Repository: ambari
Updated Branches:
  refs/heads/branch-2.5 51b3eed43 -> 74638c378


AMBARI-20583. Allow for larger Ephemeral DH Keys in Ambari server running on 
JVM versions 1.8 and above (Attila Magyar via sandor_magyari)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/74638c37
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/74638c37
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/74638c37

Branch: refs/heads/branch-2.5
Commit: 74638c378d816cf4e27a2a09aa1ffcfbe11f98f1
Parents: 51b3eed
Author: Attila Magyar <amag...@hortonworks.com>
Authored: Tue Mar 28 19:10:40 2017 +0200
Committer: Sandor Magyari <smagy...@hortonworks.com>
Committed: Thu Mar 30 12:13:37 2017 +0200

----------------------------------------------------------------------
 ambari-server/docs/configuration/index.md       |  1 +
 .../server/configuration/Configuration.java     | 20 ++++++++++++++++++
 .../ambari/server/controller/AmbariServer.java  |  3 +++
 .../server/configuration/ConfigurationTest.java | 22 ++++++++++++++++++++
 4 files changed, 46 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/74638c37/ambari-server/docs/configuration/index.md
----------------------------------------------------------------------
diff --git a/ambari-server/docs/configuration/index.md 
b/ambari-server/docs/configuration/index.md
index f836fc9..ded6178 100644
--- a/ambari-server/docs/configuration/index.md
+++ b/ambari-server/docs/configuration/index.md
@@ -190,6 +190,7 @@ The following are the properties which can be used to 
configure Ambari.
 | security.server.one_way_ssl.port | The port that the Ambari Agents will use 
to communicate with the Ambari Server over SSL. |`8440` | 
 | security.server.passphrase | The password to the Ambari Server to supply to 
new Ambari Agent hosts being bootstrapped. |`AMBARI_PASSPHRASE` | 
 | security.server.passphrase_env_var | An environment variable which can be 
used to supply the Ambari Server password when bootstrapping new Ambari Agents. 
|`AMBARI_PASSPHRASE` | 
+| security.server.tls.ephemeral_dh_key_size | The Ephemeral TLS Diffie-Hellman 
(DH) key size. Supported from Java 8. |`2048` | 
 | security.server.truststore_name | The name of the truststore file ambari 
uses to store trusted certificates. Located in `security.server.keys_dir` 
|`keystore.p12` | 
 | security.server.truststore_type | The type of the truststore file specified 
in `security.server.truststore_name`. Self-signed certificates can be `PKCS12` 
while CA signed certificates are `JKS` |`PKCS12` | 
 | security.server.two_way_ssl | Determines whether two-way SSL should be used 
between Ambari Server and Ambari Agents so that the agents must also use SSL. 
|`false` | 

http://git-wip-us.apache.org/repos/asf/ambari/blob/74638c37/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
index 3166121..b3088eb 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java
@@ -2644,6 +2644,14 @@ public class Configuration {
   public static final ConfigurationProperty<Integer> 
SERVER_STARTUP_WEB_TIMEOUT = new ConfigurationProperty<>(
     "server.startup.web.timeout", 50);
 
+  /**
+   * The Ephemeral TLS Diffie-Hellman (DH) key size.
+   * Supported from Java 8.
+   */
+  @Markdown(description = "The Ephemeral TLS Diffie-Hellman (DH) key size. 
Supported from Java 8.")
+  public static final ConfigurationProperty<Integer> TLS_EPHEMERAL_DH_KEY_SIZE 
= new ConfigurationProperty<>(
+    "security.server.tls.ephemeral_dh_key_size", 2048);
+
   private static final Logger LOG = LoggerFactory.getLogger(
     Configuration.class);
 
@@ -2961,6 +2969,7 @@ public class Configuration {
     configsMap.put(KDC_PORT.getKey(), getProperty(KDC_PORT));
     configsMap.put(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT.getKey(), 
getProperty(AGENT_PACKAGE_PARALLEL_COMMANDS_LIMIT));
     configsMap.put(PROXY_ALLOWED_HOST_PORTS.getKey(), 
getProperty(PROXY_ALLOWED_HOST_PORTS));
+    configsMap.put(TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), 
getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
 
     File passFile = new File(
         configsMap.get(SRVR_KSTR_DIR.getKey()) + File.separator
@@ -5450,6 +5459,17 @@ public class Configuration {
   }
 
   /**
+   * @return Ephemeral TLS DH key size
+   */
+  public int getTlsEphemeralDhKeySize() {
+    int keySize = NumberUtils.toInt(getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
+    if (keySize == 0) {
+      throw new IllegalArgumentException("Invalid " + 
TLS_EPHEMERAL_DH_KEY_SIZE + " " + getProperty(TLS_EPHEMERAL_DH_KEY_SIZE));
+    }
+    return keySize;
+  }
+
+  /**
    * Generates a markdown table which includes:
    * <ul>
    * <li>Property key name</li>
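Review bot: getTlsEphemeralDhKeySize() rejects only the value 0, so a negative number or a small positive one such as 512 passes the `keySize == 0` check and is returned as the DH key size. NumberUtils.toInt yields 0 only for text it cannot parse, which is the single case this guard catches. As far as I know the Java 8 JSSE accepts fixed sizes from 1024 to 2048 bits for this setting, so a lower bound such as `if (keySize < 1024) {` would reject bad values with an Ambari-level message rather than leaving the failure to the JVM's TLS code. The Javadoc could also state the accepted range and note that sizes below the 2048 default weaken the ephemeral key exchange.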

http://git-wip-us.apache.org/repos/asf/ambari/blob/74638c37/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index b4ae241..7874365 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -287,6 +287,9 @@ public class AmbariServer {
   static void setSystemProperties(Configuration configs) {
     // modify location of temporary dir to avoid using default /tmp dir
     System.setProperty("java.io.tmpdir", configs.getServerTempDir());
+    if (configs.getJavaVersion() >= 8) {
+      System.setProperty("jdk.tls.ephemeralDHKeySize", 
String.valueOf(configs.getTlsEphemeralDhKeySize()));
+    }
   }
 
   public static AmbariManagementController getController() {
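Review bot: The added System.setProperty call in setSystemProperties replaces any `-Djdk.tls.ephemeralDHKeySize` value an operator passed on the JVM command line, and the property is JVM-wide rather than scoped to the agent-facing connectors. A comment on the new block would make that explicit, for example `// JVM-wide; overrides -Djdk.tls.ephemeralDHKeySize and must run before the first TLS server socket is created`. The JSSE implementation presumably reads this property once, so ordering relative to connector start-up matters. The call site of setSystemProperties is outside the hunk and should be checked for that.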

http://git-wip-us.apache.org/repos/asf/ambari/blob/74638c37/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
 
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
index b9288d2..971c33a 100644
--- 
a/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
+++ 
b/ambari-server/src/test/java/org/apache/ambari/server/configuration/ConfigurationTest.java
@@ -1052,4 +1052,26 @@ public class ConfigurationTest {
 
     new Configuration(properties);
   }
+
+
+  @Test(expected = IllegalArgumentException.class)
+  public void testRejectsInvalidDtKeySize() {
+    Properties properties = new Properties();
+    properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), 
"invalid");
+    new Configuration(properties).getTlsEphemeralDhKeySize();
+  }
+
+  @Test
+  public void testDefaultDhKeySizeIs2048() {
+    Properties properties = new Properties();
+    Assert.assertEquals(2048, new 
Configuration(properties).getTlsEphemeralDhKeySize());
+  }
+
+  @Test
+  public void testOverridingDhtKeySize() {
+    Properties properties = new Properties();
+    properties.put(Configuration.TLS_EPHEMERAL_DH_KEY_SIZE.getKey(), "1024");
+    Assert.assertEquals(1024, new 
Configuration(properties).getTlsEphemeralDhKeySize());
+  }
+
 }
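Review bot: The new tests cover only the default, one override and a non-numeric string, so boundary inputs such as "0", "-1" or "512" are untested, and the override test pins 1024 as an accepted value. Two method names misspell DH: `testRejectsInvalidDtKeySize` and `testOverridingDhtKeySize` would read better as `testRejectsInvalidDhKeySize` and `testOverridingDhKeySize`. A further case that feeds a negative or very small size and states the expected outcome would document what the getter is meant to accept.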
