hadoop.ssl.enabled.protocols=TLSv1.2 is already set in core-site.xml. This is the resource manager in my case.

On Tue, Sep 3, 2019 at 4:01 PM bappa kon <[email protected]> wrote:

> That's strange, I'm assuming your resource manager is running on port 8190 as by default it is the timeline server port in HDP.
>
> Sorry but I have one last thing to test. Can you add the below to the core-site xml file and restart all hadoop processes?
>
> hadoop.ssl.enabled.protocols=TLSv1.2
>
> Thanks
>
> On Tue, 3 Sep 2019, 12:53 Anton Puzanov, <[email protected]> wrote:
>
>> I have tried it right now and TLSv1 is still available. Running the openssl command shows the server certificate.
>> I check for the protocols using nmap (-sV) which shows support for TLSv1, TLSv1.1, TLSv1.2.
>>
>> On Tue, Sep 3, 2019 at 1:41 PM bappa kon <[email protected]> wrote:
>>
>>> Can you share the output of the below command?
>>>
>>> openssl s_client -connect hostname:8190 -tls1
>>>
>>> Also, have you already tried the below in custom yarn-site xml?
>>>
>>> ssl.exclude.protocol=TLSv1,TLSv1.1
>>>
>>> Thanks
>>>
>>> On Mon, 2 Sep 2019, 20:22 Anton Puzanov, <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
>>>> Some background: we run an HDP cluster version 2.6.3.0-235.
>>>> After scraping the web for the specific configuration I need to disable the algorithms, the only solution I found is to configure "jdk.tls.disabledAlgorithms".
>>>>
>>>> I have set it both in the "java.security" file and in the jvm arguments themselves (via the yarn-env setting in Ambari).
>>>>
>>>> In java.security: jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>>>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1
>>>>
>>>> When I check the running process I see the following jvm arguments (due to the setting in yarn-env): /usr/jdk64/jdk1.8.0_112/bin/java -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235 *-Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1* -Dhadoop...
>>>>
>>>> But, when I check the supported TLS versions on the resource manager port (8190 in my case), TLSv1 and TLSv1.1 are still supported.
>>>>
>>>> Any help, ideas, and suggestions on how to correctly configure the TLS version support would be appreciated.
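The verification step the thread keeps coming back to (nmap -sV, openssl s_client -tls1 against port 8190) as a small added Python probe; this is not code from the thread or from Hadoop/HDP. It pins one handshake per TLS version and reports which versions the server still negotiates after a configuration change, and it distinguishes "the server rejected it" from "my own OpenSSL build will not even offer it", which is the usual false negative on modern probing hosts. Host and port are parameters; the `handshake` argument exists so the classification can be exercised without a network.

```python
import socket
import ssl

# Versions to probe, oldest first; TLSv1 and TLSv1.1 are the ones the
# thread is trying to remove from the ResourceManager port (8190).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def tls_handshake(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`. Returns "accepted",
    "rejected" (server would not negotiate it), "unsupported-locally"
    (this OpenSSL build cannot offer it, so nothing is learned about the
    server) or "error" (network failure)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only the negotiated version matters
    ctx.verify_mode = ssl.CERT_NONE   # here, not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 hides TLSv1/1.1 behind security level 0: the probe must
        # itself be willing to speak legacy TLS to detect that the server is.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return "unsupported-locally"
        return "rejected"
    except OSError:
        return "error"

def probe_versions(host, port, handshake=tls_handshake):
    """Map each protocol name to the outcome of a pinned handshake."""
    return {name: handshake(host, port, ver) for name, ver in VERSIONS.items()}

def weak_versions_accepted(results):
    """Pre-TLSv1.2 protocols the server still negotiated; should be empty."""
    return [n for n in ("TLSv1", "TLSv1.1") if results.get(n) == "accepted"]

# Run against the ResourceManager port from the thread (hostname is a
# placeholder): res = probe_versions("RM_HOST", 8190); weak_versions_accepted(res)
```

An empty list from weak_versions_accepted is the result the thread is looking for; a non-empty one means the JVM flag or Hadoop setting did not reach the listener that actually serves that port.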
