Created on 05-16-2017 05:03 PM - edited 09-16-2022 04:37 AM
We want to remove support for TLS v1 and less secure ciphers. I wasn't able to find any documentation for either Cloudera Manager or Impala regarding how to accomplish this. Turning TLS/SSL on and off is quite clear, but I can't find any detailed settings.
I tried searching on here and was also unable to find anything related.
Could someone point me to documentation or a guide?
Many thanks.
Created 10-27-2017 05:11 AM
We are having this issue too. We have been advised by our security analysts that although this nominally presents a low risk, when the consequences of a breach are of a certain proportion it should be addressed.
I have searched around for guidance but found nothing I can apply except the following:
Adding this property to ssl_security.xml:

<property>
  <name>ssl.server.exclude.cipher.list</name>
  <!-- comma-separated list of cipher suite names, no spaces inside a name -->
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_RSA_WITH_DES_CBC_SHA,
    SSL_DHE_RSA_WITH_DES_CBC_SHA,
    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_RSA_WITH_RC4_128_MD5,
    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
    TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
    TLS_KRB5_EXPORT_WITH_RC4_40_MD5</value>
  <description>Optional. The weak security cipher suites that you want excluded from SSL communication.</description>
</property>
However, there seems to be no mechanism by which I can apply this property.
Could someone please advise on how we can effect this change?
Created 07-21-2018 01:03 PM
Hi Andy,
Did you finally figure out a documented procedure to disable TLS 1.0 and 1.1?
Created 07-21-2018 01:06 PM
Hi,
Did you finally manage to get a documented procedure to restrict TLS 1.0 and 1.1?
Created 07-23-2018 10:16 PM
We are working on publishing this publicly, but for now on CM 5.13.1 and higher:

(1) Cloudera Manager:
Update java.security for the Java version used by Cloudera Manager:
- Open $JAVA_HOME/jre/lib/security/java.security in an editor
- Add or replace this line:
  jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC

(2) Impala:
There are two different mechanisms to get TLS 1.2 support, depending on your operating system. On RHEL/CentOS 7, add the following to a CM Configuration Snippet (Safety Valve).

Impala on RHEL/CentOS 7
In CM, add the following parameter to Impala's safety valve (Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)):
  -ssl_minimum_version=tlsv1.2

On RHEL/CentOS 6, the above flag unfortunately does not work. Add the following instead:

Impala on RHEL/CentOS 6
In CM, add the following parameter to Impala's safety valve (Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)):
  -ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!SSLv3:!TLS1
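Once the java.security, -ssl_minimum_version or -ssl_cipher_list change above is in place and the service restarted, the thing a practitioner actually wants is proof that the listener behaves as intended. The script below is an added example for this thread, not Cloudera tooling or anything from the posts above: it drives openssl s_client against an endpoint, attempts TLS 1.0, 1.1 and 1.2 handshakes plus a handshake that offers only the legacy cipher families targeted by the exclusion list earlier in the thread (RC4, DES/3DES, export and anonymous suites), and compares each outcome against the expected policy. The host name in the usage line is made up; 21050 is Impala's default HiveServer2 port, and the availability of openssl(1) and timeout(1) on the probing host is assumed.

```shell
#!/bin/sh
# Verification companion for the TLS hardening steps in this thread (added
# example, not Cloudera's tooling). Probes a TLS listener with openssl s_client
# and checks that TLS 1.0/1.1 and legacy cipher families are refused while
# TLS 1.2 is still accepted. Host names are assumptions; 21050 is Impala's
# default HiveServer2 port. Needs openssl(1); uses timeout(1) when present so a
# black-holed port cannot hang the audit.

# classify_handshake STATUS OUTPUT -> accepted | refused | client-unable
# STATUS is s_client's exit code, OUTPUT its combined stdout+stderr.
classify_handshake() {
  status=$1
  output=$2
  if printf '%s\n' "$output" | grep -q -E 'no protocols available|error setting cipher list|unknown option'; then
    # The local OpenSSL would not even offer this version/cipher set, so the
    # run says nothing about the server (typical for -tls1 on OpenSSL 3).
    echo client-unable
  elif printf '%s\n' "$output" | grep -q -E 'Cipher is \(NONE\)|Cipher *: *0000|alert handshake failure|alert protocol version|wrong version number'; then
    echo refused
  elif [ "$status" -eq 0 ] && printf '%s\n' "$output" | grep -q 'Cipher is '; then
    echo accepted
  else
    echo refused
  fi
}

# expected_verdict CHECK -> what a correctly hardened server should do.
expected_verdict() {
  case $1 in
    tls1|tls1_1|weak-ciphers) echo refused ;;
    tls1_2)                   echo accepted ;;
    *)                        echo unknown ;;
  esac
}

# probe HOST PORT S_CLIENT_FLAG CIPHERS -> verdict for one handshake attempt.
probe() {
  runner=""
  command -v timeout >/dev/null 2>&1 && runner="timeout 10"
  status=0
  out=$($runner openssl s_client -connect "$1:$2" "$3" -cipher "$4" </dev/null 2>&1) || status=$?
  classify_handshake "$status" "$out"
}

# audit_host HOST PORT: one PASS/FAIL/SKIP line per check, returns 1 on any FAIL.
# ":@SECLEVEL=0" re-enables legacy versions/ciphers in the probing client on
# OpenSSL >= 1.1.1; on an OpenSSL 1.0.x client run with PROBE_SECLEVEL= (empty).
audit_host() {
  host=$1; port=$2; rc=0
  seclevel=${PROBE_SECLEVEL-:@SECLEVEL=0}
  base="DEFAULT$seclevel"
  # Only the families the thread's exclusion lists target, so that a successful
  # TLS 1.2 handshake here can only mean one of them is still enabled.
  weak="RC4:DES:3DES:EXPORT:aNULL:eNULL:LOW$seclevel"
  for check in tls1 tls1_1 tls1_2 weak-ciphers; do
    case $check in
      weak-ciphers) got=$(probe "$host" "$port" -tls1_2 "$weak") ;;
      *)            got=$(probe "$host" "$port" "-$check" "$base") ;;
    esac
    want=$(expected_verdict "$check")
    if [ "$got" = client-unable ]; then
      printf 'SKIP %-12s %s:%s (local openssl cannot offer this)\n' "$check" "$host" "$port"
    elif [ "$got" = "$want" ]; then
      printf 'PASS %-12s %s:%s -> %s\n' "$check" "$host" "$port" "$got"
    else
      printf 'FAIL %-12s %s:%s -> %s (expected %s)\n' "$check" "$host" "$port" "$got" "$want"
      rc=1
    fi
  done
  return $rc
}

# Usage (host name is a placeholder): sh tls_audit.sh impala-host.example.com 21050
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  audit_host "$1" "$2"
fi
```

A SKIP line means the probing client, not the server, declined the attempt, so run the audit from a host whose OpenSSL can still speak TLS 1.0/1.1 (or accept that those rows cannot be verified from there). A FAIL on tls1_2 after applying the RHEL/CentOS 6 cipher-string approach usually means the cipher string also removed the TLS 1.2 suites the server needs, which is worth checking before reading anything into the tls1 and tls1_1 rows.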