Learn about the known issues in ZooKeeper, the impact or changes to the functionality,
and the workaround.
- Zookeeper-client does not use ZooKeeper TLS/SSL automatically
- The command-line tool 'zookeeper-client' is installed on all Cloudera nodes and can be used to start the default Java command-line ZooKeeper client. However, even when ZooKeeper TLS/SSL is enabled, the zookeeper-client command connects to localhost:2181 without using TLS/SSL.
- Manually configure port 2182 when zookeeper-client connects to a ZooKeeper cluster. The following example connects to a specific three-node ZooKeeper cluster using TLS/SSL:
CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty -Dzookeeper.ssl.keyStore.location=[***PATH TO YOUR CONFIGURED KEYSTORE***] -Dzookeeper.ssl.keyStore.password=[***PASSWORD YOU CONFIGURED FOR KEYSTORE***] -Dzookeeper.ssl.trustStore.location=[***path to your configured truststore***] -Dzookeeper.ssl.trustStore.password=[***the password you configured for the truststore***] -Dzookeeper.client.secure=true" zookeeper-client -server [***your.zookeeper.server-1***]:2182,[***your.zookeeper.server-2***]:2182,[***your.zookeeper.server-3***]:2182
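The wrapper below is an added example, not Cloudera's zookeeper-client script: it builds the same CLIENT_JVMFLAGS system properties and -server connect string as the command above, but forces every server entry onto port 2182 and refuses an entry that names the plaintext port 2181, so the client can never silently fall back to a plaintext socket. The hostnames, keystore and truststore paths and the password values in the `__main__` section are placeholders.

```python
"""Launch zookeeper-client over TLS only (added example, not Cloudera's script)."""
import os
import subprocess

SECURE_PORT = 2182     # TLS port from the workaround above
PLAINTEXT_PORT = 2181  # default port zookeeper-client would otherwise use


def build_connect_string(servers):
    """Normalise 'host' or 'host:port' entries onto the TLS port.

    An entry that explicitly names the plaintext port is rejected rather than
    silently rewritten, so a copy-pasted 2181 never reaches a plaintext socket.
    """
    entries = []
    for entry in servers:
        host, _, port = entry.partition(":")
        if not host:
            raise ValueError(f"empty host in {entry!r}")
        if port and int(port) == PLAINTEXT_PORT:
            raise ValueError(f"{entry}: port {PLAINTEXT_PORT} is the plaintext port")
        entries.append(f"{host}:{port or SECURE_PORT}")
    return ",".join(entries)


def build_client_jvmflags(keystore, keystore_pw, truststore, truststore_pw):
    """Assemble the -D system properties used in the workaround.

    The wrapper script expands CLIENT_JVMFLAGS unquoted, so a value containing
    whitespace would be split into separate JVM arguments; reject it instead.
    """
    props = {
        "zookeeper.clientCnxnSocket": "org.apache.zookeeper.ClientCnxnSocketNetty",
        "zookeeper.ssl.keyStore.location": keystore,
        "zookeeper.ssl.keyStore.password": keystore_pw,
        "zookeeper.ssl.trustStore.location": truststore,
        "zookeeper.ssl.trustStore.password": truststore_pw,
        "zookeeper.client.secure": "true",
    }
    for key, value in props.items():
        if any(ch.isspace() for ch in value):
            raise ValueError(f"{key} must not contain whitespace")
    return " ".join(f"-D{key}={value}" for key, value in props.items())


def build_invocation(servers, keystore, keystore_pw, truststore, truststore_pw):
    """Return (env, argv) ready for subprocess; nothing is executed here."""
    env = dict(os.environ)
    env["CLIENT_JVMFLAGS"] = build_client_jvmflags(
        keystore, keystore_pw, truststore, truststore_pw)
    argv = ["zookeeper-client", "-server", build_connect_string(servers)]
    return env, argv


if __name__ == "__main__":
    # Placeholder hosts, store paths and passwords; replace with your own.
    env, argv = build_invocation(
        ["zk1.example.internal", "zk2.example.internal", "zk3.example.internal"],
        keystore="/path/to/keystore.jks", keystore_pw="KEYSTORE_PASSWORD_PLACEHOLDER",
        truststore="/path/to/truststore.jks", truststore_pw="TRUSTSTORE_PASSWORD_PLACEHOLDER")
    subprocess.run(argv, env=env, check=False)
```

One caveat that applies to the original command as much as to this wrapper: the keystore and truststore passwords become part of the Java process's command line, which other local users can read from the process table, so restrict who can log in to the node you run this from.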
- TLS v1.3 Support for CDP in Zookeeper
- ZooKeeper does not support TLS v1.3.
- To configure TLS v1.3, add the following properties to the Server Advanced Configuration Snippet (Safety Valve) for zoo.cfg:
ssl.protocol=TLSv1.3
ssl.enabledProtocols=TLSv1.3,TLSv1.2
ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
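As an added check that is not part of Cloudera's tooling, the following Python linter parses the ssl.* properties above and reports anything a reviewer would reject before pasting the snippet into the safety valve: ssl.protocol missing from ssl.enabledProtocols, a legacy protocol version enabled, a cipher suite without AEAD, or one without forward secrecy. The first sample is the snippet from this page; the second is a constructed weak configuration for contrast.

```python
"""Lint ZooKeeper ssl.* properties (added example, not Cloudera's tooling)."""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# The snippet shown on this page.
PAGE_SNIPPET = """
ssl.protocol=TLSv1.3
ssl.enabledProtocols=TLSv1.3,TLSv1.2
ssl.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
"""

# Constructed weak configuration used only to exercise the checks.
WEAK_SNIPPET = """
# legacy protocol and a static-RSA CBC suite left enabled
ssl.protocol=TLSv1.2
ssl.enabledProtocols=TLSv1.2,TLSv1
ssl.ciphersuites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""


def parse_properties(text):
    """Parse key=value lines as found in zoo.cfg; blank and comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_aead_suite(suite):
    """GCM and ChaCha20-Poly1305 are AEAD; CBC and RC4 suites are not."""
    return "_GCM_" in suite or "_CHACHA20_POLY1305_" in suite


def has_forward_secrecy(suite):
    """TLS 1.3 suites (no _WITH_) always use ephemeral key exchange;
    TLS 1.2 suites must name ECDHE or DHE rather than static RSA."""
    return "_WITH_" not in suite or "_ECDHE_" in suite or "_DHE_" in suite


def lint_ssl_properties(props):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    proto = props.get("ssl.protocol")
    enabled = [p for p in props.get("ssl.enabledProtocols", "").split(",") if p]
    suites = [s for s in props.get("ssl.ciphersuites", "").split(",") if s]

    if proto is None:
        findings.append("ssl.protocol is not set")
    elif enabled and proto not in enabled:
        findings.append(f"ssl.protocol {proto} is not listed in ssl.enabledProtocols")
    for p in enabled:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {p}")
    for s in suites:
        if not is_aead_suite(s):
            findings.append(f"non-AEAD cipher suite: {s}")
        if not has_forward_secrecy(s):
            findings.append(f"no forward secrecy: {s}")
    return findings


if __name__ == "__main__":
    for name, snippet in (("page snippet", PAGE_SNIPPET), ("weak snippet", WEAK_SNIPPET)):
        findings = lint_ssl_properties(parse_properties(snippet))
        print(name, "->", "clean" if not findings else "; ".join(findings))
```

Run it against the safety-valve text before saving; the page's own snippet produces no findings, while the constructed weak one reports the TLSv1 entry and the static-RSA CBC suite twice (once for the missing AEAD, once for the missing forward secrecy).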