Hi Ihebert   Thanks for that clarification, I am following the document provided by cloudera support for the TLSv 1.2 upgrade for our CDH clusters. we have about 12 Clusters in our organization and the implementation is going pretty smooth with an exception of port 11371 and 11381. As you mentioned 11381 is postgress SQL and as of now do not provide any UI based methods for altering the TLS configuration for the backing Key Trustee Database. But for port 11371 also we are seeing TLSv 1.1 protocols still happening. we changed the Configs on KTS servers to TLSv 1.2 with the radio button and updated java.security file on those hosts. It is using TLS1.2 as well but we are not able restrict TLSv 1.1 on port 11371. Our KTS servers are using Centos 6 and Rhel 6 and Oracle JDK 7 and Keyhsm version is 5.4.*. I would be really grateful if I could get a solution for port 11371 as we anyhow upgrading all our cluster to 6.3 in near future so Port 11381 might get a fix with that but as of now our concern is port 11371.   Thanks Mannan.   ... View more

@Harsh J    I'm getting the same kind of issue/error while running the spark Job.  "JA009    JA009: org.apache.hive.hcatalog.common.HCatException : 9001 : Exception occurred while processing HCat request : TException while getting delegation token.. Cause : org.apache.thrift.transport.TTransportException: java.net.SocketTimeoutException: Read timed out " We are currently using CDH Version and CManager Version (5.13.3). So can you Please suggest me whether the procedure you provided in Version 5.1.1* above can be applied for 5.13 .  Appreciate your response.   Thanks Mannan. ... View more

@bgooley    Hi   That was quite a good list of steps I could find after searching a lot for procedures on upgrading the TLS 1.1 to 1.2.   I actually applied these steps on one of our test environment on CDH 5.13 cluster on centos 6 within our organization and submitted for the vulnerability scan and the report has come up with quite a number of ports still have TLS 1.1 vulnerability.   These are the ports:   11371 -- KTS server 11381-- postgresssql database 50475 External - Datanode-- dfs.datanode.https.address 13562 Yarn //mapreduce.shuffle.port 9093--kafka 8985 -- solr_https_port 8044 --Yarn,node manager --yarn. nodemanager. webapp.https.address 20550 --hbase.rest.port 19890-- Yarn Job history server, mapreduce. jobhistory. webapp.address 11443 -- Oozie server 9095 --Hbase Thrift server 8889 -- Hue load balancer 60010 -- hbase.master. info.port (http) 7187-- Cloudera manager server (metadataserve/https web UI) 50470 -- dfs.https.address or dfs.namenode.https-address (dfs.https.addressis deprecated (but still works) 14000 -- HttpFS 8481 --Hadoop --dfs.journalnode. https-address 8090 -- yarn. resourcemanager. webapp.https.address 8044 ---yarn. nodemanager. webapp.https.address 60030 -- hbase. regionserver. info.port.   please let us know how we can overcome/resolve this issue. Looking forward for your response.   Thanks Abdul ... View more

Since its pip for OS python as you recommended -- our KTS servers are Rhel 6 and centos 6 and we are unable to find the RPM for it which is above 13.1. There is a directory on our KTS servers which already seems to have pyopenssl version 0.14, I am not sure if this enough. /opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.11.0-1.keytrustee5.11.0.p0.18/lib/python2.6/site-packages/pyOpenSSL-0.14-py2.6.egg-inf Other location where the Pyopenssl is located and have 0.13 version /usr/lib64/python2.6/site-packages/pyOpenSSL-0.13.1-py2.6.egg-info We tried to make changes to Java.security file to enforce TLS 1.2(but did not do any upgrades to Pyopenssl version) and made config changes in KTS service to use 1.2 and restarted both KTS and KMS services after that and they were able to start without throwing any errors. so I am kinda puzzled if KTS is already using the pyopenssl upgraded version from one of our locations or ? I read the the documentation from Cloudera where it says if we do not upgrade pyopenssl version and enforce TLS 1.2 by making changes to java.security, the services will not start and will throw errors but I was able start the services.   Please let us know if we missed anything or following the right procedure so far ? Thanks.         ... View more

HI Ben - We have pip installed in 3 places:  /usr/bin, /opt/anaconda/2 and /opt/anaconda/3.....which pip to use for the upgrade?  Want to make sure when it's upgraded Cloudera will pick it up.? please Guide. Thanks. ... View more

Thanks Ben for the response.     pyOpenSSL.x86_64                      0.13.1-2.el6   this is the version of PyOpenSSL we have on our KTS servers and these KTS servers are Rhel/Centos 6. ... View more