Member since 12-18-2018 | 11 Posts | 2 Kudos Received | 1 Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1211 | 07-24-2019 11:02 AM |
05-08-2020 09:22 AM
Hi, in our organization we are soon going to upgrade from CDH 5.16 to CDP, and there will be a lot of changes we will encounter, as many services in Cloudera will be replaced. One of the services will be Cloudera Navigator, which will be replaced with Atlas. So I would like to understand the key differences, functionality and why to choose Atlas instead of Cloudera Navigator, and how complex it is in usage when compared to Atlas. I would greatly appreciate any help and insight on this topic. Thanks, Mannan.
Labels: Apache Atlas, Cloudera Navigator
11-11-2019 11:18 AM
Hi Ihebert, thanks for that clarification. I am following the document provided by Cloudera support for the TLSv1.2 upgrade for our CDH clusters. We have about 12 clusters in our organization and the implementation is going pretty smoothly, with the exception of ports 11371 and 11381. As you mentioned, 11381 is PostgreSQL, and as of now there are no UI-based methods for altering the TLS configuration for the backing Key Trustee database. But for port 11371 we are also seeing TLSv1.1 protocols still happening. We changed the configs on the KTS servers to TLSv1.2 with the radio button and updated the java.security file on those hosts. It is using TLS 1.2 as well, but we are not able to restrict TLSv1.1 on port 11371. Our KTS servers are using CentOS 6 and RHEL 6 and Oracle JDK 7, and the KeyHSM version is 5.4.*. I would be really grateful if I could get a solution for port 11371. We are anyhow upgrading all our clusters to 6.3 in the near future, so port 11381 might get a fix with that, but as of now our concern is port 11371. Thanks, Mannan.
10-04-2019 02:03 PM
@Harsh J I'm getting the same kind of issue/error while running the Spark job: "JA009 JA009: org.apache.hive.hcatalog.common.HCatException : 9001 : Exception occurred while processing HCat request : TException while getting delegation token.. Cause : org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out " We are currently using CDH version and CManager version (5.13.3). So can you please suggest whether the procedure you provided in version 5.1.1* above can be applied for 5.13? Appreciate your response. Thanks, Mannan.
09-05-2019 11:15 AM
@bgooley Hi, that was quite a good list of steps, which I could find after searching a lot for procedures on upgrading TLS 1.1 to 1.2. I actually applied these steps on one of our test environments, a CDH 5.13 cluster on CentOS 6 within our organization, and submitted it for the vulnerability scan, and the report has come up with quite a number of ports that still have the TLS 1.1 vulnerability. These are the ports:
- 11371 -- KTS server
- 11381 -- PostgreSQL database
- 50475 -- External - Datanode -- dfs.datanode.https.address
- 13562 -- Yarn // mapreduce.shuffle.port
- 9093 -- Kafka
- 8985 -- solr_https_port
- 8044 -- Yarn, node manager -- yarn.nodemanager.webapp.https.address
- 20550 -- hbase.rest.port
- 19890 -- Yarn Job history server, mapreduce.jobhistory.webapp.address
- 11443 -- Oozie server
- 9095 -- HBase Thrift server
- 8889 -- Hue load balancer
- 60010 -- hbase.master.info.port (http)
- 7187 -- Cloudera manager server (metadataserve/https web UI)
- 50470 -- dfs.https.address or dfs.namenode.https-address (dfs.https.address is deprecated (but still works))
- 14000 -- HttpFS
- 8481 -- Hadoop -- dfs.journalnode.https-address
- 8090 -- yarn.resourcemanager.webapp.https.address
- 8044 -- yarn.nodemanager.webapp.https.address
- 60030 -- hbase.regionserver.info.port

Please let us know how we can overcome/resolve this issue. Looking forward to your response. Thanks, Abdul
08-05-2019 05:03 PM
Since it's pip for OS Python as you recommended: our KTS servers are RHEL 6 and CentOS 6, and we are unable to find the RPM for it which is above 13.1. There is a directory on our KTS servers which already seems to have pyOpenSSL version 0.14; I am not sure if this is enough.
/opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.11.0-1.keytrustee5.11.0.p0.18/lib/python2.6/site-packages/pyOpenSSL-0.14-py2.6.egg-inf
The other location where pyOpenSSL is located has version 0.13:
/usr/lib64/python2.6/site-packages/pyOpenSSL-0.13.1-py2.6.egg-info
We tried to make changes to the java.security file to enforce TLS 1.2 (but did not do any upgrades to the pyOpenSSL version), made config changes in the KTS service to use 1.2, and restarted both the KTS and KMS services after that, and they were able to start without throwing any errors. So I am kind of puzzled whether KTS is already using the upgraded pyOpenSSL version from one of our locations or not. I read the documentation from Cloudera where it says that if we do not upgrade the pyOpenSSL version and enforce TLS 1.2 by making changes to java.security, the services will not start and will throw errors, but I was able to start the services. Please let us know if we missed anything or whether we are following the right procedure so far. Thanks.
08-01-2019 12:47 PM
Hi Ben - We have pip installed in 3 places: /usr/bin, /opt/anaconda/2 and /opt/anaconda/3. Which pip should we use for the upgrade? We want to make sure that when it's upgraded, Cloudera will pick it up. Please guide. Thanks.
07-25-2019 04:03 PM
Thanks, Ben, for the response. pyOpenSSL.x86_64 0.13.1-2.el6 is the version of pyOpenSSL we have on our KTS servers, and these KTS servers are RHEL/CentOS 6.
07-24-2019 03:49 PM
1 Kudo
The pyOpenSSL version on the Key Trustee Server cluster should be updated to 16.2 before changing the TLS version to 1.2. If pyOpenSSL is not updated, KTS service fails to restart and throws errors.
This was a response given by a Cloudera engineer if I want to upgrade to TLSv1.2 on KTS servers.
My question is: we are using RHEL/CentOS 6 for our KTS servers, so is this version of pyOpenSSL compatible with CentOS/RHEL 6?
If not, what is the workaround? Currently all our KTS clusters are on RHEL/CentOS 6.
I am unable to find an RPM for pyOpenSSL version 16.2 compatible with RHEL/CentOS 6 available online.
Please help.
Labels: Cloudera Navigator Key Trustee
07-24-2019 11:02 AM
https://community.cloudera.com/t5/Cloudera-Manager-Installation/How-can-we-disable-TLSv1-cipher-for-the-Cloudera-Platform/td-p/25706
06-10-2019 02:01 PM
We have a security requirement to be on TLS 1.2 by the end of this year, so we need to know whether 1.2 is compatible with the current version of CDH we are on, 5.13. If not, what is not supported? The other part of my question is whether TLS version 1.2 will run on CDH version 5.13, supporting all the applicable components/services. We would also like to confirm whether the PostgreSQL of KTS supports TLS 1.2.
Labels: Cloudera Manager, Security
03-08-2019 11:29 AM
1 Kudo
I got the error message below in the logs on 2 datanodes. A hard restart fixed this problem, but I wanted to know what prompted that error. If someone can throw light on it, I will greatly appreciate it.
DataXceiver error processing unknown operation src: /10.13.162.216:56080 dst: /10.13.161.101:1204 javax.security.sasl.SaslException: DIGEST-MD5: IO error acquiring password [Caused by org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException: Can't re-compute encryption key for nonce, since the required block key (keyID=1900417437) doesn't exist.
Labels: Cloudera Manager