Cloudera Community
BrettM
user rank
Contributor

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎04-24-2020 02:30 PM
‎04-24-2020 02:30 PM
@bgooley    In CDH 6.3.x, this appears to have changed and the "https.py" file is slightly different now.  It accepts the cipher_list as a configuration item.  The way we secured Port 900 is by doing these steps:   1) Check to see if RC4 (and other weak ciphers) are open on Port 9000:   openssl s_client -cipher RC4 -connect <server>:9000 -msg   2) Edit the "/etc/cloudera-scm-agent/config.ini" file   3) Under the "[Security]" section of the config.ini file, we added these lines:   # Custom Cipher List to close vulnerabilities for port 9000 cipher_list=HIGH:!DSS:!DH:!ADH:!DES:!3DES:!SHA1:!RC4:!aNULL:!eNULL:!EXPORT:!SSLv2:!SSLv3:!TLSv1   4) Restart the Cloudera CM-Agent:     sudo service cloudera-scm-agent restart   5) Wait a minute or so and then rerun the OpenSSL command and RC4 (and other weak ciphers, if you test them) are closed:   openssl s_client -cipher RC4 -connect <server>:9000 -msg   It would be great if Cloudera could add this to their documentation on how to add this additional security to the CM Agent. ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎08-05-2019 01:28 PM
‎08-05-2019 01:28 PM
@bgooley    Our scan back from Nessus is good on Port 9000. We are not getting any of those aforementioned issues with the previous update from last week you provided.    I was just letting you know the original message I was getting back about Port 9000. I agree the !HIGH would have removed the RC4 cipher.   We are good, this issue on Port 9000 is remediated.  Thank You very much!   Thanks, Brett ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎08-05-2019 11:04 AM
‎08-05-2019 11:04 AM
@bgooley ,   To be honest, I only got this information below and don't 100% understand it because I am not security expert. This is might make more sense to you:   Vulnerability #1: SSL Medium Strength Cipher Suites Supported (SWEET32)   Medium Strength Ciphers (> 64-bit and < 112-bit key or 3DES) KRB5-DES-CBC3-MD5 Kx=KRB5 Au=KRB5 Enc=3DES-CBC(168) Mac=MD5  KRB5-DES-CBC3-SHA Kx=KRB5 Au=KRB5 Enc=3DES-CBC(168) Mac=SHA1  DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}   Vulnerability #2: SSL RC4 Cipher Suites Supported (Bar Mitzvah)   List of RC4 cipher suites supported by the remote server : High Strength Ciphers (>= 112-bit key) KRB5-RC4-MD5 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5 KRB5-RC4-SHA Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1   The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code}   I hope this means something to you. 🙂   Thanks, Brett   ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎08-02-2019 07:45 AM
‎08-02-2019 07:45 AM
Hi @bgooley,   We applied that additional line of code to the "https.py" file and our scan came back clean on port 9000 for these two vulnerabilities:   https://www.tenable.com/plugins/nessus/42873  and described here: https://www.openssl.org/blog/blog/2016/08/24/sweet32/ 2.   https://www.tenable.com/plugins/nnm/7282  also described here: https://www.secpod.com/blog/cve-2015-2808-bar-mitzvah-attack-in-rc4-2/   Thank you very much!   Do you have any insight into when both of these updates to the "https.py" will be GA?   Thanks, Brett ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎07-26-2019 08:59 AM
‎07-26-2019 08:59 AM
@bgooley    So we had another scan on the system and the following two vulnerabilities are still showing up on Port 9000 even after we put in that TLS v1.1 fix.    https://www.tenable.com/plugins/nessus/42873  and described here: https://www.openssl.org/blog/blog/2016/08/24/sweet32/ 2.   https://www.tenable.com/plugins/nnm/7282  also described here: https://www.secpod.com/blog/cve-2015-2808-bar-mitzvah-attack-in-rc4-2/   For item #1, none of these commands returned a success: openssl s_client -connect <servername>:9000 -cipher "DES:3DES" -ssl2 openssl s_client -connect <servername>:9000 -cipher "DES:3DES" -ssl3 openssl s_client -connect <servername>:9000 -cipher "DES:3DES" -tls1 openssl s_client -connect <servername>:9000 -cipher "DES:3DES" -tls1_1   For item #1, this command returned a success: openssl s_client -connect <servername>:9000 -cipher "DES:3DES" -tls1_2   For item #2, I can run this command it shows RC4 cipher is being supported on port 9000   openssl s_client -cipher RC4 -connect <servername>:9000 -msg < /dev/null   Please advise.   Thanks, Brett ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎07-19-2019 04:53 PM
‎07-19-2019 04:53 PM
@bgooley    That worked great.  I ran this command and the TLS1_1 just hung as you suggested.  Thank You!   > openssl s_client -connect <server_name>:9000 -tls1_1 -msg < /dev/null CONNECTED(00000003) >>> TLS 1.1 Handshake [length 00a2], ClientHello 01 00 00 9e 03 02 5d 32 57 4b 04 0a af 47 03 90 .... ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎07-15-2019 10:31 AM
‎07-15-2019 10:31 AM
@bgooley    This information is incredibly helpful and insightful.  We will try this out solution.  Thank you very much!   Thanks, Brett ... View more

Re: How can we disable TLSv1 cipher for the Cloude...

by Contributor in Support Questions
‎07-11-2019 05:14 PM
‎07-11-2019 05:14 PM
Is there any option for the ssl_cipher_list for Cloudera Manager Agents (Port 9000) to support stronger encryptions?  We are on CDH 6.2. ... View more

How in Hive to write to a timestamp in a parquet b...

by Contributor in Support Questions
‎07-09-2018 06:41 PM
‎07-09-2018 06:41 PM
This issue has been a struggle for a long time (4+ years) with us  and I am so interested to hear what other Cloudera customers are doing.  I understand that Hive is meant to be the ETL batch SQL and Impala is really good at end user ad-hoc queries.  Impala also excels at having Parquet-backed tables.     My querstion is, how do you write a TIMESTAMP datatype using Hive so that Impala will read the same value.     Here is how to reproduce the issue.     1) In Impala, execute  this command:   CREATE TABLE default.ts_hive_test ( ts_data TIMESTAMP) STORED AS PARQUET;   2) In Hive, execute this command:   insert into default.ts_hive_test select from_unixtime(unix_timestamp());   3) In Hive, execute this command:   select * from default.ts_hive_test;   3) In Impala, execute this command:   select * from default.ts_hive_test;   The values are different because of a UTC timezone conversion issue going on with only Parquet backed tables.   So my question is, how do Cloudera Customers deal with this issue?  How can you have TIMESTAMP datatypes in Impala if Hive cannot write to them?   There was an attempt to add a table property (https://issues.apache.org/jira/browse/HIVE-12767) but that was closed with a "Won't Fix" status. The final comment was "Hive already has a workaround based on a the writer metadata..."  What is that workaround in the writer metadata?   This topic was briefly talked about here (http://community.cloudera.com/t5/Batch-SQL-Apache-Hive/Writing-Timestamp-columns-in-Parquet-Files-through-HIVE/m-p/48439#M1608), but those Impala switches cause huge performance degredation.     Has anyone else faced this issue and come up with a solution?  There has been a suggestion that we should change our hundreds of TIMESTAMP datatype columns into STRING datatype columns to avoid this issue, but is that the only option?       ... View more
Labels:

Re: SQOOP - IBM DB2 Connection

by Contributor in Support Questions
‎01-25-2016 02:05 PM
‎01-25-2016 02:05 PM
I am having a very similar issue that I need some help on.  When I try to ingest data from a DB2 z/OS system here is the output:   16/01/25 16:57:03 WARN sqoop.ConnFactory: Parameter --driver is set to an explicit driver however appropriate connection manager is not being set (via --connection-manager). Sqoop is going to fall back to org.apache.sqoop.manager.GenericJdbcManager. Please specify explicitly which connection manager should be used next time. 16/01/25 16:57:03 INFO manager.SqlManager: Using default fetchSize of 1000 16/01/25 16:57:03 INFO tool.CodeGenTool: Beginning code generation 16/01/25 16:57:04 ERROR manager.SqlManager: Error executing statement: com.ibm.db2.jcc.am.SqlSyntaxErrorException: [jcc][10165][10036][4.15.134] Invalid database URL syntax: jdbc:db2://<DB IP>:<DB Port>/<Location or SSID Name>/. ERRORCODE=-4461, SQLSTATE=42815 com.ibm.db2.jcc.am.SqlSyntaxErrorException: [jcc][10165][10036][4.15.134] Invalid database URL syntax: jdbc:db2://<DB IP>:<DB Port>/<Location or SSID Name>/. ERRORCODE=-4461, SQLSTATE=42815   If I do a "telnet <DB IP>  <DB Port>" command it comes back with a response so I know it is there.   I have put the "db2jcc4.jar" into the /var/lib/sqoop/  directory.   Please advise. ... View more
Contact Me
Online
Offline
Last Visited
‎12-03-2020 04:09 PM
Community Statistics
Member Since ‎10-15-2014 11:19 AM
Last Visited ‎12-03-2020 04:09 PM
Posts 27
Kudos received 1