Cloudera Navigator Encrypt
⦁ Key Trustee KMS
Reference : http://www.cloudera.com/documentation/enterprise/5-8-x/topics/navigator_encryption.html#concept_w4l_yjv_jt
Using this tutorial i will explain about " Cloudera Navigator Key Trustee Server (KTS).
Cloudera Navigator is a fully integrated data-management and security system for the Hadoop platform. Cloudera Navigator provides the following functionality:
(here i will be explaining about 'KTS' under 'Data Encryption')
- Data Management
- Data Encryption : Enabling HDFS encryption using Key Trustee Server as the key store involves multiple components.
⦁ Cloudera Navigator Key Trustee Server
⦁ Cloudera Navigator Key HSM
⦁ Cloudera Navigator Encrypt
⦁ Key Trustee KMS
Reference : http://www.cloudera.com/documentation/enterprise/5-8-x/topics/navigator_encryption.html#concept_w4l_yjv_jt
Resource Planning for Data at Rest Encryption:
For high availability, you must provision two dedicated Key Trustee Server hosts and at least two dedicated Key Trustee KMS hosts, for a minimum of four separate hosts. Do not run multiple Key Trustee Server or Key Trustee KMS services on the same physical host, and do not run these services on hosts with other cluster services. Doing so causes resource contention with other important cluster services and defeats the purpose of high availability.
The Key Trustee KMS workload is CPU intensive. Cloudera recommends using machines with capabilities equivalent to your NameNode hosts, with Intel CPUs that support AES-NI for optimum performance.
Make sure that each host is secured and audited. Only authorized key administrators should have access to them. refer following links to secure redhat OS...
For Cloudera Manager deployments, deploy Key Trustee Server in its own dedicated cluster. Deploy Key Trustee KMS in each cluster that uses Key Trustee Server.
Reference: http://www.cloudera.com/documentation/enterprise/5-8-x/topics/encryption_resource_planning.html#concept_cg3_rfp_y5
Virtual Machine Considerations
If you are using virtual machines, make sure that the resources (such as virtual disks, CPU, and memory) for each Key Trustee Server and Key Trustee KMS host are allocated to separate physical hosts. Hosting multiple services on the same physical host defeats the purpose of high availability, because a single machine failure can take down multiple services.
⦁ You can restart your EDH cluster without restarting Key Trustee Server, avoiding interruption to other clusters or clients that use the same Key Trustee Server instance.
⦁ You can manage the Key Trustee Server upgrade cycle independently of other cluster components.
⦁ You can limit access to the Key Trustee Server hosts to authorized key administrators only, reducing the attack surface of the system.
⦁ Resource contention is reduced. Running Key Trustee Server and Key Trustee KMS services on dedicated hosts prevents other cluster services from reducing available resources (such as CPU and memory) and creating bottlenecks.
reference : http://www.cloudera.com/documentation/enterprise/5-8-x/topics/encryption_ref_arch.html#concept_npk_rxh_1v
++++
Deployment Planning for Data at Rest Encryption
⦁ Data at Rest Encryption Reference Architecture (explained above)
⦁ Data at Rest Encryption Requirements
⦁ Resource Planning for Data at Rest Encryption (explained above)
Data at Rest Encryption Requirements ( http://www.cloudera.com/documentation/enterprise/5-8-x/topics/encryption_prereqs.html#concept_sbn_zt4_y5 )
Encryption comprises several components, each with its own requirements. See Cloudera Navigator Data Encryption Overview for more information on the components, concepts, and architecture for encrypting data at rest. Continue reading:
⦁ Product Compatibility Matrix ( http://www.cloudera.com/documentation/enterprise/5-8-x/topics/rn_consolidated_pcm.html#pcm_navigator_encryption )
⦁ Entropy Requirements
⦁ Key Trustee Server Requirements
⦁ Key Trustee KMS Requirements
⦁ Key HSM Requirements
⦁ Navigator Encrypt Requirements
++++
You can install Navigator Key Trustee Server using Cloudera Manager with parcels or using the command line with packages.
Prerequisites: See Data at Rest Encryption Requirements for more information about encryption and Key Trustee Server requirements.
Setting Up an Internal Repository:
You must create an internal repository to install or upgrade the Cloudera Navigator data encryption components. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see the following topics:
⦁ Creating and Using a Remote Parcel Repository for Cloudera Manager
⦁ Creating and Using a Package Repository for Cloudera Manager
If you are using virtual machines, make sure that the resources (such as virtual disks, CPU, and memory) for each Key Trustee Server and Key Trustee KMS host are allocated to separate physical hosts. Hosting multiple services on the same physical host defeats the purpose of high availability, because a single machine failure can take down multiple services.
Data at Rest Encryption Reference Architecture
To isolate Key Trustee Server from other Enterprise Data Hub (EDH) services, you must deploy Key Trustee Server on dedicated hosts in a separate cluster in Cloudera Manager. Deploy Key Trustee KMS on dedicated hosts in the same cluster as the EDH services that require access to Key Trustee Server. This provides the following benefits:
⦁ You can manage the Key Trustee Server upgrade cycle independently of other cluster components.
⦁ You can limit access to the Key Trustee Server hosts to authorized key administrators only, reducing the attack surface of the system.
⦁ Resource contention is reduced. Running Key Trustee Server and Key Trustee KMS services on dedicated hosts prevents other cluster services from reducing available resources (such as CPU and memory) and creating bottlenecks.
reference : http://www.cloudera.com/documentation/enterprise/5-8-x/topics/encryption_ref_arch.html#concept_npk_rxh_1v
Installing Cloudera Navigator Key Trustee Server
Important: Before installing Cloudera Navigator Key Trustee Server, see Deployment Planning for Data at Rest Encryption for important considerations.++++
Deployment Planning for Data at Rest Encryption
⦁ Data at Rest Encryption Reference Architecture (explained above)
⦁ Data at Rest Encryption Requirements
⦁ Resource Planning for Data at Rest Encryption (explained above)
Data at Rest Encryption Requirements ( http://www.cloudera.com/documentation/enterprise/5-8-x/topics/encryption_prereqs.html#concept_sbn_zt4_y5 )
Encryption comprises several components, each with its own requirements. See Cloudera Navigator Data Encryption Overview for more information on the components, concepts, and architecture for encrypting data at rest. Continue reading:
⦁ Product Compatibility Matrix ( http://www.cloudera.com/documentation/enterprise/5-8-x/topics/rn_consolidated_pcm.html#pcm_navigator_encryption )
⦁ Entropy Requirements
⦁ Key Trustee Server Requirements
⦁ Key Trustee KMS Requirements
⦁ Key HSM Requirements
⦁ Navigator Encrypt Requirements
++++
You can install Navigator Key Trustee Server using Cloudera Manager with parcels or using the command line with packages.
Prerequisites: See Data at Rest Encryption Requirements for more information about encryption and Key Trustee Server requirements.
Setting Up an Internal Repository:
You must create an internal repository to install or upgrade the Cloudera Navigator data encryption components. For instructions on creating internal repositories (including Cloudera Manager, CDH, and Cloudera Navigator encryption components), see the following topics:
⦁ Creating and Using a Remote Parcel Repository for Cloudera Manager
⦁ Creating and Using a Package Repository for Cloudera Manager
It is nice blog Thank you porovide importent information and i am searching for same information to save my timeHadoop Admin Online Course Hyderabad
ReplyDeletereally Good blog post.provided a helpful information.I hope that you will post more updates like thisHadoop Admin Online Course Bangalore
ReplyDelete