From shweth...@apache.org
Subject incubator-atlas git commit: ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags)
Date Mon, 22 Feb 2016 06:24:42 GMT
Repository: incubator-atlas
Updated Branches:
  refs/heads/master 648c8d8f6 -> 95590d230


ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags)


Project: http://git-wip-us.apache.org/repos/asf/incubator-atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-atlas/commit/95590d23
Tree: http://git-wip-us.apache.org/repos/asf/incubator-atlas/tree/95590d23
Diff: http://git-wip-us.apache.org/repos/asf/incubator-atlas/diff/95590d23

Branch: refs/heads/master
Commit: 95590d23017523cc006359fe5b5be389c7aa0c0b
Parents: 648c8d8
Author: Shwetha GS <sshivalingamurthy@hortonworks.com>
Authored: Mon Feb 22 11:54:35 2016 +0530
Committer: Shwetha GS <sshivalingamurthy@hortonworks.com>
Committed: Mon Feb 22 11:54:35 2016 +0530

----------------------------------------------------------------------
 .../org/apache/atlas/security/SecurityProperties.java    |  6 ++++++
 docs/src/site/twiki/security.twiki                       |  1 +
 release-log.txt                                          |  1 +
 .../apache/atlas/web/service/SecureEmbeddedServer.java   | 11 +++++++++--
 4 files changed, 17 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
----------------------------------------------------------------------
diff --git a/client/src/main/java/org/apache/atlas/security/SecurityProperties.java b/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
index 5029e12..b6c8c9b 100644
--- a/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
+++ b/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
@@ -17,6 +17,9 @@
  */
 package org.apache.atlas.security;
 
+import java.util.Arrays;
+import java.util.List;
+
 /**
  *
  */
@@ -33,4 +36,7 @@ public interface SecurityProperties {
     String CERT_STORES_CREDENTIAL_PROVIDER_PATH = "cert.stores.credential.provider.path";
     String SSL_CLIENT_PROPERTIES = "ssl-client.xml";
     String BIND_ADDRESS = "atlas.server.bind.address";
+    String ATLAS_SSL_EXCLUDE_CIPHER_SUITES = "atlas.ssl.exclude.cipher.suites";
+    List<String> DEFAULT_CIPHER_SUITES = Arrays.asList(".*NULL.*", ".*RC4.*", ".*MD5.*",".*DES.*",".*DSS.*");
+    
 }
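Review bot: The new `DEFAULT_CIPHER_SUITES` constant is built with `Arrays.asList`, which returns a fixed-size but element-settable list, so any code holding the interface constant can overwrite a pattern in place and silently weaken the exclusion list for every server that later reads it; wrap it as `List<String> DEFAULT_CIPHER_SUITES = Collections.unmodifiableList(Arrays.asList(".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"));` with `import java.util.Collections;` added to the import block above. The name also understates what the values are: they are regular-expression exclusion patterns rather than suite names, and `.*DES.*` as written also matches the 3DES suites, which is worth stating so nobody "fixes" it; a Javadoc such as `/** Regex patterns for cipher suites excluded from the SSL connector by default; a configured atlas.ssl.exclude.cipher.suites value replaces this list rather than extending it. */` would capture that. The added line before the closing brace is whitespace only and should be dropped.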

http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/docs/src/site/twiki/security.twiki
----------------------------------------------------------------------
diff --git a/docs/src/site/twiki/security.twiki b/docs/src/site/twiki/security.twiki
index fc61402..d80f5c6 100755
--- a/docs/src/site/twiki/security.twiki
+++ b/docs/src/site/twiki/security.twiki
@@ -17,6 +17,7 @@ Both SSL one-way (server authentication) and two-way (server and client
authenti
    * <code>truststore.file</code> - the path to the truststore file. This file
contains the certificates of other trusted entities (e.g. the certificates for client processes
if two-way SSL is enabled).  In most instances this can be set to the same value as the keystore.file
property (especially if one-way SSL is enabled).
    * <code>client.auth.enabled</code> (false|true) [default: false] - enable/disable
client authentication.  If enabled, the client will have to authenticate to the server during
the transport session key creation process (i.e. two-way SSL is in effect).
    * <code>cert.stores.credential.provider.path</code> - the path to the Credential
Provider store file.  The passwords for the keystore, truststore, and server certificate are
maintained in this secure file.  Utilize the cputil script in the 'bin' directoy (see below)
to populate this file with the passwords required. 
+   * <code>atlas.ssl.exclude.cipher.suites</code> - the excluded Cipher Suites
list -  *NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are
excluded by default. If additional Ciphers need to be excluded, set this property with the
default Cipher Suites such as atlas.ssl.exclude.cipher.suites=.*NULL.*, .*RC4.*, .*MD5.*,
.*DES.*, .*DSS.*, and add the additional Ciper Suites to the list with a comma separator.
They can be added with their full name or a regular expression. The Cipher Suites listed in
the atlas.ssl.exclude.cipher.suites property will have precedence over the default Cipher
Suites. One would keep the default Cipher Suites, and add additional ones to be safe. 
 	
 ---++++ Credential Provider Utility Script
 

http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 52391ba..3006aa5 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -5,6 +5,7 @@ Apache Atlas Release Notes
 INCOMPATIBLE CHANGES:
 ATLAS-409 Atlas will not import avro tables with schema read from a file (dossett@gmail.com
via shwethags)
 ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via
shwethags)
+ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags)
 
 ALL CHANGES:
 ATLAS-318 Config file conatining API endpoint + all api calls to be centralized (sanjayp
via sumasai)

http://git-wip-us.apache.org/repos/asf/incubator-atlas/blob/95590d23/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
----------------------------------------------------------------------
diff --git a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
index 8a3faff..b433e71 100755
--- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
+++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
@@ -35,6 +35,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.util.List;
 
 import static org.apache.atlas.security.SecurityProperties.CERT_STORES_CREDENTIAL_PROVIDER_PATH;
 import static org.apache.atlas.security.SecurityProperties.CLIENT_AUTH_KEY;
@@ -45,6 +46,8 @@ import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY
 import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
+import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_CIPHER_SUITES;
+import static org.apache.atlas.security.SecurityProperties.DEFAULT_CIPHER_SUITES;
 
 /**
  * This is a jetty server which requires client auth via certificates.
@@ -62,14 +65,18 @@ public class SecureEmbeddedServer extends EmbeddedServer {
 
         SslContextFactory sslContextFactory = new SslContextFactory();
         sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
-            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
+                System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
         sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
         sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
         sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
-            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
+                System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
         sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
         sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));
 
+        List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
+        sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()]));
+        sslContextFactory.setRenegotiationAllowed(false);
+
         // SSL HTTP Configuration
         // HTTP Configuration
         HttpConfiguration http_config = new HttpConfiguration();
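Review bot: The new `cipherList.toArray(new String[cipherList.size()])` call operates on a `List<Object>`, so it throws `ArrayStoreException` during server start if the configuration source hands back any element that is not a `String`, and because `getList` only falls back to `DEFAULT_CIPHER_SUITES` when the key is absent, a partial or mistyped `atlas.ssl.exclude.cipher.suites` value drops the NULL/RC4/MD5/DES/DSS exclusions entirely without leaving any trace. Converting each element with `String.valueOf` in a short loop before calling `setExcludeCipherSuites`, and logging the effective list with whatever logger the class declares (slf4j is imported at the top of the file), e.g. `LOG.info("Excluding SSL cipher suites matching {}", cipherList);`, makes both failure modes visible to an operator instead of silent. A one-line comment that these values are regular expressions interpreted by Jetty's `SslContextFactory` would also help, since `.*NULL.*` next to `setExcludeCipherSuites` reads like a literal suite name to someone unfamiliar with that API; confirm against the Jetty version in use that exclusions are regex-matched. The enclosing method starts and ends outside this hunk.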


Mime
View raw message