Created 11-17-2021 02:40 AM
Hi,
I have installed CDP 7.1 on my servers and enabled Auto-TLS on those machines during installation. My cluster is now perfectly up and running. For security purposes I now want to disable TLS versions 1.0 and 1.1 on these machines.
In the config.ini file, which is located at /etc/config.ini, the minimum TLS protocol parameter is set to TLSv1.2, i.e.
use_tls= 1
minimum_tls_protocol=TLSv1.2
My Cloudera Manager UI is running on port 7183. According to the official Cloudera documentation
(link: https://docs.cloudera.com/cdp-private-cloud-upgrade/latest/release-guide/topics/cdpdc-networking-sec...)
port 7183 only supports TLSv1.2, as shown in the screenshot below:
But whenever I try to make a connection to this port via TLSv1, it connects successfully.
I am using the following command to test connectivity:
openssl s_client -connect ip:7183 -tls1
Kindly help me resolve this issue.
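As an added example that is not part of the original post, the script below generalizes the single `openssl s_client -tls1` check above to all four TLS versions and classifies what s_client prints, so one run shows which versions a listener actually negotiates. The host and port are placeholders passed on the command line, and the sample s_client outputs embedded in the script are constructed, not captured from the poster's cluster.

```shell
#!/bin/sh
# Added example, not code from the original post: probe one TLS endpoint with
# openssl s_client once per protocol version and report which versions the
# server negotiates. HOST and PORT come from the caller; the sample outputs
# at the bottom are constructed to mirror what s_client prints.

# classify_s_client_output: read s_client's combined stdout/stderr on stdin
# and print one word:
#   accepted   - a session was negotiated ("New, TLSv1.x, Cipher is ...")
#   rejected   - the server refused the version ("Cipher is (NONE)", alerts)
#   untestable - the local openssl cannot even offer that version (old build
#                without the flag, or a system crypto policy forbidding it)
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *'unknown option'*|*'unsupported protocol'*|*'no protocols available'*)
            echo untestable ;;
        *'Cipher is (NONE)'*)
            echo rejected ;;
        *'Cipher is '*)
            echo accepted ;;
        *)
            echo rejected ;;
    esac
}

# probe_tls_versions HOST PORT: force exactly one protocol version per
# connection. </dev/null closes the client side as soon as the handshake is
# decided, so the command returns without waiting for input.
probe_tls_versions() {
    host=$1
    port=$2
    for flag in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:$port" "-$flag" </dev/null 2>&1 \
                 | classify_s_client_output)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

# Constructed samples (not real captures) showing the three outcomes, so the
# classifier can be exercised offline.
sample_accepted='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
sample_rejected='CONNECTED(00000003)
error:...:SSL routines:...:tlsv1 alert protocol version:...
---
New, (NONE), Cipher is (NONE)'
sample_untestable='CONNECTED(00000003)
error:...:SSL routines:...:no protocols available:...'

if [ $# -eq 2 ]; then
    probe_tls_versions "$1" "$2"
else
    # no endpoint given: show the classifier on the constructed samples
    printf '%s\n' "$sample_accepted"   | classify_s_client_output
    printf '%s\n' "$sample_rejected"   | classify_s_client_output
    printf '%s\n' "$sample_untestable" | classify_s_client_output
fi
```

Run it as `sh probe_tls.sh <host> 7183`. A row that reads `untestable` says nothing about the server: it means the client's own OpenSSL build or system crypto policy refused to offer that version, so run the probe from a host that can still speak TLS 1.0 and 1.1 before concluding the server rejects them.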
Created on 11-18-2021 12:13 PM - edited 11-18-2021 12:14 PM
@hxn Please locate the java.security file and use "jdk.tls.disabledAlgorithms" to disable TLSv1 and TLSv1.1.
If you upgrade Java, you will have to redo it.
e.g.
# find /usr/java/jdk1.8.0_232-cloudera/ -iname java.security
/usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
# grep -i jdk.tls.disabledAlgorithms /usr/java/jdk1.8.0_232-cloudera/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC
# certificates such as jdk.tls.disabledAlgorithms or
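An added example, not the answer's own code: a POSIX shell script that makes the java.security edit described above idempotently (it skips tokens already present, ignores the commented-out copies of the property that the grep above also matched, and keeps backslash-continued values intact) and then prints the resulting list so the change can be verified. The only assumption is the path of the java.security file, passed as the first argument; the fragment it builds when run without arguments is constructed from the grep output quoted in the answer, with TLSv1 and TLSv1.1 removed so the script has work to do.

```shell
#!/bin/sh
# Added example, not code from the original answer: add TLSv1 and TLSv1.1 to
# the active jdk.tls.disabledAlgorithms line of a java.security file without
# duplicating tokens or touching commented-out copies of the property.
# Usage: sh disable_legacy_tls.sh /path/to/jre/lib/security/java.security
# Run it as a user that may write the file, and again after every JDK upgrade.

# disabled_algorithms FILE: print the value of the last active (uncommented)
# jdk.tls.disabledAlgorithms line. java.security continues a value onto the
# next line when a line ends in a backslash, so continuation lines are joined.
disabled_algorithms() {
    awk '
        /^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            val = $0
            while (val ~ /\\[[:space:]]*$/) {
                sub(/\\[[:space:]]*$/, "", val)
                if ((getline line) <= 0) break
                sub(/^[[:space:]]*/, "", line)
                val = val line
            }
            print val
        }' "$1" | tail -n 1
}

# has_token LIST TOKEN: exact, whitespace-trimmed match of TOKEN in the
# comma-separated LIST, so "TLSv1" does not match "TLSv1.1".
has_token() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$2"
}

# disable_legacy_tls FILE: ensure TLSv1 and TLSv1.1 are in the list.
# Leaves the file untouched when both are already present.
disable_legacy_tls() {
    file=$1
    current=$(disabled_algorithms "$file")
    add=''
    for v in TLSv1 TLSv1.1; do
        has_token "$current" "$v" || add="${add:+$add, }$v"
    done
    [ -n "$add" ] || return 0
    tmp="$file.tmp.$$"
    if ! grep -q '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$file"; then
        # property absent: append an active line
        { cat "$file"; printf 'jdk.tls.disabledAlgorithms=%s\n' "$add"; } > "$tmp"
    elif [ -z "$current" ]; then
        # property present but empty: set it
        sed "s/^\([[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=\).*/\1$add/" "$file" > "$tmp"
    else
        # prepend to the first line of the value so any backslash
        # continuation lines that follow stay valid
        sed "s/^\([[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=[[:space:]]*\)/\1$add, /" "$file" > "$tmp"
    fi
    # write back through cat so the file keeps its owner and mode
    cat "$tmp" > "$file" && rm -f "$tmp"
}

if [ $# -ge 1 ]; then
    disable_legacy_tls "$1"
    disabled_algorithms "$1"
else
    # no file given: demonstrate on a constructed java.security fragment
    # (a commented-out default above an active, backslash-continued value)
    demo=$(mktemp)
    printf '%s\n' \
        '# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048' \
        'jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \' \
        '    DH keySize < 768, 3DES_EDE_CBC' > "$demo"
    disable_legacy_tls "$demo"
    disabled_algorithms "$demo"
    rm -f "$demo"
fi
```

This changes the JVM's defaults, so it governs Cloudera Manager Server (a JVM process) and any other Java service started with this JDK once those processes are restarted; daemons that do not run on the JVM, such as Impala's C++ impalad, never read java.security and keep their own TLS settings. On JDK 8u291 and 11.0.11 or later, TLSv1 and TLSv1.1 are already in the shipped list, and the script then leaves the file unchanged.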
Created 12-02-2021 08:16 PM
There is also an option "Supported TLS versions" in Cloudera Manager under Security; if you search for SSL, you will get the option "Supported TLS versions". Even after selecting TLSv1.2 from that option, our security scans show that a few ports from Impala and some other services are open.
A screenshot of Cloudera Manager is attached.
Regards
Hxn