Date: Mon, 27 Mar 2017 12:25:41 +0000 (UTC)
From: "Attila Magyar (JIRA)"
To: issues@ambari.apache.org
Subject: [jira] [Updated] (AMBARI-20583) Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above

     [ https://issues.apache.org/jira/browse/AMBARI-20583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Magyar updated AMBARI-20583:
-----------------------------------
    Attachment: AMBARI-20583.patch

> Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above
> ------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-20583
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20583
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>         Attachments: AMBARI-20583.patch
>
>
> Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above.
> This can already be done by manually editing the ambari-env.sh file (/var/lib/ambari-server/ambari-env.sh) and adding the following to the AMBARI_JVM_ARGS environment variable:
> -Djdk.tls.ephemeralDHKeySize=2048
> The jdk.tls.ephemeralDHKeySize property is only available in Java VM versions 1.8 and above. However, it may not be supported by all Java vendors. Both Oracle and OpenJDK JVM appear to support it.
> See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys for more information.
> To help users set this value, Ambari should provide a property in the ambari.properties file. If a supported JVM is in use, Ambari should internally set the System property (before creating the embedded web server) as specified by the user. A possible Ambari property name could be security.server.tls.ephemeral_dh_key_size. If not set, its default value should be 2048.
> To test the Ephemeral DH key size, the OpenSSL s_client utility may be used to query the Ambari server's HTTPS port(s):
> openssl s_client -connect `hostname -f`:8441 -cipher "EDH"

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
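
An added example (not part of the original JIRA message or of Ambari's code): a shell check that reads the `Server Temp Key` line from the output of the `openssl s_client` command quoted above and fails when the ephemeral DH key is smaller than required. It assumes OpenSSL 1.0.2 or later, which prints that line; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the ephemeral DH key size reported by `openssl s_client`.
# Assumes OpenSSL 1.0.2+, which prints a "Server Temp Key:" line.

# Print the bit length of the server's finite-field DH temp key, reading
# s_client output on stdin. Prints nothing when no DHE key was negotiated.
dh_temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1
}

# Return 0 if the DH key on stdin is at least $1 bits, 1 if it is smaller,
# 2 if the output shows no DH temp key (ECDHE negotiated, handshake failed).
check_dh_key_size() {
    min_bits=$1
    bits=$(dh_temp_key_bits)
    if [ -z "$bits" ]; then
        echo "UNKNOWN: no DH temp key in s_client output" >&2
        return 2
    fi
    if [ "$bits" -lt "$min_bits" ]; then
        echo "WEAK: ephemeral DH key is $bits bits, need >= $min_bits" >&2
        return 1
    fi
    echo "OK: ephemeral DH key is $bits bits"
}

# Constructed, trimmed s_client outputs (not captured from a real server).
SAMPLE_1024='---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_2048='---
Server Temp Key: DH, 2048 bits
---'
SAMPLE_ECDH='---
Server Temp Key: ECDH, P-256, 256 bits
---'

# Live use against the port from the message above:
#   openssl s_client -connect "$(hostname -f)":8441 -cipher "EDH" \
#       </dev/null 2>/dev/null | check_dh_key_size 2048
```

A return code of 2 means the handshake did not use finite-field DHE at all, so the key size setting was not exercised by that connection.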