@bgooley    Hi   That was quite a good list of steps I could find after searching a lot for procedures on upgrading the TLS 1.1 to 1.2.   I actually applied these steps on one of our test environment on CDH 5.13 cluster on centos 6 within our organization and submitted for the vulnerability scan and the report has come up with quite a number of ports still have TLS 1.1 vulnerability.   These are the ports:   11371 -- KTS server 11381-- postgresssql database 50475 External - Datanode-- dfs.datanode.https.address 13562 Yarn //mapreduce.shuffle.port 9093--kafka 8985 -- solr_https_port 8044 --Yarn,node manager --yarn. nodemanager. webapp.https.address 20550 --hbase.rest.port 19890-- Yarn Job history server, mapreduce. jobhistory. webapp.address 11443 -- Oozie server 9095 --Hbase Thrift server 8889 -- Hue load balancer 60010 -- hbase.master. info.port (http) 7187-- Cloudera manager server (metadataserve/https web UI) 50470 -- dfs.https.address or dfs.namenode.https-address (dfs.https.addressis deprecated (but still works) 14000 -- HttpFS 8481 --Hadoop --dfs.journalnode. https-address 8090 -- yarn. resourcemanager. webapp.https.address 8044 ---yarn. nodemanager. webapp.https.address 60030 -- hbase. regionserver. info.port.   please let us know how we can overcome/resolve this issue. Looking forward for your response.   Thanks Abdul ... View more

Since its pip for OS python as you recommended -- our KTS servers are Rhel 6 and centos 6 and we are unable to find the RPM for it which is above 13.1. There is a directory on our KTS servers which already seems to have pyopenssl version 0.14, I am not sure if this enough. /opt/cloudera/parcels/KEYTRUSTEE_SERVER-5.11.0-1.keytrustee5.11.0.p0.18/lib/python2.6/site-packages/pyOpenSSL-0.14-py2.6.egg-inf Other location where the Pyopenssl is located and have 0.13 version /usr/lib64/python2.6/site-packages/pyOpenSSL-0.13.1-py2.6.egg-info We tried to make changes to Java.security file to enforce TLS 1.2(but did not do any upgrades to Pyopenssl version) and made config changes in KTS service to use 1.2 and restarted both KTS and KMS services after that and they were able to start without throwing any errors. so I am kinda puzzled if KTS is already using the pyopenssl upgraded version from one of our locations or ? I read the the documentation from Cloudera where it says if we do not upgrade pyopenssl version and enforce TLS 1.2 by making changes to java.security, the services will not start and will throw errors but I was able start the services.   Please let us know if we missed anything or following the right procedure so far ? Thanks.         ... View more

HI Ben - We have pip installed in 3 places:  /usr/bin, /opt/anaconda/2 and /opt/anaconda/3.....which pip to use for the upgrade?  Want to make sure when it's upgraded Cloudera will pick it up.? please Guide. Thanks. ... View more

Thanks Ben for the response.     pyOpenSSL.x86_64                      0.13.1-2.el6   this is the version of PyOpenSSL we have on our KTS servers and these KTS servers are Rhel/Centos 6. ... View more