Support Questions

Find answers, ask questions, and share your expertise

How to restrict TLS versions and ciphers allowed for Cloudera Manager and Impala?

avatar
New Contributor

We want to remove TLS v1 and less secure ciphers from being supported.  I wasn't able to find any documentation for either Cloudera Manager or Impala regarding how to accomplish this.  Turning on/off TLS/SSL is quite clear but I can't find any detailed settings.

 

I tried searching on here and was also unable to find anything related.

 

Could someone point me to documentation or a guide?

 

Many thanks.

4 REPLIES 4

avatar
Explorer

We are having this issue too, We have been advised by our security analysts that although this nominally presents a low risk, when the consequences of a breach are of a certain proportion this should be addressed.

 

I have searched around for guidance but found nothing I can apply except the following:

 

adding this property to ssl_security.xml 

 

<property>
  <name>ssl.server.exclude.cipher.list</name>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
  SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DH_anon_EXPORT_WITH_RC4_40_MD5|TLS_KRB5_EXPORT_WITH_RC4_40_SHA|TLS_KRB5_EXPORT_WITH_RC4_40_MD5</value> <description>Optional. The weak security cipher suites that you want excluded from SSL communication.</description> </property>

 

however there seems to be no mechanism by which I can apply this property. 

 

Please could someone advise on how we can affect this change. 

avatar
New Contributor

Hi Andy,

 

Did you finally figure out documented procedure to disable TLS 1.0 and 1.1?

avatar
New Contributor

Hi,

 

Did you finally managed to get documented procedure to restrict TLS 1.0 and 1.1?

avatar
Master Guru

@AppaRao,

 

We are working on publishing this publicly, but for now on CM/5.13.1 and higher:

 

(1)

 

Cloudera Manager:

 

Update java.security for the Java version used by Cloudera Manager:

 

- Open $JAVA_HOME/jre/lib/security/java.security in an editor
Add or replace this line:

- jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC

 

(2)

 

Impala:

 

There are two different mechanisms to get TLS 1.2 support, depending on your operating system. On RHEL/CentOS 7, add the following to a CM Configuration Snippet (Safety Valve).

 

Impala on RHEL/CentOS 7
In CM, add the following parameter in Impala's safety valve: Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)
-ssl_minimum_version=tlsv1.2

 

On RHEL/CentOS 6, the above flag unfortunately does not work. Add the following instead:

 

Impala on RHEL/CentOS 6

 

In CM, add the following parameter in Impala's safety valve: Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)


-ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!SSLv3:!TLS1