Repository: hadoop
Updated Branches:
  refs/heads/branch-2 2ac5aab8d -> 85f7b7e8e


HADOOP-14242. Make KMS Tomcat SSL property sslEnabledProtocols and clientAuth 
configurable. Contributed by John Zhuge.


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/145d716a
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/145d716a
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/145d716a

Branch: refs/heads/branch-2
Commit: 145d716a2b62259c918ba50bb4bdc014e572bb2b
Parents: 2ac5aab
Author: John Zhuge <jzh...@apache.org>
Authored: Fri May 12 10:40:32 2017 -0700
Committer: John Zhuge <jzh...@apache.org>
Committed: Thu May 18 18:03:54 2017 -0700

----------------------------------------------------------------------
 .../hadoop-kms/src/main/conf/kms-env.sh              | 13 +++++++++++++
 .../hadoop-kms/src/main/libexec/kms-config.sh        | 14 ++++++++++++++
 .../hadoop-kms/src/main/sbin/kms.sh                  |  3 +++
 .../hadoop-kms/src/main/tomcat/ssl-server.xml        |  3 ++-
 .../hadoop-kms/src/site/markdown/index.md.vm         | 15 ++++++++++++---
 5 files changed, 44 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh 
b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
index 7deee5d..df5a904 100644
--- a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
@@ -66,6 +66,19 @@
 #
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
+# Set to 'true' if you want the SSL stack to require a valid certificate chain
+# from the client before accepting a connection. Set to 'want' if you want the
+# SSL stack to request a client Certificate, but not fail if one isn't
+# presented. A 'false' value (which is the default) will not require a
+# certificate chain unless the client requests a resource protected by a
+# security constraint that uses CLIENT-CERT authentication.
+#
+# export KMS_SSL_CLIENT_AUTH=false
+
+# The comma separated list of SSL protocols to support
+#
+# export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+
 # The comma separated list of encryption ciphers for SSL
 #
 # export KMS_SSL_CIPHERS=
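Review bot: The commented example on the `KMS_SSL_ENABLED_PROTOCOLS` line offers `TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello` as the value to copy, with no warning that TLSv1 and TLSv1.1 are deprecated protocol versions and that `SSLv2Hello` exists only to accept legacy ClientHello framing; since kms-env.sh is the template operators edit, that is where the caveat belongs. The default itself matches the value previously hard-coded in ssl-server.xml, so this is a documentation gap rather than a regression. I would add above the example: `# Hardened deployments should restrict this to "TLSv1.2" (plus newer versions where the JVM supports them); TLSv1, TLSv1.1 and SSLv2Hello are only in the default for legacy clients.` The `KMS_SSL_CLIENT_AUTH` comment could likewise state plainly that only `true` enforces mutual TLS, so `want` must not be relied on for authentication.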

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh 
b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
index 210b87a..41eae0e 100644
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -177,6 +177,20 @@ else
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 fi
 
+if [ "${KMS_SSL_CLIENT_AUTH}" = "" ]; then
+  export KMS_SSL_CLIENT_AUTH="false"
+  print "Setting KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
+else
+  print "Using   KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
+fi
+
+if [ "${KMS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
+  export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+  print "Setting KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
+else
+  print "Using   KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
+fi
+
 if [ "${KMS_SSL_CIPHERS}" = "" ]; then
   export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
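Review bot: `KMS_SSL_CLIENT_AUTH` is exported and printed in the `else` branch without being validated, although Tomcat's `clientAuth` attribute is documented with just the three values `true`, `want` and `false`; a typo such as `True` or `yes` is passed straight through to the connector, and how an unrecognised value is treated is then Tomcat's decision, so a misconfigured mutual-TLS requirement could plausibly degrade to no client authentication without any error. Rejecting anything outside the three documented values at startup is cheap and fails closed. The protocol list is passed through unchecked as well, but its failure mode (no usable protocol) is at least noisy, so I would start with the client-auth value.

```shell
if [ "${KMS_SSL_CLIENT_AUTH}" = "" ]; then
  export KMS_SSL_CLIENT_AUTH="false"
  print "Setting KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
else
  # Tomcat's clientAuth only documents these three values; anything else is a
  # misconfiguration that must not silently weaken client authentication.
  case "${KMS_SSL_CLIENT_AUTH}" in
    true|want|false) ;;
    *)
      echo "ERROR: KMS_SSL_CLIENT_AUTH must be 'true', 'want' or 'false' (got '${KMS_SSL_CLIENT_AUTH}')" >&2
      exit 1
      ;;
  esac
  print "Using   KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
fi
# … unchanged: KMS_SSL_ENABLED_PROTOCOLS and KMS_SSL_CIPHERS defaulting …
```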

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh 
b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
index f93f34b..ce3c136 100644
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -87,6 +87,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
     "${KMS_ACCEPTOR_THREAD_COUNT}"
   catalina_set_property "kms.max.http.header.size" \
     "${KMS_MAX_HTTP_HEADER_SIZE}"
+  catalina_set_property "kms.ssl.client.auth" "${KMS_SSL_CLIENT_AUTH}"
+  catalina_set_property "kms.ssl.enabled.protocols" \
+    "${KMS_SSL_ENABLED_PROTOCOLS}"
   catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
   catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml 
b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
index 6c28c7d..73be5f8 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
@@ -73,7 +73,8 @@
                acceptCount="${kms.accept.count}"
                acceptorThreadCount="${kms.acceptor.thread.count}"
                maxHttpHeaderSize="${kms.max.http.header.size}"
-               clientAuth="false" 
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+               clientAuth="${kms.ssl.client.auth}"
+               sslEnabledProtocols="${kms.ssl.enabled.protocols}"
                ciphers="${kms.ssl.ciphers}"
                truststorePass="${kms.ssl.truststore.pass}"
                keystoreFile="${kms.ssl.keystore.file}"
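Review bot: `clientAuth="${kms.ssl.client.auth}"` replaces a literal `false` with a placeholder that has no fallback in this file, so if Tomcat is launched by anything other than sbin/kms.sh (the only place visible here that sets `kms.ssl.client.auth`), the unreplaced placeholder string reaches the connector. What Tomcat does with a `clientAuth` value that is not `true`/`want`/`false` is its call, and I would expect it to end up not requiring a certificate rather than refusing to start, whereas an unreplaced `sslEnabledProtocols` most likely breaks SSL initialisation outright; the two attributes therefore fail in opposite directions. A comment recording where the values come from would stop the next editor from assuming the XML carries safe defaults: `<!-- kms.ssl.client.auth and kms.ssl.enabled.protocols are supplied by sbin/kms.sh from KMS_SSL_CLIENT_AUTH / KMS_SSL_ENABLED_PROTOCOLS; there is no default in this file -->`. The `<Connector>` element starts before and ends after this hunk.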

http://git-wip-us.apache.org/repos/asf/hadoop/blob/145d716a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm 
b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
index bfe1b88..74e84a8 100644
--- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
@@ -301,11 +301,20 @@ The answer to "What is your first and last name?" (i.e. 
"CN") must be the hostna
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
+
+Set environment variable `KMS_SSL_CLIENT_AUTH` to change client
+authentication. The default is `false`. See `clientAuth` in
+[Tomcat 6.0 SSL 
Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
+Set environment variable `KMS_SSL_ENABLED_PROTOCOLS` to specify a list of
+enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
+`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
+[Tomcat 6.0 SSL 
Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
+
 In order to support some old SSL clients, the default encryption ciphers
 include a few relatively weaker ciphers. Set environment variable
-`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
-comma separated list of ciphers documented in this
-[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
+`KMS_SSL_CIPHERS` to override. The value is a comma separated list of ciphers
+documented in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
 
 $H4 ACLs (Access Control Lists)
 

