You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Greg Hill (JIRA)" <ji...@apache.org> on 2016/01/25 18:14:40 UTC
[jira] [Commented] (AMBARI-14778) Ambari Server CA should use
sha265 as default message digest algorthm
[ https://issues.apache.org/jira/browse/AMBARI-14778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115570#comment-15115570 ]
Greg Hill commented on AMBARI-14778:
------------------------------------
I have tested using sha256 with the latest openjdk and everything seems to work fine. Are there any concerns that sha256 won't be supported by some supported OS or can we just patch those 2 ca.config files and call it a day?
> Ambari Server CA should use sha265 as default message digest algorthm
> ---------------------------------------------------------------------
>
> Key: AMBARI-14778
> URL: https://issues.apache.org/jira/browse/AMBARI-14778
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.1
> Reporter: Robert Levas
> Assignee: Robert Levas
> Fix For: 2.2.2
>
>
> The Ambari Server (built-in) CA should use {{SHA265}} as default message digest algorithm rather than the no longer trusted {{MD5}} and {{SHA1}} digest algorithms.
> To do this, change the following line (in both the unix and windows version of the file):
> {code:title=ambari-server/conf/unix/ca.config}
> default_md = md5
> {code}
> To
> {code:title=ambari-server/conf/unix/ca.config}
> default_md = sha256
> {code}
> Note: This directly affects 2-way SSL between Ambari server and the agents due to security constraints in newer JVMs, like
> {noformat}
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
> OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
> {noformat}
> The following error in the ambari-agent log may indicate that the agent's SSL certificate is signed using MD5:
> {noformat:title=ambari-agent.log}
> ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
> Traceback (most recent call last):
> File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 140, in registerWithServer
> ret = self.sendRequest(self.registerUrl, data)
> File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 413, in sendRequest
> raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
> IOError: Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> {noformat}
> The following error in the ambari-server log (when logging DEBUG messages) indicates that the agent's SSL certificate is signed using MD5, which is not supported by the underling JVM:
> {noformat:title=ambari-server.log}
> 22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 -
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465)
> at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
> at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
> at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715)
> at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
> at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
> at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
> at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
> at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
> at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
> at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
> at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
> ... 12 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
> at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
> ... 19 more
> Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
> at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
> at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
> at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
> at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
> at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
> at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
> ... 25 more
> {noformat}
> *Workaround*
> To work around this, the ambari-agent SSL certificates need to be regenerated using a more secure digest algorithm, like {{SHA256}}. To do this, first edit the Ambari server {{ca.config}} file at {{/var/lib/ambari-server/keys/ca.config}} to change
> {code}
> default_md = md5
> {code}
> to
> {code}
> default_md = sha256
> {code}
> The Ambari server does not need to be restarted.
> Then on each host of the cluster, remove the {{crt}} and {{key}} files from {{/var/lib/ambari-agent/keys/}} and restart the agent. For example:
> {noformat}
> rm /var/lib/ambari-agent/keys/HOSTAME.*
> ambari-agent restart
> {noformat}
> _Replacing HOSTNAME with the name of the relevant host_
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)