
DDC Deployment

Requirements


Hardware Requirements

CipherTrust Manager

DDC is only supported when running CipherTrust Manager as a Virtual Machine. The CipherTrust Manager VM has the following requirements:

  • RAM: 16 GB minimum, recommended 64 GB

  • CPU: 4 cores. It is recommended to add extra cores if the average CPU usage is above 50% or CPU load is above 80% for extended periods of time.

  • Disk space: at least 256 GB

Agent requirements

Each concurrent DDC scan requires one core and typically less than 1 GB of RAM. Agents do not launch concurrent Local Storage scans. When running Local scans, Linux agents require a minimum of 1 core and 1 GB of RAM, and Windows agents require 2 cores and 4 GB of RAM.

The above requirements take only the DDC scanning agent into account. The operating system requires additional resources, usually 1-2 cores and 2-4 GB of RAM, so also consider the requirements of any other services running on the same host.

Please note that an agent running on a server can act both as a Local agent scanning that server and as a Proxy agent scanning other Data Stores, so monitor the agent's resource consumption while scans are running if both roles are in use.

Software Requirements

Agents for Debian require Debian kernel versions 3.x and higher.

Ports Used for Communication

This section lists the ports that must be open to allow communication among agents, data stores, and DDC. Firewalls should be configured to allow this traffic.

The following table lists the ports that are used by agents to connect to data stores:

| Initiator | Receiver | Protocol | Port(s) | Connection Type | Description |
|---|---|---|---|---|---|
| Agents | CipherTrust Manager | TCP | 11117 | Persistent | Allow traffic between Agents and the CipherTrust Manager appliance. Agents initiate the communication and keep persistent connections. |
| Agents | IBM DB2 | TCP | 50000 | Non-persistent | Allow traffic between Agents and the IBM DB2 database store. Agents initiate the communication and need the port during the current session. |
| Agents | Microsoft SQL | TCP | 1433 | Non-persistent | Allow traffic between Agents and the Microsoft SQL database store. Agents initiate the communication and need the port during the current session. |
| Agents | Oracle | TCP | 1521 | Non-persistent | Allow traffic between Agents and the Oracle database store. Agents initiate the communication and need the port during the current session. |
| Agents | PostgreSQL | TCP | 5432 | Non-persistent | Allow traffic between Agents and the PostgreSQL database store. Agents initiate the communication and need the port during the current session. |
| Agents | CIFS/SMB server | TCP | 445 (1) | Non-persistent | Allows scanning of Windows remote CIFS file shares. |
| Agents | NFS server | TCP or UDP | 2049 (2) | Non-persistent | Allows scanning of NFS file shares. |
| Agents | Hadoop Scanning | TCP | 8020, 50075 and 50010 | Non-persistent | Allow traffic between Agents and Hadoop cluster nodes. Agents initiate the communication and need the ports during the current session. |

Besides scanning Hadoop as a data store, DDC also uses Hadoop as an external database to store and process the scan results. DDC initiates this communication and needs the following port to be open during the current session:

| Initiator | Receiver | Protocol | Port(s) | Connection Type | Description |
|---|---|---|---|---|---|
| CipherTrust Manager | Hadoop (3) | TCP | 8443 | Non-persistent | Allow traffic between TDP cluster nodes and the CipherTrust Manager appliance. DDC supports Apache Knox. |
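A pre-deployment connectivity check built from the port tables above, added here as an example and not Thales code: the data store keys, function names and the loopback self-test are assumptions. It encodes the footnote exceptions (legacy Windows CIFS servers, NFSv3 and older) and probes only TCP ports, since UDP and dynamic rpcbind ports cannot be verified with a handshake.

```python
import socket

# Port map transcribed from the two tables on this page: store -> (proto, port).
DATA_STORE_PORTS = {
    "ciphertrust_manager": [("tcp", 11117)],
    "db2": [("tcp", 50000)],
    "mssql": [("tcp", 1433)],
    "oracle": [("tcp", 1521)],
    "postgresql": [("tcp", 5432)],
    "cifs": [("tcp", 445)],
    "nfs": [("tcp", 2049)],
    "hadoop": [("tcp", 8020), ("tcp", 50075), ("tcp", 50010)],
    "knox": [("tcp", 8443)],  # CipherTrust Manager -> TDP through Apache Knox
}

def required_ports(store, legacy_windows=False, nfs_version=4):
    """(proto, port) pairs that must be open for one data store.
    Footnote (1): Windows 2000 and older also need 137/138 UDP and 139 TCP.
    Footnote (2): NFSv3 and older also need 111 and dynamic rpcbind ports."""
    ports = list(DATA_STORE_PORTS[store])
    if store == "cifs" and legacy_windows:
        ports += [("udp", 137), ("udp", 138), ("tcp", 139)]
    if store == "nfs" and nfs_version < 4:
        ports += [("udp", 2049), ("tcp", 111), ("udp", 111)]
    return ports

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_store(host, store, **kwargs):
    """Probe each TCP port for a store; UDP ports are returned as None (not probed)."""
    return {(p, n): (tcp_reachable(host, n) if p == "tcp" else None)
            for p, n in required_ports(store, **kwargs)}

def selftest():
    """Constructed local check: a loopback listener is reachable, and the
    same port refuses connections once the listener is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    open_ok = tcp_reachable("127.0.0.1", port)
    srv.close()
    return open_ok and not tcp_reachable("127.0.0.1", port, timeout=1.0)
```

Run `check_store("<db-host>", "postgresql")` from the agent host before scheduling a scan; a `False` entry points at a firewall rule still missing between that agent and the data store.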

Prerequisites

  • CipherTrust Manager must be installed, configured, and accessible through the GUI (also called the console).

  • TDP must be installed and configured with Livy and HDFS. This DDC version requires TDP 3.1.5.1 or above.
    For more information about the supported TDP versions, refer to Compatibility Matrix between CM and TDP.

  • You must also have Apache Knox installed and configured for Hadoop.

  • Knox must also be DNS addressable, through a network DNS or by adding the DNS entry as described in CipherTrust Manager Administration Guide section Configuring DNS Hosts.

Installing CipherTrust Manager

DDC is shipped as a module of CipherTrust Manager with a trial license already installed, so no additional installation should be required in CipherTrust Manager. If you do not have CipherTrust Manager installed, or you cannot find DDC in the list of installed licenses, contact Thales or refer to the CipherTrust Manager product documentation for instructions.

Installing and Configuring TDP

Thales Data Platform (TDP) is a Big Data platform based on Hadoop technology. DDC requires a 5-node cluster with the following services available:

  • HDFS

  • Spark

  • Livy - available on at least one node

  • Knox

We recommend 2 name nodes and 3 data nodes. Each node should have the following minimum hardware configuration:

  • 8 CPUs / vCPUs

  • 16 GB RAM

  • 100 GB of disk

To install TDP, refer to the Thales Data Platform Deployment Guide and perform all the steps there before continuing with the DDC installation.

For information about Hadoop, refer to the official HDP 3.1.5 documentation page.


  1. Additional ports. For Windows 2000 and older:

    • 137 (UDP)

    • 138 (UDP)

    • 139 (TCP)

  2. NFSv4 requires only port 2049 (TCP only). NFSv3 and older must allow connections on the following ports:

    • 111 (TCP or UDP)

    • Dynamic ports assigned by rpcbind.

  3. Thales Data Platform (TDP) is the only Hadoop flavor currently supported.