04-24-2020 02:30 PM
@bgooley In CDH 6.3.x, this appears to have changed and the "https.py" file is slightly different now. It accepts the cipher_list as a configuration item. The way we secured Port 9000 is by doing these steps:

1) Check to see if RC4 (and other weak ciphers) are open on Port 9000:
    openssl s_client -cipher RC4 -connect <server>:9000 -msg
2) Edit the "/etc/cloudera-scm-agent/config.ini" file
3) Under the "[Security]" section of the config.ini file, we added these lines:
    # Custom Cipher List to close vulnerabilities for port 9000
    cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1
4) Restart the Cloudera CM-Agent:
    sudo service cloudera-scm-agent restart
5) Wait a minute or so and then rerun the OpenSSL command and RC4 (and other weak ciphers, if you test them) are closed:
    openssl s_client -cipher RC4 -connect <server>:9000 -msg

It would be great if Cloudera could add this to their documentation on how to add this additional security to the CM Agent.
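The cipher_list value from step 3 can also be checked offline, before the agent is restarted. This is an added example, not part of the original post and not Cloudera's code: it reads cipher_list from a constructed config.ini and expands it with the local OpenSSL through Python's ssl module. It assumes the agent treats the value as an OpenSSL cipher string; WEAK_MARKERS is an assumed policy, not one taken from the post.

```python
import configparser
import ssl

# Constructed sample of the [Security] section described in the post above.
SAMPLE_CONFIG = """\
[Security]
# Custom Cipher List to close vulnerabilities for port 9000
cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1
"""

# Substrings of OpenSSL suite names treated as weak here (assumed policy).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def read_cipher_list(config_text):
    """Return cipher_list from [Security], or None if it is not set."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser.get("Security", "cipher_list", fallback=None)


def expand(cipher_list):
    """Resolve an OpenSSL cipher string to suite names using the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(config_text):
    """Return (suites, weak): every suite the setting allows and the weak ones."""
    cipher_list = read_cipher_list(config_text)
    if cipher_list is None:
        raise ValueError("cipher_list is not set under [Security]")
    suites = expand(cipher_list)
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    return suites, weak


if __name__ == "__main__":
    suites, weak = audit(SAMPLE_CONFIG)
    print(f"{len(suites)} suites allowed, {len(weak)} weak")
    for name in weak:
        print("WEAK:", name)
```

The expansion reflects the OpenSSL build that Python is linked against, so run it on the agent host and still confirm the result on the wire with the openssl s_client command from step 5.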
07-23-2018 10:16 PM
@AppaRao, We are working on publishing this publicly, but for now on CM/5.13.1 and higher:

(1) Cloudera Manager:
Update java.security for the Java version used by Cloudera Manager:
- Open $JAVA_HOME/jre/lib/security/java.security in an editor
- Add or replace this line:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC

(2) Impala:
There are two different mechanisms to get TLS 1.2 support, depending on your operating system. On RHEL/CentOS 7, add the following to a CM Configuration Snippet (Safety Valve).

Impala on RHEL/CentOS 7
In CM, add the following parameter in Impala's safety valve:
Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)
    -ssl_minimum_version=tlsv1.2

On RHEL/CentOS 6, the above flag unfortunately does not work. Add the following instead:

Impala on RHEL/CentOS 6
In CM, add the following parameter in Impala's safety valve:
Impala Command Line Argument Advanced Configuration Snippet (Safety Valve)
    -ssl_cipher_list=DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!SSLv3:!TLS1