Repository: incubator-atlas Updated Branches: refs/heads/master 648c8d8f6 -> 95590d230
ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags) Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/95590d23 Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/95590d23 Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/95590d23 Branch: refs/heads/master Commit: 95590d23017523cc006359fe5b5be389c7aa0c0b Parents: 648c8d8 Author: Shwetha GS <[email protected]> Authored: Mon Feb 22 11:54:35 2016 +0530 Committer: Shwetha GS <[email protected]> Committed: Mon Feb 22 11:54:35 2016 +0530 ---------------------------------------------------------------------- .../org/apache/atlas/security/SecurityProperties.java | 6 ++++++ docs/src/site/twiki/security.twiki | 1 + release-log.txt | 1 + .../apache/atlas/web/service/SecureEmbeddedServer.java | 11 +++++++++-- 4 files changed, 17 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/client/src/main/java/org/apache/atlas/security/SecurityProperties.java ---------------------------------------------------------------------- diff --git a/client/src/main/java/org/apache/atlas/security/SecurityProperties.java b/client/src/main/java/org/apache/atlas/security/SecurityProperties.java index 5029e12..b6c8c9b 100644 --- a/client/src/main/java/org/apache/atlas/security/SecurityProperties.java +++ b/client/src/main/java/org/apache/atlas/security/SecurityProperties.java @@ -17,6 +17,9 @@ */ package org.apache.atlas.security; +import java.util.Arrays; +import java.util.List; + /** * */ @@ -33,4 +36,7 @@ public interface SecurityProperties { String CERT_STORES_CREDENTIAL_PROVIDER_PATH = "cert.stores.credential.provider.path"; String SSL_CLIENT_PROPERTIES = "ssl-client.xml"; String BIND_ADDRESS = "atlas.server.bind.address"; + String ATLAS_SSL_EXCLUDE_CIPHER_SUITES = "atlas.ssl.exclude.cipher.suites"; + List<String> DEFAULT_CIPHER_SUITES = Arrays.asList(".*NULL.*", ".*RC4.*", ".*MD5.*",".*DES.*",".*DSS.*"); + } http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/docs/src/site/twiki/security.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/security.twiki b/docs/src/site/twiki/security.twiki index fc61402..d80f5c6 100755 --- a/docs/src/site/twiki/security.twiki +++ b/docs/src/site/twiki/security.twiki @@ -17,6 +17,7 @@ Both SSL one-way (server authentication) and two-way (server and client authenti * <code>truststore.file</code> - the path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled). In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled). * <code>client.auth.enabled</code> (false|true) [default: false] - enable/disable client authentication. If enabled, the client will have to authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect). * <code>cert.stores.credential.provider.path</code> - the path to the Credential Provider store file. The passwords for the keystore, truststore, and server certificate are maintained in this secure file. Utilize the cputil script in the 'bin' directoy (see below) to populate this file with the passwords required. + * <code>atlas.ssl.exclude.cipher.suites</code> - the excluded Cipher Suites list - *NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as atlas.ssl.exclude.cipher.suites=.*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Ciper Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property will have precedence over the default Cipher Suites. One would keep the default Cipher Suites, and add additional ones to be safe. ---++++ Credential Provider Utility Script http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/release-log.txt ---------------------------------------------------------------------- diff --git a/release-log.txt b/release-log.txt index 52391ba..3006aa5 100644 --- a/release-log.txt +++ b/release-log.txt @@ -5,6 +5,7 @@ Apache Atlas Release Notes INCOMPATIBLE CHANGES: ATLAS-409 Atlas will not import avro tables with schema read from a file ([email protected] via shwethags) ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags) +ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags) ALL CHANGES: ATLAS-318 Config file conatining API endpoint + all api calls to be centralized (sanjayp via sumasai) http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java ---------------------------------------------------------------------- diff --git a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java index 8a3faff..b433e71 100755 --- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java +++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java @@ -35,6 +35,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.IOException; +import java.util.List; import static org.apache.atlas.security.SecurityProperties.CERT_STORES_CREDENTIAL_PROVIDER_PATH; import static org.apache.atlas.security.SecurityProperties.CLIENT_AUTH_KEY; @@ -45,6 +46,8 @@ import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY; import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY; import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY; +import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_CIPHER_SUITES; +import static org.apache.atlas.security.SecurityProperties.DEFAULT_CIPHER_SUITES; /** * This is a jetty server which requires client auth via certificates. @@ -62,14 +65,18 @@ public class SecureEmbeddedServer extends EmbeddedServer { SslContextFactory sslContextFactory = new SslContextFactory(); sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY, - System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION))); + System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION))); sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY)); sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY)); sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY, - System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION))); + System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION))); sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY)); sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY))); + List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES); + sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()])); + sslContextFactory.setRenegotiationAllowed(false); + // SSL HTTP Configuration // HTTP Configuration HttpConfiguration http_config = new HttpConfiguration();
