You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2017/11/10 16:30:00 UTC

[jira] [Created] (AMBARI-22417) Ambari checks fail with FIPS mode is activated on the OS

Robert Levas created AMBARI-22417:
-------------------------------------

             Summary: Ambari checks fail with FIPS mode is activated on the OS
                 Key: AMBARI-22417
                 URL: https://issues.apache.org/jira/browse/AMBARI-22417
             Project: Ambari
          Issue Type: Bug
          Components: ambari-agent, ambari-server
    Affects Versions: 2.5.1
            Reporter: Robert Levas
            Assignee: Robert Levas
            Priority: Critical
             Fix For: 2.6.1


Ambari checks fail with FIPS mode is activated on the OS (Rhel7). FIPS mode disables weak ciphers (such as MD5). 
Ambari code is doing 

{code}
ccache_file_name = _md5("
{0}|{1}".format(principal, keytab)).hexdigest(). MD5 is disabled on the OS (RHEL7) so ambari throws errors.
{code}

- All service checks fail, Ranger KMS start fails via ambari. 
- However all the services are actually running and fine. 

- Also Ranger KMS succesfully started from command Line

Here is the stack trace from Ambari

{code}
service_check
params.kinit_path_local, False, None, params.smoke_user)
File "/usr/lib/python2.6/site-packages/resource_management/libraries/functions/curl_krb_request.py", line 109, in curl_krb_request
ccache_file_name = _md5("{0}
|
{1}
".format(principal, keytab)).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
{code}

Fix: 
MD5 is disabled on the OS, Code needs to be updated to use SHA?

This is required when FIPS mode is enabled on the RHEL OS




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)