Support Questions

Find answers, ask questions, and share your expertise

Enforce TLSv1.2 for CDP working with AutoTLS

Explorer

Hi,

I have installed CDP 7.1 on my servers. I have enabled autoTLS on those machines during installation. Now my cluster is perfectly up and running. Now for security purpose I want to disable TLS version 1.0 and 1.1 on these machines. 

In config.ini file which is located in /etc/config.ini minimum tls protocol parameter is set to TLSv1.2 i.e

 

use_tls= 1
minimum_tls_protocol=TLSv1.2

 

 

My cloudera manager UI is running at port 7183. According to cloudera official documentation
(link: https://docs.cloudera.com/cdp-private-cloud-upgrade/latest/release-guide/topics/cdpdc-networking-sec...)
port 7183 only supports TLSv1.2 as shown in screenshot below:

hxn_0-1637144723273.png

But whenever I try to make connection to this port via TLSv1 it connects successfully.
I am using following command to test connectivity:

 

openssl s_client -connect ip:7183 -tls1

 

 

Kindly help me resolve this issue.

 

Regards
@smruti @GangWar 

2 REPLIES 2

Rising Star

@hxn Please locate java.security file and use "jdk.tls.disabledAlgorithms" to disable TLSv1, TLSv1.1.

If you upgrade Java, you will have to redo it.

e.g.

# find /usr/java/jdk1.8.0_232-cloudera/ -iname java.security
/usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
# grep -i jdk.tls.disabledAlgorithms /usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC
# certificates such as jdk.tls.disabledAlgorithms or

 

Explorer

There is also an option of "Supported TLS versions" in Cloudera Manager under Security, search for SSL you will get the option of "Supported TLS versions" even after selecting TLSv1.2 from that option our security scans show that few ports from impala and some other services are open.

Screenshot of Cloudera Manager is attached.

 

hxn_0-1638504942026.png

Regards

Hxn