Requirements
Hardware Requirements
CipherTrust Manager
DDC is only supported when CipherTrust Manager runs as a virtual machine. The CipherTrust Manager VM has the following requirements:
RAM: 16 GB minimum, recommended 64 GB
CPU: 4 cores minimum. Add cores if average CPU usage stays above 50% or CPU load stays above 80% for extended periods of time.
Disk space: at least 256 GB
Agent requirements
Each concurrent DDC scan requires one core and typically less than 1 GB of RAM. Agents do not run Local Storage scans concurrently. For Local scans, Linux agents require a minimum of 1 core and 1 GB of RAM, and Windows agents require 2 cores and 4 GB of RAM.
The figures above cover only the DDC scanning agent. The operating system needs additional resources, usually 1-2 cores and 2-4 GB of RAM, and any other services running on the host must be budgeted for as well.
Note that an agent running on a server can act both as a Local agent (scanning the server it runs on) and as a Proxy agent (scanning other data stores), in which case both workloads share the same host. Monitor the agent's resource consumption while scans are running and adjust the sizing if needed.
Software Requirements
Agents for Debian require a Debian kernel version 3.x or higher.
Ports Used for Communication
This section lists the ports that must be open for communication among agents, data stores, and DDC. Configure firewalls to allow this traffic.
The following table lists the ports used by agents to connect to CipherTrust Manager and to data stores:
Initiator | Receiver | Protocol | Port(s) | Connection Type | Description |
---|---|---|---|---|---|
Agents | CipherTrust Manager | TCP | 11117 | Persistent | Allow traffic between Agents and the CipherTrust Manager appliance. Agents initiate the communication and keep persistent connections. |
Agents | IBM DB2 | TCP | 50000 | Non-persistent | Allow traffic between Agents and the IBM DB2 database store. Agents initiate the communication and need the port during the current session. |
Agents | Microsoft SQL | TCP | 1433 | Non-persistent | Allow traffic between Agents and the Microsoft SQL database store. Agents initiate the communication and need the port during the current session. |
Agents | Oracle | TCP | 1521 | Non-persistent | Allow traffic between Agents and the Oracle database store. Agents initiate the communication and need the port during the current session. |
Agents | PostgreSQL | TCP | 5432 | Non-persistent | Allow traffic between Agents and the PostgreSQL database store. Agents initiate the communication and need the port during the current session. |
Agents | CIFS/SMB server | TCP | 445 (1) | Non-persistent | Allows scanning of Windows remote CIFS file shares. |
Agents | NFS server | TCP or UDP | 2049 (2) | Non-persistent | Allows scanning of NFS file shares. |
Agents | Hadoop Scanning | TCP | 8020, 50075 and 50010 | Non-persistent | Allow traffic between Agents and Hadoop cluster nodes. Agents initiate the communication and need the ports during the current session. |
Besides Hadoop as a data store, DDC also uses Hadoop (TDP) as the external database in which scan results are stored and processed. DDC initiates this communication and needs the following port open during the session:
Initiator | Receiver | Protocol | Port(s) | Connection Type | Description |
---|---|---|---|---|---|
CipherTrust Manager | Hadoop (3) | TCP | 8443 | Non-persistent | Allow traffic between the CipherTrust Manager appliance and the TDP cluster nodes. DDC connects to the cluster through Apache Knox. |
Prerequisites
CipherTrust Manager must be installed, configured, and accessible through the GUI (also called the console).
TDP must be installed and configured with Livy and HDFS. This DDC version requires TDP 3.1.5.1 or above.
For the supported TDP versions, refer to the Compatibility Matrix between CM and TDP. You must also have Apache Knox installed and configured for Hadoop.
Knox must also be resolvable by name from CipherTrust Manager, either through the network DNS or by adding a host entry as described in the CipherTrust Manager Administration Guide, section Configuring DNS Hosts.
Installing CipherTrust Manager
DDC ships as a module of CipherTrust Manager with a trial license already installed, so no additional installation should be required in CipherTrust Manager. If CipherTrust Manager is not yet installed, or DDC does not appear in the list of installed licenses, contact Thales or refer to the CipherTrust Manager product documentation for instructions.
Installing and Configuring TDP (On-prem)
On-prem Thales Data Platform is a Big Data platform based on Hadoop technology. DDC requires a 5-node cluster with the following services available:
HDFS
Spark
Livy - available on at least one node
Knox
We recommend 2 name nodes and 3 data nodes. Each node should have the following minimum hardware configuration:
8 CPUs/vCPUs
32 GB RAM
200 GB of disk
For installing on-prem TDP, refer to the Thales Data Platform Deployment Guide and perform all the steps in there before continuing with the DDC installation.
For information about Hadoop, refer to the official HDP 3.1.5 documentation page.
Installing and Configuring TDPaaS
TDPaaS is a cloud-based service that provides an alternative to the Hadoop services offered by on-prem TDP. Before configuring TDPaaS with DDC:
Ensure that your instance can connect to https://us.tdpaas.dpondemand.io over the standard HTTPS port 443.
(Recommended) Whitelist that URL on any outbound proxy or firewall so that communication with TDPaaS is not interrupted.
For configuring TDPaaS, see Configuring TDPaaS.
(1) Additional ports for CIFS/SMB. Windows 2000 and older servers also require:
137 (UDP)
138 (UDP)
139 (TCP)
(2) NFSv4 requires only port 2049 (TCP only). NFSv3 and older must also allow connections on the following ports:
111 (TCP or UDP)
Dynamic ports assigned by rpcbind.
(3) Thales Data Platform (TDP) is the only Hadoop flavor currently supported.
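The port tables, the Knox name-resolution prerequisite and the TDPaaS reachability requirement above are all things a practitioner wants to verify before the first scan. The following pre-flight script is an added example written for this page; it is not part of the Thales documentation or of the DDC agent. It encodes the TCP ports from the tables per data store type, checks that each target host resolves and that each required TCP port accepts a connection, and flags NFSv3 (dynamic rpcbind ports) and the UDP NetBIOS ports, which a TCP connect test cannot cover. Run it on the agent host for the data-store rows, and on a host that shares CipherTrust Manager's resolver for the Knox and TDPaaS rows. All host names in the demo are placeholders.

```python
"""DDC firewall pre-flight check (added example, not Thales code).

Checks name resolution and TCP reachability for the ports in the
DDC port tables. UDP ports (NetBIOS 137/138, NFS over UDP) and the
dynamic rpcbind ports of NFSv3 cannot be proven by a TCP connect and
are listed as manual checks instead.
"""
import socket
from dataclasses import dataclass

# TCP ports from the port tables, keyed by a store type chosen here.
REQUIRED_TCP_PORTS = {
    "ciphertrust": [11117],
    "db2": [50000],
    "mssql": [1433],
    "oracle": [1521],
    "postgresql": [5432],
    "smb": [445],
    "smb_legacy": [445, 139],        # Windows 2000 and older; 137/138 are UDP
    "nfs4": [2049],
    "nfs3": [2049, 111],             # plus dynamic rpcbind ports
    "hadoop": [8020, 50075, 50010],
    "knox": [8443],
    "tdpaas": [443],                 # https://us.tdpaas.dpondemand.io
}

# Requirements that need a manual check beyond a TCP connect.
MANUAL_CHECKS = {
    "smb_legacy": "UDP 137 and 138 (NetBIOS) must also be allowed",
    "nfs3": "UDP 2049/111 if used, and the dynamic ports assigned by rpcbind",
}


@dataclass
class CheckResult:
    name: str
    host: str
    port: int
    resolved: bool
    reachable: bool


def resolve(host):
    """True when the host name resolves (the 'Knox must be DNS addressable' prerequisite)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def check_tcp(host, port, timeout=2.0):
    """True when a TCP connection to host:port can be established within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def preflight(targets, timeout=2.0):
    """targets: iterable of (name, host, store_type). One CheckResult per required TCP port."""
    results = []
    for name, host, store_type in targets:
        resolved = resolve(host)
        for port in REQUIRED_TCP_PORTS[store_type]:
            reachable = resolved and check_tcp(host, port, timeout)
            results.append(CheckResult(name, host, port, resolved, reachable))
    return results


def failures(results):
    """Only the rows that would block a scan."""
    return [r for r in results if not r.reachable]


def manual_notes(targets):
    """Reminders for requirements a TCP connect cannot verify."""
    return [f"{name} ({host}): {MANUAL_CHECKS[t]}"
            for name, host, t in targets if t in MANUAL_CHECKS]


def open_local_listener():
    """Ephemeral loopback listener so the check can be demonstrated offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: one open loopback port and one deliberately closed one.
    srv, port = open_local_listener()
    print(f"127.0.0.1:{port} reachable:", check_tcp("127.0.0.1", port))  # True
    print("127.0.0.1:1 reachable:", check_tcp("127.0.0.1", 1))           # False
    srv.close()
    # Real run with placeholder hosts (assumed names, adjust to your site):
    targets = [("prod-pg", "pg01.example.internal", "postgresql"),
               ("legacy-share", "fs-w2k.example.internal", "smb_legacy"),
               ("knox", "knox.tdp.example.internal", "knox")]
    for r in failures(preflight(targets)):
        print("BLOCKED", r)
    for note in manual_notes(targets):
        print("MANUAL ", note)
```

A closed port and an unreachable host both show as `reachable=False`; the `resolved` field separates a DNS problem (fix the host entry on CipherTrust Manager) from a firewall problem (open the port). Keep the connect timeout short; a firewall that silently drops packets is reported only after the timeout expires.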