Check out our series of SDX videos on our youtube channel for some examples of Atlas + Ranger in action as part of the CDP Shared Data Experience (SDX):   https://www.youtube.com/playlist?list=PLe-h9HrA9qfCj2SI5BrvCdQOEOjHUWMBB ... View more

@bgooley     In CDH 6.3.x, this appears to have changed and the "https.py" file is slightly different now.  It accepts the cipher_list as a configuration item.  The way we secured Port 900 is by doing these steps:   1) Check to see if RC4 (and other weak ciphers) are open on Port 9000:   openssl s_client -cipher RC4 -connect <server>:9000 -msg   2) Edit  the "/etc/cloudera-scm-agent/config.ini" file   3) Under the "[Security]" section of the config.ini file, we added these lines:   # Custom Cipher List to close vulnerabilities for port 9000 cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1   4) Restart the Cloudera CM-Agent:     sudo service cloudera-scm-agent restart   5) Wait a minute or so and then rerun the OpenSSL command and RC4 (and other weak ciphers, if you test them) are closed:   openssl s_client -cipher RC4 -connect <server>:9000 -msg   It would be great if Cloudera could add this to their documentation on how to add this additional security to the CM Agent. ... View more

Hi @rar59b ,   We are sorry to hear you are having some trouble.  Can you please open a new thread and provide us with some background (environment, product you are dealing with etc) of what you are trying to do and what is happening. The original thread is talking about datanode and your question seems to refer to HMS.   Thanks! Li ... View more

Hi Ihebert   Thanks for that clarification, I am following the document provided by cloudera support for the TLSv 1.2 upgrade for our CDH clusters. we have about 12 Clusters in our organization and the implementation is going pretty smooth with an exception of port 11371 and 11381. As you mentioned 11381 is postgress SQL and as of now do not provide any UI based methods for altering the TLS configuration for the backing Key Trustee Database. But for port 11371 also we are seeing TLSv 1.1 protocols still happening. we changed the Configs on KTS servers to TLSv 1.2 with the radio button and updated java.security file on those hosts. It is using TLS1.2 as well but we are not able restrict TLSv 1.1 on port 11371. Our KTS servers are using Centos 6 and Rhel 6 and Oracle JDK 7 and Keyhsm version is 5.4.*. I would be really grateful if I could get a solution for port 11371 as we anyhow upgrading all our cluster to 6.3 in near future so Port 11381 might get a fix with that but as of now our concern is port 11371.   Thanks Mannan.   ... View more