Horton documentation specifically stating 'TLS'

Explorer

We have a tricky situation where a customer wants written proof of SSL supporting TLS on services running with HDP2.5. He says that the Hortonworks documentation doesn't say that services use TLS1.1/2, except for Kafka, as per the link https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html

Is there any documentation or written proof / link available which they can refer to and see the word 'TLS' specifically? The argument is that the Cloudera documentation clearly states it everywhere. Why does Hortonworks not?

2 REPLIES

Re: Horton documentation specifically stating 'TLS'

Super Mentor

@Vishal Gupta

I am sorry if I misunderstood your question.

In the same document (for Kafka) you will find that you can use ssl.enabled.protocols to specify the SSL protocols that you will accept from clients.

Note: SSL is deprecated; its use in production is not recommended. TLSv1.2,TLSv1.1,TLSv1

So if you tell Kafka to use TLS using "ssl.enabled.protocols" then it should be using it. You can further the communication on that port using the "openssl" s_client running in debug mode as well to see if the communication is happening on TLS or not.

# openssl s_client -debug -connect localhost:9093 -tls1

For other services as well you can use the same openssl debug mode to see that the communication happens on TLS.

Similarly, for Hadoop components you can define the supported protocols inside "core-site.xml" as mentioned in https://hadoop.apache.org/docs/r2.7.3/hadoop-mapreduce-client/hadoop-mapreduce-client-core/Encrypted...

hadoop.ssl.enabled.protocols (default: TLSv1): The supported SSL protocols (JDK6 can use TLSv1, JDK7+ can use TLSv1,TLSv1.1,TLSv1.2)

Similarly for Ambari we can define the "disabled" protocol list: https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.0.3/bk_ambari-security/content/optional_configu...

security.server.disabled.protocols=SSL|SSLv2|SSLv3
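
Added example (not part of the reply above, and not Hortonworks or Apache code): a small Python audit that reads the three settings named in this reply from the config text and reports whether any SSL-era protocol is still enabled, which gives a written record to go with the openssl check. Function names and sample configs are constructed for illustration; it only separates SSL from TLS and does not rank TLS versions.

```python
import re
import xml.etree.ElementTree as ET

LEGACY = re.compile(r"^SSL", re.IGNORECASE)  # matches SSL, SSLv2, SSLv2Hello, SSLv3

def parse_properties(text):
    """Simplified Java .properties parser (key=value lines, # or ! comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_hadoop_xml(text):
    """Flatten a Hadoop *-site.xml document into {name: value}."""
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(text).iter("property")}

def audit_enabled(props, key):
    """Allow-list (comma-separated): every entry must be a TLS version."""
    if key not in props:
        return "UNSET", []  # the component's built-in default applies
    protos = [p.strip() for p in props[key].split(",") if p.strip()]
    bad = [p for p in protos if LEGACY.match(p)]
    return ("FAIL" if bad or not protos else "OK"), protos

def audit_disabled(props, key="security.server.disabled.protocols"):
    """Ambari deny-list ('|'-separated): SSLv2 and SSLv3 must both be listed."""
    if key not in props:
        return "UNSET", []
    disabled = [p.strip() for p in props[key].split("|") if p.strip()]
    missing = [p for p in ("SSLv2", "SSLv3") if p not in disabled]
    return ("FAIL" if missing else "OK"), disabled

# Constructed sample configs; the protocol values are the ones quoted in the thread.
KAFKA = "listeners=SSL://0.0.0.0:9093\nssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1\n"
CORE_SITE = ("<configuration><property><name>hadoop.ssl.enabled.protocols</name>"
             "<value>TLSv1,SSLv3</value></property></configuration>")  # weak on purpose
AMBARI = "security.server.disabled.protocols=SSL|SSLv2|SSLv3\n"

if __name__ == "__main__":
    print("kafka ", audit_enabled(parse_properties(KAFKA), "ssl.enabled.protocols"))
    print("hadoop", audit_enabled(parse_hadoop_xml(CORE_SITE), "hadoop.ssl.enabled.protocols"))
    print("ambari", audit_disabled(parse_properties(AMBARI)))
```

An "UNSET" result means the property is absent from the file, so the effective protocol list is whatever the component defaults to and should be confirmed with the openssl test.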

Re: Horton documentation specifically stating 'TLS'

Explorer

Dear Jay, you understood it correctly. The customer is looking for similar documentation from Horton as there is from Apache in your link above, specifically mentioning TLS. The argument is: how do we ensure Hortonworks has implemented what Apache Hadoop is saying? Hortonworks did not provide it in writing / in their documentation. Your openssl s_client command test is surely one way and will help. But do you think a page/document from Horton exists anywhere stating that the hadoop.ssl.enabled.protocols property in the core-site.xml file can use the TLS protocol? Thanks for the help.
