Enforce TLSv1.2 for CDP working with AutoTLS

Explorer

Hi,

I have installed CDP 7.1 on my servers. I have enabled AutoTLS on those machines during installation. Now my cluster is perfectly up and running. Now, for security purposes, I want to disable TLS versions 1.0 and 1.1 on these machines.

In the config.ini file, which is located at /etc/config.ini, the minimum TLS protocol parameter is set to TLSv1.2, i.e.
use_tls= 1
minimum_tls_protocol=TLSv1.2
My Cloudera Manager UI is running on port 7183. According to the official Cloudera documentation
(link: https://docs.cloudera.com/cdp-private-cloud-upgrade/latest/release-guide/topics/cdpdc-networking-sec...)
port 7183 only supports TLSv1.2, as shown in the screenshot below:

[screenshot: hxn_0-1637144723273.png]

But whenever I try to make a connection to this port via TLSv1, it connects successfully.
I am using the following command to test connectivity:
openssl s_client -connect ip:7183 -tls1
Kindly help me resolve this issue.
Regards
@smruti @GangWar 
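As an added example (not from the original post and not a Cloudera tool), the script below automates the connectivity test quoted above by running one openssl s_client handshake per TLS version and classifying the transcript. The point it makes is that s_client prints CONNECTED(...) as soon as the TCP connection is up, before any TLS handshake, so the line that decides whether a version was actually accepted is the "New, ..., Cipher is ..." summary: a real cipher name means the server negotiated that version, "Cipher is (NONE)" or an alert means it refused. The host and port in the usage line are placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: probe a listener with one
# openssl s_client handshake per TLS version and report which versions
# the server accepted. Assumes the openssl CLI is on PATH; the host in
# the usage line is a placeholder for a Cloudera Manager host you run.

# Classify one s_client transcript.
#   client-unsupported : the local openssl refused to offer that version
#                        (common for -tls1 on OpenSSL 3 at its default
#                        security level), so nothing was learned about
#                        the server
#   accepted           : a handshake completed and a real cipher was chosen
#   rejected           : the server refused the version
classify_s_client() {
    transcript=$1
    if printf '%s\n' "$transcript" | grep -qiE 'no protocols available|unknown option'; then
        echo client-unsupported
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is '; then
        echo accepted
    else
        # No summary line at all: the handshake aborted before completion.
        echo rejected
    fi
}

# Run s_client with one version flag against host:port. stdin is closed so
# the client exits right after the handshake instead of waiting for input.
probe_one() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
    classify_s_client "$out"
}

# One line per version. A listener hardened to TLS 1.2+ should show
# "rejected" for -tls1 and -tls1_1 and "accepted" for -tls1_2.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_one "$1" "$2" "$flag")"
    done
}

# Usage (placeholder host):
# probe_all cm-host.example.com 7183
```

Run it from a host whose OpenSSL can still offer TLS 1.0 and 1.1; if every legacy probe comes back "client-unsupported", the scanner's result, not this script, is the evidence to act on.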
Master Collaborator

@hxn Please locate the java.security file and use "jdk.tls.disabledAlgorithms" to disable TLSv1 and TLSv1.1.

If you upgrade Java, you will have to redo it.

e.g.

# find /usr/java/jdk1.8.0_232-cloudera/ -iname java.security
/usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
# grep -i jdk.tls.disabledAlgorithms /usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC
# certificates such as jdk.tls.disabledAlgorithms or
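As an added example (not part of the reply above and not Cloudera's tooling), the check below reads a java.security file the way the reply's grep does but resolves the value that is actually in force: it skips the commented default line, joins backslash-continued lines the way the JDK's properties reader does, takes the last active definition, and tests for the TLSv1 and TLSv1.1 tokens exactly rather than as substrings (a plain grep for TLSv1 also matches TLSv1.1 and TLSv1.2). The JDK path in the usage line is the one quoted in the reply; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the reply above or from Cloudera): resolve the
# active jdk.tls.disabledAlgorithms value in a java.security file and check
# that TLSv1 and TLSv1.1 are both listed as exact tokens. Function names
# are mine; the JDK path in the usage line is the one quoted in the reply.

# Print the effective value: comment lines are skipped, backslash-continued
# lines are joined (leading whitespace of a continuation line dropped, as
# the JDK properties reader does), and the last active definition wins.
active_disabled_algorithms() {
    awk '
        {
            line = $0
            continued = (line ~ /\\[[:space:]]*$/)
            sub(/\\[[:space:]]*$/, "", line)
            if (buf != "") sub(/^[[:space:]]+/, "", line)
            buf = buf line
            if (continued) next
            logical = buf
            buf = ""
            if (logical ~ /^[[:space:]]*#/) next
            if (logical ~ /^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/) {
                sub(/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=[[:space:]]*/, "", logical)
                value = logical
            }
        }
        END { print value }
    ' "$1"
}

# Exit 0 only if every legacy protocol appears as its own comma-separated
# token; grep -x -F avoids matching TLSv1 inside TLSv1.1 or TLSv1.2.
tls_legacy_disabled() {
    value=$(active_disabled_algorithms "$1")
    for proto in TLSv1 TLSv1.1; do
        printf '%s\n' "$value" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
            | grep -qxF "$proto" || return 1
    done
    return 0
}

# Usage (path from the reply above):
# f=/usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
# tls_legacy_disabled "$f" && echo "TLSv1/TLSv1.1 disabled" || echo "legacy TLS still enabled"
```

Because a JDK upgrade ships a fresh java.security, as the reply notes, this is the kind of check worth running after every Java update rather than once.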
Explorer

There is also an option "Supported TLS versions" in Cloudera Manager under Security (search for SSL and you will get the "Supported TLS versions" option). Even after selecting TLSv1.2 from that option, our security scans show that a few ports from Impala and some other services are open.

Screenshot of Cloudera Manager is attached.
[screenshot: hxn_0-1638504942026.png]

Regards

Hxn