We have tricky situation where customer wants a written proof of ssl supporting TLS on services running with HDP2.5. He says that Hortonworks documentation don't say that services use TLS1.1/2 except Kafka as per the link https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html
Is there any documentation or written proof / link available which they can refer and see the word 'TLS ' specifically. The argument is that cloudera documentation clearly states it everywhere. Why Hortonworks do not ?
I am sorry if i misunderstood your question.
In the same document (For Kafka) you will find that you can use the
that can be used to specify the SSL protocols that you will accept from clients.
Note: SSL is deprecated; its use in production is not
So if you tell kafka to use the TLS using "ssl.enabled.protocols" then it should be using it. You can further the communication on that port using the "openssl" s_client running in debug mode as well to see if the communication is happening on TLS or not.
# openssl s_client -debug -connect localhost:9093 -tls1
For other services as well you can use the same openssl debug mode to see that the communication happens on TLS.
Similarly for Hadoop components you can define the supported protocols inside the "core-site.xml" as mentioned in https://hadoop.apache.org/docs/r2.7.3/hadoop-mapreduce-client/hadoop-mapreduce-client-core/Encrypted... hadoop.ssl.enabled.protocols TLSv1 The supported SSL protocols (JDK6 can use TLSv1, JDK7+ can use TLSv1,TLSv1.1,TLSv1.2)
Similarly for Ambari we can define the "disabled" protocol list: https://docs.hortonworks.com/HDPDocuments/Ambari-188.8.131.52/bk_ambari-security/content/optional_configu...
Dear Jay, You understood it correctly. Customer is looking a similar documentation from Horton as it is from Apache in your link above. specifically mentioning TLS. The argument is how do we know ensure Hortonworks has implemented what Apache Hadoop is saying. Hortonworks documentation did not provide it in writing / in their documentation. Your openssl_s command test is surely one way and will help. But do you think a page/ document from Horton exist any where stating that all hadoop.ssl.enabled.protocols property in core-site.xml file can use TLS protocol. Thanks for help.