05-12-2020
08:11 AM
Check out our series of SDX videos on our YouTube channel for some examples of Atlas + Ranger in action as part of the CDP Shared Data Experience (SDX): https://www.youtube.com/playlist?list=PLe-h9HrA9qfCj2SI5BrvCdQOEOjHUWMBB
04-24-2020
02:30 PM
@bgooley In CDH 6.3.x, this appears to have changed and the "https.py" file is slightly different now. It accepts the cipher_list as a configuration item. The way we secured Port 900 is by doing these steps:

1) Check to see if RC4 (and other weak ciphers) are open on Port 9000:

    openssl s_client -cipher RC4 -connect <server>:9000 -msg

2) Edit the "/etc/cloudera-scm-agent/config.ini" file

3) Under the "[Security]" section of the config.ini file, we added these lines:

    # Custom Cipher List to close vulnerabilities for port 9000
    cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1

4) Restart the Cloudera CM-Agent:

    sudo service cloudera-scm-agent restart

5) Wait a minute or so and then rerun the OpenSSL command and RC4 (and other weak ciphers, if you test them) are closed:

    openssl s_client -cipher RC4 -connect <server>:9000 -msg

It would be great if Cloudera could add this to their documentation on how to add this additional security to the CM Agent.
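An offline pre-check to go with steps 3 and 5 of the post above, as an added example that is not part of the original post or of Cloudera's code: it reads cipher_list from the [Security] section and expands it with the local OpenSSL build to list any weak suites it would still enable. The function names, the marker list and the sample config text are assumptions constructed for illustration.

```python
import configparser
import ssl

# Substrings that mark suites the post's cipher_list is meant to exclude.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "ADH", "DSS")

# Constructed sample of the [Security] section after step 3 of the post.
SAMPLE_CONFIG = """\
[Security]
# Custom Cipher List to close vulnerabilities for port 9000
cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1
"""


def read_cipher_list(config_text):
    """Return cipher_list from [Security], or None when it is not set."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser.get("Security", "cipher_list", fallback=None)


def expand_cipher_list(cipher_list):
    """Expand an OpenSSL cipher string with the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []  # the string selects no suite on this build
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(cipher_list):
    """Return the enabled suites whose names carry a weak-cipher marker."""
    return [name for name in expand_cipher_list(cipher_list)
            if any(marker in name for marker in WEAK_MARKERS)]


def audit(config_text):
    """Return (status, weak suites) for one agent config.ini."""
    cipher_list = read_cipher_list(config_text)
    if cipher_list is None:
        return "cipher_list not set", []
    weak = weak_suites(cipher_list)
    return ("weak suites enabled" if weak else "ok"), weak


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(audit("[Security]\nuse_tls=1\n"))  # constructed: no cipher_list line
```

The expansion reflects the OpenSSL build on the machine running the script, which may differ from the one the agent uses, so the `openssl s_client` run against port 9000 in step 5 remains the authoritative check.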
04-03-2020
03:10 PM
Hi @rar59b ,
We are sorry to hear you are having some trouble. Can you please open a new thread and provide us with some background (environment, product you are dealing with, etc.) on what you are trying to do and what is happening? The original thread is talking about datanode and your question seems to refer to HMS.
Thanks!
Li
11-11-2019
11:18 AM
Hi Ihebert,

Thanks for that clarification. I am following the document provided by Cloudera support for the TLSv1.2 upgrade for our CDH clusters. We have about 12 clusters in our organization and the implementation is going pretty smoothly, with the exception of ports 11371 and 11381. As you mentioned, 11381 is PostgreSQL and as of now does not provide any UI-based methods for altering the TLS configuration for the backing Key Trustee Database. But for port 11371 we are also seeing TLSv1.1 protocols still happening. We changed the configs on the KTS servers to TLSv1.2 with the radio button and updated the java.security file on those hosts. It is using TLS 1.2 as well, but we are not able to restrict TLSv1.1 on port 11371. Our KTS servers are using CentOS 6 and RHEL 6 and Oracle JDK 7, and the Keyhsm version is 5.4.*. I would be really grateful if I could get a solution for port 11371. We are anyhow upgrading all our clusters to 6.3 in the near future, so port 11381 might get a fix with that, but as of now our concern is port 11371.

Thanks,
Mannan.
10-05-2019
12:43 AM
The original issue described here is not applicable to your version. In your case it could simply be a misconfiguration that's causing Oozie to not load the right Hive configuration required to talk to the Hive service. Try enabling debug logging on the Oozie server if you are unable to find an error in it. Also try to locate files or jars in your workflow that may be supplying an invalid Hive client XML.
07-24-2019
11:02 AM
https://community.cloudera.com/t5/Cloudera-Manager-Installation/How-can-we-disable-TLSv1-cipher-for-the-Cloudera-Platform/td-p/25706