ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-22417) Ambari checks fail with FIPS mode is activated on the OS
Date Mon, 13 Nov 2017 10:23:00 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-22417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-22417:
----------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

Committed to trunk
{noformat}
commit 5122671d0076612f4b39f4ae51c2ad627544d768 
Author: Robert Levas <rlevas@hortonworks.com>
Date:   Mon Nov 13 05:20:25 2017 -0500
{noformat}

Committed to branch-2.6
{noformat}
commit a9af58a50f4ab07fc0d93fc51893d78ccb8da5f5
Author: Robert Levas <rlevas@hortonworks.com>
Date:   Mon Nov 13 05:21:19 2017 -0500
{noformat}

> Ambari checks fail with FIPS mode is activated on the OS
> --------------------------------------------------------
>
>                 Key: AMBARI-22417
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22417
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent, ambari-server
>    Affects Versions: 2.5.1
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>             Fix For: 2.6.1
>
>         Attachments: AMBARI-22417_branch-2.6_01.patch, AMBARI-22417_trunk_01.patch
>
>
> Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables
weak ciphers (such as MD5). 
> Ambari code is doing 
> {code}
> ccache_file_name = _md5("
> {0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so
ambari throws errors.
> {code}
> - All service checks fail, Ranger KMS start fails via ambari. 
> - However all the services are actually running and fine. 
> - Also Ranger KMS succesfully started from command Line
> Here is the stack trace from Ambari
> {code}
> service_check
> params.kinit_path_local, False, None, params.smoke_user)
> File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py",
line 109, in curl_krb_request
> ccache_file_name = _md5("{0}
> |
> {1}
> ".format(principal, keytab)).hexdigest()
> ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> {code}
> Fix: 
> MD5 is disabled on the OS, Code needs to be updated to use SHA?
> This is required when FIPS mode is enabled on the RHEL OS



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message