[jira] [Commented] (AMBARI-14778) Ambari Server CA should use sha265 as default message digest algorthm

Mon, 25 Jan 2016 22:43:50 -0800 

    [ 
https://issues.apache.org/jira/browse/AMBARI-14778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15116783#comment-15116783
 ] 

Hadoop QA commented on AMBARI-14778:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest 
attachment 
  
http://issues.apache.org/jira/secure/attachment/12784289/AMBARI-14778_trunk_01.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author 
tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include 
any new or modified tests.
                        Please justify why no new tests are needed for this 
patch.
                        Also please list what manual steps were performed to 
verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the 
total number of javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase 
the total number of release audit warnings.

    {color:green}+1 core tests{color}.  The patch passed unit tests in 
ambari-server.

Test results: 
https://builds.apache.org/job/Ambari-trunk-test-patch/5058//testReport/
Console output: 
https://builds.apache.org/job/Ambari-trunk-test-patch/5058//console

This message is automatically generated.

> Ambari Server CA should use sha265 as default message digest algorthm
> ---------------------------------------------------------------------
>
>                 Key: AMBARI-14778
>                 URL: https://issues.apache.org/jira/browse/AMBARI-14778
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.1
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.2.2
>
>         Attachments: AMBARI-14778_branch-2.2_01.patch, 
> AMBARI-14778_trunk_01.patch
>
>
> The Ambari Server (built-in) CA should use {{SHA265}} as default message 
> digest algorithm rather than the no longer trusted {{MD5}} and {{SHA1}} 
> digest algorithms.
> To do this, change the following line (in both the unix and windows version 
> of the file):
> {code:title=ambari-server/conf/unix/ca.config}
> default_md             = md5 
> {code}
> To
> {code:title=ambari-server/conf/unix/ca.config}
> default_md             = sha256
> {code}
> Note: This directly affects 2-way SSL between Ambari server and the agents 
> due to security constraints in newer JVMs, like 
> {noformat}
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
> OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
> {noformat}
> The following error in the ambari-agent log may indicate that the agent's SSL 
> certificate is signed using MD5:
> {noformat:title=ambari-agent.log}
> ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: 
> https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 
> 140, in registerWithServer
>     ret = self.sendRequest(self.registerUrl, data)
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 
> 413, in sendRequest
>     raise IOError('Request to {0} failed due to {1}'.format(url, 
> str(exception)))
> IOError: Request to 
> https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
>  failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to 
> https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
>  failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> {noformat}
> The following error in the ambari-server log (when logging DEBUG messages) 
> indicates that the agent's SSL certificate is signed using MD5, which is not 
> supported by the underling JVM:
> {noformat:title=ambari-server.log}
> 22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 -
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>         at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>         at 
> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>         at 
> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>         at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>         at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>         at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465)
>         at 
> org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
>         at 
> org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at 
> org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at 
> org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at 
> org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at 
> org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at 
> org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at 
> org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>         at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
>         at 
> sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>         at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>         at 
> org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
>         ... 12 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation 
> failed: java.security.cert.CertPathValidatorException: Algorithm constraints 
> check failed: MD5withRSA
>         at 
> sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
>         at 
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
>         at sun.security.validator.Validator.validate(Validator.java:260)
>         at 
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>         at 
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>         at 
> sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>         at 
> sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
>         ... 19 more
> Caused by: java.security.cert.CertPathValidatorException: Algorithm 
> constraints check failed: MD5withRSA
>         at 
> sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>         at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
>         at 
> sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
>         at 
> sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
>         at 
> java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>         at 
> sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
>         ... 25 more
> {noformat}
> *Workaround*
> To work around this, the ambari-agent SSL certificates need to be regenerated 
> using a more secure digest algorithm, like {{SHA256}}.  To do this, first 
> edit the Ambari server {{ca.config}} file at 
> {{/var/lib/ambari-server/keys/ca.config}} to change 
> {code}
> default_md             = md5 
> {code}
> to
> {code}
> default_md             = sha256 
> {code}
> The Ambari server does not need to be restarted.
> Then on each host of the cluster, remove the {{crt}} and {{key}} files from 
> {{/var/lib/ambari-agent/keys/}} and restart the agent. For example:
> {noformat}
> rm /var/lib/ambari-agent/keys/HOSTAME.*
> ambari-agent restart
> {noformat}
> _Replacing HOSTNAME with the name of the relevant host_



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to