That's strange. I'm assuming your resource manager is running on port 8190, as
by default it is the timeline server port in HDP.

Sorry, but I have one last thing to test. Can you add the below in the core-site xml
file and restart all Hadoop processes?

hadoop.ssl.enabled.protocols=TLSv1.2

Thanks

On Tue, 3 Sep 2019, 12:53 Anton Puzanov, <antonpuzdeve...@gmail.com> wrote:

> I have tried it right now and TLSv1 is still available. Running the
> openssl command shows the server certificate.
> I check for the protocols using nmap (-sV) which shows support for TLSv1,
> TLSv1.1, TLSv1.2
>
> On Tue, Sep 3, 2019 at 1:41 PM bappa kon <oracle...@gmail.com> wrote:
>
>> Can you share the output of the below command?
>>
>> openssl s_client -connect hostname:8190 -tls1
>>
>> Also, have you already tried the below in the custom yarn-site xml?
>>
>> ssl.exclude.protocol=TLSv1,TLSv1.1
>>
>> Thanks
>>
>> On Mon, 2 Sep 2019, 20:22 Anton Puzanov, <antonpuzdeve...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
>>> Some background: we run an HDP cluster, version 2.6.3.0-235.
>>> After scraping the web for the specific configuration I need to disable
>>> the algorithms, the only solution I found is to configure
>>> "jdk.tls.disabledAlgorithms".
>>>
>>> I have set it both in "java.security" file and in the jvm arguments
>>> themselves (via yarn-env setting in Ambari).
>>>
>>> In java.security: jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES,
>>> MD5withRSA, DH keySize < 1024, \
>>>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1
>>>
>>> When I check the running process I see the following jvm arguments (due
>>> to the setting in yarn-env): /usr/jdk64/jdk1.8.0_112/bin/java
>>> -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true
>>> -Dzookeeper.sasl.client.username=zookeeper
>>> -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf
>>> -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235
>>> *-Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1* -Dhadoop...
>>>
>>> But, when I check the supported TLS versions on the resource manager
>>> port (8190 in my case), TLSv1 and TLSv1.1 are still supported.
>>>
>>> Any help, ideas, and suggestions on how to correctly configure the TLS
>>> version support would be appreciated.
>>>
>>>
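
The per-version check used in this thread, written as a script (an added example, not part of the original messages): it repeats the openssl s_client probe for -tls1, -tls1_1 and -tls1_2 and reports which handshakes complete. PROBE_HOST, PROBE_PORT and the function names are assumptions, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Added example: report which TLS versions a listener still accepts, so a
# config change (e.g. the settings tried in this thread) can be re-verified.

# classify_handshake: read `openssl s_client` output on stdin and print
# "accepted" if a cipher was negotiated, "rejected" otherwise.
classify_handshake() {
    awk '
        /Cipher is / && !/\(NONE\)/ { ok = 1 }
        END { if (ok) print "accepted"; else print "rejected" }
    '
}

# probe_protocol HOST PORT FLAG: one handshake restricted to a single version.
# Caveat: a local openssl build that cannot offer that version itself also
# yields "rejected", so run this from a client that still supports TLSv1.
probe_protocol() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT: print one "<flag> <result>" line per protocol version.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%s %s\n' "$flag" "$(probe_protocol "$1" "$2" "$flag")"
    done
}

# Constructed, abridged s_client output for a completed TLSv1 handshake.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'

# Constructed, abridged s_client output for a refused handshake.
SAMPLE_REJECTED='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

# Probe only when a target is given, e.g. PROBE_HOST=hostname PROBE_PORT=8190
if [ -n "${PROBE_HOST:-}" ]; then
    probe_all "$PROBE_HOST" "${PROBE_PORT:-8190}"
fi
```

After restarting the services, -tls1 and -tls1_1 should both report "rejected" while -tls1_2 stays "accepted".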
