@bgooley In CDH 6.3.x, this appears to have changed and the "https.py" file is slightly different now. It accepts the cipher_list as a configuration item. The way we secured Port 900 is by doing these steps: 1) Check to see if RC4 (and other weak ciphers) are open on Port 9000: openssl s_client -cipher RC4 -connect <server>:9000 -msg 2) Edit the "/etc/cloudera-scm-agent/config.ini" file 3) Under the "[Security]" section of the config.ini file, we added these lines: # Custom Cipher List to close vulnerabilities for port 9000 cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1 4) Restart the Cloudera CM-Agent: sudo service cloudera-scm-agent restart 5) Wait a minute or so and then rerun the OpenSSL command and RC4 (and other weak ciphers, if you test them) are closed: openssl s_client -cipher RC4 -connect <server>:9000 -msg It would be great if Cloudera could add this to their documentation on how to add this additional security to the CM Agent.
... View more
@AppaRao, We are working on publishing this publicly, but for now on CM/5.13.1 and higher: (1) Cloudera Manager: Update java.security for the Java version used by Cloudera Manager: - Open $JAVA_HOME/jre/lib/security/java.security in an editor Add or replace this line: - jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC (2) Impala: There are two different mechanisms to get TLS 1.2 support, depending on your operating system. On RHEL/CentOS 7, add the following to a CM Configuration Snippet (Safety Valve). Impala on RHEL/CentOS 7 In CM, add the following parameter in Impala's safety valve: Impala Command Line Argument Advanced Configuration Snippet (Safety Valve) -ssl_minimum_version=tlsv1.2 On RHEL/CentOS 6, the above flag unfortunately does not work. Add the following instead: Impala on RHEL/CentOS 6 In CM, add the following parameter in Impala's safety valve: Impala Command Line Argument Advanced Configuration Snippet (Safety Valve) -ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!SSLv3:!TLS1
... View more