Hi,
I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
Some background: we run an HDP cluster, version 2.6.3.0-235.
After scraping the web for the specific configuration I need to disable
the algorithms, the only solution I found is to configure
"jdk.tls.disabledAlgorithms".
I have set it both in the "java.security" file and in the JVM arguments
themselves (via the yarn-env setting in Ambari).
In java.security:

    jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1

When I check the running process I see the following JVM arguments (due to
the setting in yarn-env):

    /usr/jdk64/jdk1.8.0_112/bin/java
    -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true
    -Dzookeeper.sasl.client.username=zookeeper
    -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf
    -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235
    *-Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1* -Dhadoop...

But, when I check the supported TLS versions on the resource manager port
(8190 in my case), TLSv1 and TLSv1.1 are still supported.
Any help, ideas, and suggestions on how to correctly configure the TLS
version support would be appreciated.
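
A diagnostic for the situation described above, added here as an example and not part of the original post: it prints the `jdk.tls.disabledAlgorithms` value returned by `Security.getProperty` (the security property loaded from java.security, which JSSE consults) next to the system property of the same name that a `-D` argument sets, then lists the protocols a default server-side `SSLEngine` has enabled. The class name `TlsProtocolCheck` is hypothetical; the assumption is that it is run with the same JDK and JVM arguments as the ResourceManager.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic (hypothetical class name). Run it with the same JDK and the
// same JVM arguments as the ResourceManager process.
public class TlsProtocolCheck {
    static final String PROP = "jdk.tls.disabledAlgorithms";
    // Protocol versions the post wants disabled.
    static final String[] UNWANTED = {"TLSv1", "TLSv1.1"};

    // Split the comma-separated property value into trimmed entries.
    static Set<String> entries(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value != null) {
            for (String e : value.split(",")) {
                if (!e.trim().isEmpty()) out.add(e.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Security property: loaded from java.security; this is what JSSE reads.
        Set<String> sec = entries(Security.getProperty(PROP));
        // System property: what -Djdk.tls.disabledAlgorithms=... sets.
        Set<String> sys = entries(System.getProperty(PROP));
        System.out.println("java.home         = " + System.getProperty("java.home"));
        System.out.println("security property = " + sec);
        System.out.println("system property   = " + sys);

        // Protocols a default server-side engine has enabled in this JVM.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        System.out.println("enabled protocols = " + enabled);

        int bad = 0;
        for (String p : UNWANTED) {
            boolean on = enabled.contains(p);
            if (on) bad++;
            System.out.printf("%-8s in security property: %-5b still enabled: %b%n", p, sec.contains(p), on);
        }
        System.exit(bad == 0 ? 0 : 1); // non-zero exit if an unwanted version is enabled
    }
}
```

This reports JVM-level defaults only; the listener on port 8190 still has to be tested with a TLS client to confirm what it negotiates.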