Not able to disable TLSv1, TLSv1.1 on Apache Yarn

Hi,
 
I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
Some background: we run an HDP cluster, version 2.6.3.0-235.
After scraping the web for the specific configuration I need to disable the algorithms, the only solution I found is to configure "jdk.tls.disabledAlgorithms".
 
I have set it both in "java.security" file and in the jvm arguments themselves (via yarn-env setting in Ambari).
 
In java.security:

 

jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1

 

 
When I check the running process I see the following jvm arguments (due to the setting in yarn-env):

 

/usr/jdk64/jdk1.8.0_112/bin/java -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235 -Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1 -Dhadoop...

 

 
But, when I check the supported TLS versions on the resource manager port (8190 in my case), TLSv1 and TLSv1.1 are still supported.
 
Any help, ideas, and suggestions on how to correctly configure the TLS version support would be appreciated.
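
An added example, not part of the original post and not Hortonworks or JDK code: `jdk.tls.disabledAlgorithms` is a Java security property that JSSE reads from the `java.security` file, not a system property, so the `-Djdk.tls.disabledAlgorithms=...` argument on the command line does not set it. The sketch below audits a JVM command line together with a `java.security` file and reports which file the JVM reads and which legacy protocols that file leaves enabled. Assumptions: the JDK 8 directory layout, a command line abridged from the post, and the hypothetical helper names `parse_security_props` and `audit`.

```python
import shlex

PROP = "jdk.tls.disabledAlgorithms"

# Abridged from the command line in the post; only the relevant arguments kept.
CMDLINE = ("/usr/jdk64/jdk1.8.0_112/bin/java -Dproc_resourcemanager -Xmx1024m "
           "-Dhdp.version=2.6.3.0-235 -Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1")
# The java.security entry as posted.
SECURITY_TEXT = r"""
jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1
"""

def parse_security_props(text):
    """Parse java.security text: '#' comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def audit(cmdline, security_text, legacy=("TLSv1", "TLSv1.1")):
    """Report where the JVM reads the property and which legacy protocols stay enabled."""
    argv = shlex.split(cmdline)
    java_home = argv[0].rsplit("/bin/java", 1)[0]
    report = {
        # Assumption: JDK 8 layout (JDK 9+ uses <home>/conf/security/java.security).
        "file_read_by_jvm": java_home + "/jre/lib/security/java.security",
        "ignored_system_property": None,  # -D sets a system property, not a security property
        "override_file": None,            # -Djava.security.properties=<file>, honoured by default
    }
    for arg in argv[1:]:
        if arg.startswith("-D" + PROP + "="):
            report["ignored_system_property"] = arg
        elif arg.startswith("-Djava.security.properties="):
            report["override_file"] = arg.split("=", 1)[1].lstrip("=")
    value = parse_security_props(security_text).get(PROP, "")
    entries = [e.strip() for e in value.split(",")]
    report["still_enabled"] = [p for p in legacy if p not in entries]
    return report

if __name__ == "__main__":
    for key, val in audit(CMDLINE, SECURITY_TEXT).items():
        print(f"{key}: {val}")
```

The result is only meaningful when `security_text` is the content of the file reported as `file_read_by_jvm` on the ResourceManager host, since a host can carry several JDK installs, each with its own `java.security`.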