AMBARI-20583. Allow for larger Ephemeral DH Keys in Ambari server running on 
JVM versions 1.8 and above (Attila Magyar via sandor_magyari)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/165ec700
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/165ec700
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/165ec700

Branch: refs/heads/branch-dev-logsearch
Commit: 165ec700f0f4e5c83a30bb7591df0fa1a8cfec9a
Parents: 8842be0
Author: Attila Magyar <amag...@hortonworks.com>
Authored: Tue Mar 28 19:10:40 2017 +0200
Committer: Sandor Magyari <smagy...@hortonworks.com>
Committed: Tue Mar 28 19:10:40 2017 +0200

----------------------------------------------------------------------
 ambari-server/docs/configuration/index.md       |  1 +
 .../server/configuration/Configuration.java     | 20 +++++++++++++++++++
 .../ambari/server/controller/AmbariServer.java  |  3 +++
 .../server/configuration/ConfigurationTest.java | 21 ++++++++++++++++++++
 4 files changed, 45 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/docs/configuration/index.md
----------------------------------------------------------------------
diff --git a/ambari-server/docs/configuration/index.md 
b/ambari-server/docs/configuration/index.md
index 90865b6..ff9ce54 100644
--- a/ambari-server/docs/configuration/index.md
+++ b/ambari-server/docs/configuration/index.md
@@ -195,6 +195,7 @@ The following are the properties which can be used to 
configure Ambari.
 | security.server.one_way_ssl.port | The port that the Ambari Agents will use 
to communicate with the Ambari Server over SSL. |`8440` | 
 | security.server.passphrase | The password to the Ambari Server to supply to 
new Ambari Agent hosts being bootstrapped. |`AMBARI_PASSPHRASE` | 
 | security.server.passphrase_env_var | An environment variable which can be 
used to supply the Ambari Server password when bootstrapping new Ambari Agents. 
|`AMBARI_PASSPHRASE` | 
+| security.server.tls.ephemeral_dh_key_size | The Ephemeral TLS Diffie-Hellman 
(DH) key size. Supported from Java 8. |`2048` | 
 | security.server.truststore_name | The name of the truststore file ambari 
uses to store trusted certificates. Located in `security.server.keys_dir` 
|`keystore.p12` | 
 | security.server.truststore_type | The type of the truststore file specified 
in `security.server.truststore_name`. Self-signed certificates can be `PKCS12` 
while CA signed certificates are `JKS` |`PKCS12` | 
 | security.server.two_way_ssl | Determines whether two-way SSL should be used 
between Ambari Server and Ambari Agents so that the agents must also use SSL. 
|`false` | 

http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 93ebd9a..537b993 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2687,6 +2687,14 @@ public class Configuration {
   public static final ConfigurationProperty<Integer> 
SERVER_STARTUP_WEB_TIMEOUT = new ConfigurationProperty<>(
     "server.startup.web.timeout", 50);
 
+  /**
+   * The Ephemeral TLS Diffie-Hellman (DH) key size.
+   * Supported from Java 8.
+   */
+  @Markdown(description = "The Ephemeral TLS Diffie-Hellman (DH) key size. 
Supported from Java 8.")
+  public static final ConfigurationProperty<Integer> TLS_EPHEMERAL_DH_KEY_SIZE 
= new ConfigurationProperty<>(
+    "security.server.tls.ephemeral_dh_key_size", 2048);
+
   private static final Logger LOG = LoggerFactory.getLogger(
     Configuration.class);
 
@@ -2874,6 +2882,7 @@ public class Configuration {
     configsMap.put(KDC_PORT.getKey(), getProperty(KDC_PORT));
     configsMap.put(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT.getKey(), 
getProperty(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT));
     configsMap.put(PROXY_ALLOWED_HOST_PORTS.getKey(), 
getProperty(PROXY_ALLOWED_HOST_PORTS));
+    configsMap.put(TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), 
getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
 
     File passFile = new File(
         configsMap.get(SRVR_KSTR_DIR.getKey()) + File.separator
@@ -5559,6 +5568,17 @@ public class Configuration {
   }
 
   /**
+   * @return Ephemeral TLS DH key size
+   */
+  public int getTlsEphemeralDhKeySize() {
+    int keySize = NumberUtils.toInt(getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
+    if (keySize == 0) {
+      throw new IllegalArgumentException("Invalid " + 
TLS_EPHEMERAL_DH_KEY_SIZE + " " + getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
+    }
+    return keySize;
+  }
+
+  /**
    * Generates a markdown table which includes:
    * <ul>
    * <li>Property key name</li>
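Review bot: The guard in getTlsEphemeralDhKeySize only rejects the value NumberUtils.toInt returns for unparseable input, so a negative or implausibly small size (for example `-1` or `512`) is accepted and written straight into `jdk.tls.ephemeralDHKeySize` by AmbariServer.setSystemProperties. I believe the JDK honours that property only within a bounded range (1024 being the lower end on Java 8) and otherwise falls back to its own default, so a typo in ambari.properties would silently lose the hardening this commit introduces; `if (keySize < 1024) {` in place of the zero check would catch that class of mistake in the same place and fail loudly. The exception message also concatenates the ConfigurationProperty object itself; unless ConfigurationProperty overrides toString, `TLS_EPHEMERAL_DH_KEY_SIZE.getKey()` is what a reader of the log needs. The Javadoc should additionally carry `@throws IllegalArgumentException if the configured value is not a valid integer key size`.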

http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index 1f1689a..4e7af0c 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -292,6 +292,9 @@ public class AmbariServer {
   static void setSystemProperties(Configuration configs) {
     // modify location of temporary dir to avoid using default /tmp dir
     System.setProperty("java.io.tmpdir", configs.getServerTempDir());
+    if (configs.getJavaVersion() >= 8) {
+      System.setProperty("jdk.tls.ephemeralDHKeySize", 
String.valueOf(configs.getTlsEphemeralDhKeySize()));
+    }
   }
 
   public static AmbariManagementController getController() {
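Review bot: The added System.setProperty on `jdk.tls.ephemeralDHKeySize` only has an effect if it runs before the JSSE server-side classes are first loaded; I believe the JDK reads this property once at class initialization, so any SSLContext or HTTPS client created earlier in startup would pin the DH size to the JDK default regardless of this setting. A comment such as `// must run before any SSLContext is created; JSSE reads this property once at class init` on the added `if` would record that ordering constraint for anyone later reshuffling startup. Note also that the call unconditionally overwrites a value an operator supplied with `-D` on the command line; if the config property is meant to win, the docs entry in index.md should say so.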

http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index 7d2ebb5..1b8de79 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -1063,4 +1063,25 @@ public class ConfigurationTest {
           StringUtils.isEmpty(markdown.description()));
     }
   }
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testRejectsInvalidDtKeySize() {
+    Properties properties = new Properties();
+    properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), 
"invalid");
+    new Configuration(properties).getTlsEphemeralDhKeySize();
+  }
+
+  @Test
+  public void testDefaultDhKeySizeIs2048() {
+    Properties properties = new Properties();
+    Assert.assertEquals(2048, new 
Configuration(properties).getTlsEphemeralDhKeySize());
+  }
+
+  @Test
+  public void testOverridingDhtKeySize() {
+    Properties properties = new Properties();
+    properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), "1024");
+    Assert.assertEquals(1024, new 
Configuration(properties).getTlsEphemeralDhKeySize());
+  }
+
 }
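Review bot: The test names `testRejectsInvalidDtKeySize` and `testOverridingDhtKeySize` misspell the DH abbreviation that the third test and the production method use; `testRejectsInvalidDhKeySize` and `testOverridingDhKeySize` keep the three consistent. A case passing `"0"` or a negative string would also pin the boundary of the `keySize == 0` check in Configuration, since `"invalid"` exercises only the unparseable path and `"1024"` only the happy path.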
