ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Hill (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-14778) Ambari Server CA should use sha265 as default message digest algorthm
Date Mon, 25 Jan 2016 17:14:40 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-14778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115570#comment-15115570
] 

Greg Hill commented on AMBARI-14778:
------------------------------------

I have tested using sha256 with the latest openjdk and everything seems to work fine.  Are
there any concerns that sha256 won't be supported by some supported OS or can we just patch
those 2 ca.config files and call it a day?

> Ambari Server CA should use sha265 as default message digest algorthm
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-14778
>                 URL: https://issues.apache.org/jira/browse/AMBARI-14778
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.1
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.2.2
>
>
> The Ambari Server (built-in) CA should use {{SHA265}} as default message digest algorithm
rather than the no longer trusted {{MD5}} and {{SHA1}} digest algorithms.
> To do this, change the following line (in both the unix and windows version of the file):
> {code:title=ambari-server/conf/unix/ca.config}
> default_md             = md5 
> {code}
> To
> {code:title=ambari-server/conf/unix/ca.config}
> default_md             = sha256
> {code}
> Note: This directly affects 2-way SSL between Ambari server and the agents due to security
constraints in newer JVMs, like 
> {noformat}
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
> OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
> {noformat}
> The following error in the ambari-agent log may indicate that the agent's SSL certificate
is signed using MD5:
> {noformat:title=ambari-agent.log}
> ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 140, in registerWithServer
>     ret = self.sendRequest(self.registerUrl, data)
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 413, in sendRequest
>     raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
> IOError: Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> {noformat}
> The following error in the ambari-server log (when logging DEBUG messages) indicates
that the agent's SSL certificate is signed using MD5, which is not supported by the underling
JVM:
> {noformat:title=ambari-server.log}
> 22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 -
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>         at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>         at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>         at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>         at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>         at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>         at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
>         ... 12 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException:
Algorithm constraints check failed: MD5withRSA
>         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>         at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
>         ... 19 more
> Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check
failed: MD5withRSA
>         at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>         at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
>         at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
>         at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
>         at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
>         ... 25 more
> {noformat}
> *Workaround*
> To work around this, the ambari-agent SSL certificates need to be regenerated using a
more secure digest algorithm, like {{SHA256}}.  To do this, first edit the Ambari server {{ca.config}}
file at {{/var/lib/ambari-server/keys/ca.config}} to change 
> {code}
> default_md             = md5 
> {code}
> to
> {code}
> default_md             = sha256 
> {code}
> The Ambari server does not need to be restarted.
> Then on each host of the cluster, remove the {{crt}} and {{key}} files from {{/var/lib/ambari-agent/keys/}}
and restart the agent. For example:
> {noformat}
> rm /var/lib/ambari-agent/keys/HOSTAME.*
> ambari-agent restart
> {noformat}
> _Replacing HOSTNAME with the name of the relevant host_



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message