We have a tricky situation where a customer is looking for written proof of 'TLS' support for the web UIs of services on HDP 2.5.
They claim that only the Kafka documentation says that and no other service does: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html
Is there documentation, a link or written proof where he can specifically see 'TLS' support for HDP services? The argument is that the Cloudera documentation clearly states it everywhere. The issue is that he suspects Hortonworks still uses the old protocols/ciphers and not TLS, except for Kafka. Any pointers, links or documentation he can refer to?
As you know, TLS is a cryptographic protocol. SSL is its predecessor. TLS is still generically called SSL in documentation (see why: https://en.wikipedia.org/wiki/Transport_Layer_Security - read the first line). Cloudera's statement in their document is meaningless. They have no control over cryptographic protocol development or configuration in a specific environment. We could write in documentation that we also support floppy disks on servers. The Cloudera ecosystem is pretty much a compilation of open source projects, like Hortonworks, most of them identical. As such, those tools that Cloudera "put" so much effort into supporting TLS for :) are supported in Hortonworks as well. What are the tools that the customer is really concerned about? This is an easy test: just disable all protocols and keep TLS, add a proper certificate and try to access any web UI in the ecosystem.
To see how to enable SSL, look here:
This link is for HDP 2.4, but you should be able to find a similar one for other versions.
In summary, tell your customer that when SSL is enabled with HDP, whatever is allowed is used, e.g. SSL or TLS. That tight control is done at a lower level than the HDP platform. They can disable all weak protocols and keep TLS. The documentation clearly shows 1024-bit encryption key examples.
Dear Stanca, I agree with you on all the points, but you know sometimes lack of knowledge makes things difficult. As a culture in Finland & Sweden, some of these senior non-IT executives want to see specific written words, especially when a competitor has something in writing. The last reply from Jay and your reply are both helpful for the test which we are now proposing to prove it, in terms of disabling SSL and enabling only TLS, followed by an OpenSSL s_client test. You would also agree that in a competitive situation (Cloudera writing 'TLS' and Hortonworks not in their documentation), it is hard to argue why Cloudera says it and Hortonworks does not. Thanks for the details & help.
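The "easy test" from the answer above and the OpenSSL client test mentioned in the reply can be scripted so the result is a written record the customer can keep. The following is an added example, not code from the thread or from Hortonworks: it asks `openssl s_client` for a handshake with one protocol version at a time against an HTTPS endpoint and parses what was negotiated. The host name `namenode.example.internal` and port `50470` are placeholders; substitute the web UI under test. A hardened HDP endpoint should report `none` for `ssl3` (and for `tls1`/`tls1_1` once those are disabled) and a TLS version for `tls1_2` or `tls1_3`.

```shell
#!/bin/sh
# Added example (not from the original thread): probe an HTTPS endpoint with
# openssl s_client, one protocol version at a time, and report which versions
# the server actually negotiates. HOST and PORT are assumed placeholders.
HOST="${HOST:-namenode.example.internal}"   # assumed; replace with the real web UI host
PORT="${PORT:-50470}"                        # assumed; replace with the real HTTPS port

# Protocol flags understood by openssl s_client, oldest first.
PROTOCOLS="ssl3 tls1 tls1_1 tls1_2 tls1_3"

# Parse s_client output on stdin and print the negotiated protocol, or "none"
# when no handshake completed. On failure s_client prints "Cipher is (NONE)";
# an unsupported flag produces usage text with no "Protocol :" line at all.
negotiated_protocol() {
  awk '
    /^New, .*Cipher is \(NONE\)/ { failed = 1 }
    /^[[:space:]]*Protocol[[:space:]]*:/ {
      sub(/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*/, "")
      proto = $0
    }
    END { if (failed || proto == "") print "none"; else print proto }
  '
}

# One handshake attempt for a single protocol flag (e.g. tls1_2 -> -tls1_2).
probe() {
  openssl s_client -connect "$HOST:$PORT" "-$1" </dev/null 2>&1 | negotiated_protocol
}

# Walk every version and print a one-line verdict per protocol. Keep the
# output with the change record: it is the written evidence of TLS-only service.
audit() {
  for p in $PROTOCOLS; do
    printf '%-8s -> %s\n' "$p" "$(probe "$p")"
  done
}

# Run the audit only when invoked explicitly:  HOST=... PORT=... sh tls_probe.sh run
if [ "${1:-}" = "run" ]; then
  audit
fi
```

The parser is deliberately separate from the network call so its verdict can be checked on saved `s_client` transcripts; `negotiated_protocol` reads the `New, ..., Cipher is ...` summary and the `Protocol :` line of the `SSL-Session` block, which is the same output format across OpenSSL 1.0/1.1 builds found on HDP-era hosts.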