[ 
https://issues.apache.org/jira/browse/AMBARI-20583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15945565#comment-15945565
 ] 

Sandor Magyari commented on AMBARI-20583:
-----------------------------------------

Committed to trunk: 

{code}
commit 165ec700f0f4e5c83a30bb7591df0fa1a8cfec9a
Author: Attila Magyar <[email protected]>
Date:   Tue Mar 28 19:10:40 2017 +0200

    AMBARI-20583. Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above (Attila Magyar via sandor_magyari)
{code}

> Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 
> 1.8 and above     
> ------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-20583
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20583
>             Project: Ambari
>          Issue Type: Task
>          Components: ambari-server
>    Affects Versions: 2.5.1
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>             Fix For: 2.5.1
>
>         Attachments: AMBARI-20583.patch
>
>
> Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 
> 1.8 and above.
> This can already be done by manually editing the ambari-env.sh file 
> (/var/lib/ambari-server/ambari-env.sh) and adding the following to the 
> AMBARI_JVM_ARGS environment variable:
> -Djdk.tls.ephemeralDHKeySize=2048
> The jdk.tls.ephemeralDHKeySize property is only available in Java VM versions 
> 1.8 and above. However, it may not be supported by all Java vendors. Both 
> Oracle and OpenJDK JVM appear to support it.
> See 
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
>  for more information.
> To help users set this value, Ambari should provide a property in the 
> ambari.properties file. If a supported JVM is in use, Ambari should 
> internally set the System property (before creating the embedded web server) 
> as specified by the user. A possible Ambari property name could be 
> security.server.tls.ephemeral_dh_key_size. If not set, its default value 
> should be 2048.
> To test the Ephemeral DH key size, the OpenSSL s_client utility may be used 
> to query the Ambari server's HTTPS port(s):
> openssl s_client -connect `hostname -f`:8441 -cipher "EDH"



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
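
The s_client test described in the issue, turned into a pass/fail check. This is an added example, not part of the JIRA issue or the Ambari patch. The function names are hypothetical, the handshake excerpts are constructed, and it relies on the `Server Temp Key:` line that OpenSSL 1.0.2 and later print.

```sh
#!/bin/sh
# Added example: verify the ephemeral DH size reported by openssl s_client.

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_1024='---
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_2048='---
Server Temp Key: DH, 2048 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_ECDH='---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

# Print the bit length of the finite-field DH temp key read from stdin.
# "Server public key is ..." is the certificate key and is ignored on purpose.
# Returns non-zero when no DH temp key line exists (for example ECDHE).
dh_temp_key_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' | head -n 1 | grep .
}

# check_dh_size MIN_BITS  (s_client output on stdin)
# Exit 0: key >= MIN_BITS, 1: key too small, 2: no DH temp key negotiated.
check_dh_size() {
  _bits=$(dh_temp_key_bits) || { echo "no DH temp key in handshake" >&2; return 2; }
  if [ "$_bits" -lt "$1" ]; then
    echo "WEAK: ephemeral DH is $_bits bits, want >= $1" >&2
    return 1
  fi
  echo "OK: ephemeral DH is $_bits bits"
}

# Live check using the command from the issue; 8441 is the port shown there.
# Usage: probe_ambari "$(hostname -f)" [port] [min_bits]
probe_ambari() {
  openssl s_client -connect "$1:${2:-8441}" -cipher "EDH" </dev/null 2>/dev/null |
    check_dh_size "${3:-2048}"
}
```

Exit code 2 keeps a handshake that negotiated no DHE suite from being counted as a pass.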
