AMBARI-20583. Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above (Attila Magyar via sandor_magyari)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/165ec700 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/165ec700 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/165ec700 Branch: refs/heads/branch-dev-logsearch Commit: 165ec700f0f4e5c83a30bb7591df0fa1a8cfec9a Parents: 8842be0 Author: Attila Magyar <amag...@hortonworks.com> Authored: Tue Mar 28 19:10:40 2017 +0200 Committer: Sandor Magyari <smagy...@hortonworks.com> Committed: Tue Mar 28 19:10:40 2017 +0200 ---------------------------------------------------------------------- ambari-server/docs/configuration/index.md | 1 + .../server/configuration/Configuration.java | 20 +++++++++++++++++++ .../ambari/server/controller/AmbariServer.java | 3 +++ .../server/configuration/ConfigurationTest.java | 21 ++++++++++++++++++++ 4 files changed, 45 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/docs/configuration/index.md ---------------------------------------------------------------------- diff --git a/ambari-server/docs/configuration/index.md b/ambari-server/docs/configuration/index.md index 90865b6..ff9ce54 100644 --- a/ambari-server/docs/configuration/index.md +++ b/ambari-server/docs/configuration/index.md @@ -195,6 +195,7 @@ The following are the properties which can be used to configure Ambari. | security.server.one_way_ssl.port | The port that the Ambari Agents will use to communicate with the Ambari Server over SSL. |`8440` | | security.server.passphrase | The password to the Ambari Server to supply to new Ambari Agent hosts being bootstrapped. |`AMBARI_PASSPHRASE` | | security.server.passphrase_env_var | An environment variable which can be used to supply the Ambari Server password when bootstrapping new Ambari Agents. |`AMBARI_PASSPHRASE` | +| security.server.tls.ephemeral_dh_key_size | The Ephemeral TLS Diffie-Hellman (DH) key size. Supported from Java 8. |`2048` | | security.server.truststore_name | The name of the truststore file ambari uses to store trusted certificates. Located in `security.server.keys_dir` |`keystore.p12` | | security.server.truststore_type | The type of the truststore file specified in `security.server.truststore_name`. Self-signed certificates can be `PKCS12` while CA signed certificates are `JKS` |`PKCS12` | | security.server.two_way_ssl | Determines whether two-way SSL should be used between Ambari Server and Ambari Agents so that the agents must also use SSL. |`false` | http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 93ebd9a..537b993 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -2687,6 +2687,14 @@ public class Configuration { public static final ConfigurationProperty<Integer> SERVER_STARTUP_WEB_TIMEOUT = new ConfigurationProperty<>( "server.startup.web.timeout", 50); + /** + * The Ephemeral TLS Diffie-Hellman (DH) key size. + * Supported from Java 8. + */ + @Markdown(description = "The Ephemeral TLS Diffie-Hellman (DH) key size. Supported from Java 8.") + public static final ConfigurationProperty<Integer> TLS_EPHEMERAL_DH_KEY_SIZE = new ConfigurationProperty<>( + "security.server.tls.ephemeral_dh_key_size", 2048); + private static final Logger LOG = LoggerFactory.getLogger( Configuration.class); @@ -2874,6 +2882,7 @@ public class Configuration { configsMap.put(KDC_PORT.getKey(), getProperty(KDC_PORT)); configsMap.put(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT.getKey(), getProperty(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT)); configsMap.put(PROXY_ALLOWED_HOST_PORTS.getKey(), getProperty(PROXY_ALLOWED_HOST_PORTS)); + configsMap.put(TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), getProperty(TLS_EPHEMERAL_DH_KEY_SIZE)); File passFile = new File( configsMap.get(SRVR_KSTR_DIR.getKey()) + File.separator @@ -5559,6 +5568,17 @@ public class Configuration { } /** + * @return Ephemeral TLS DH key size + */ + public int getTlsEphemeralDhKeySize() { + int keySize = NumberUtils.toInt(getProperty(TLS_EPHEMERAL_DH_KEY_SIZE)); + if (keySize == 0) { + throw new IllegalArgumentException("Invalid " + TLS_EPHEMERAL_DH_KEY_SIZE + " " + getProperty(TLS_EPHEMERAL_DH_KEY_SIZE)); + } + return keySize; + } + + /** * Generates a markdown table which includes: * <ul> * <li>Property key name</li> http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java index 1f1689a..4e7af0c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java @@ -292,6 +292,9 @@ public class AmbariServer { static void setSystemProperties(Configuration configs) { // modify location of temporary dir to avoid using default /tmp dir System.setProperty("java.io.tmpdir", configs.getServerTempDir()); + if (configs.getJavaVersion() >= 8) { + System.setProperty("jdk.tls.ephemeralDHKeySize", String.valueOf(configs.getTlsEphemeralDhKeySize())); + } } public static AmbariManagementController getController() { http://git-wip-us.apache.org/repos/asf/ambari/blob/165ec700/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java index 7d2ebb5..1b8de79 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java @@ -1063,4 +1063,25 @@ public class ConfigurationTest { StringUtils.isEmpty(markdown.description())); } } + + @Test(expected = IllegalArgumentException.class) + public void testRejectsInvalidDtKeySize() { + Properties properties = new Properties(); + properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), "invalid"); + new Configuration(properties).getTlsEphemeralDhKeySize(); + } + + @Test + public void testDefaultDhKeySizeIs2048() { + Properties properties = new Properties(); + Assert.assertEquals(2048, new Configuration(properties).getTlsEphemeralDhKeySize()); + } + + @Test + public void testOverridingDhtKeySize() { + Properties properties = new Properties(); + properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), "1024"); + Assert.assertEquals(1024, new Configuration(properties).getTlsEphemeralDhKeySize()); + } + }
