https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98909#M12151 <P><A href="https://community.hortonworks.com/questions/6093/ambari-server-210-how-to-enable-tlsv12-for-the-por.html#">@Andy LoPresto</A>: It's not that I'm trying to open multiple HTTPS connections. Ports 8440 and 8441 are used by the Ambari server for secure (HTTPS) communication with the agents in the cluster, see <A href="https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/reference_chap2_7.html">here</A>. My question is how to enable TLSv1.2 transport for these two secure connections.</P> Mon, 14 Dec 2015 20:31:15 GMT ppedemonte 2015-12-14T20:31:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98907#M12149 <P>Our stringent security policies require using TLSv1.2 for connections supporting SSL/TLS traffic. Since ports 8440 and 8441 use HTTPS, I need to enable TLSv1.2 for both. I couldn't find anything in the documentation suggesting that it's possible to configure the underlying SSL protocol used by secure connections. Is this kind of setup supported by Ambari v2.1.0?</P> Sat, 12 Dec 2015 03:03:34 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98907#M12149 ppedemonte 2015-12-12T03:03:34Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98908#M12150 <P>Pablo, you use both ports for TLS traffic? Default HTTPS is 8443, but to change the port, you can refer to <A target="_blank" href="https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-chap2-2a.html">this document</A> from v 1.2.5. I am not sure if Ambari is able to open multiple ports for HTTPS simultaneously. </P> Sun, 13 Dec 2015 06:46:56 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98908#M12150 alopresto 2015-12-13T06:46:56Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98909#M12151 <P><A href="https://community.hortonworks.com/questions/6093/ambari-server-210-how-to-enable-tlsv12-for-the-por.html#">@Andy LoPresto</A>: It's not that I'm trying to open multiple HTTPS connections. Ports 8440 and 8441 are used by the Ambari server for secure (HTTPS) communication with the agents in the cluster, see <A href="https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/reference_chap2_7.html">here</A>. My question is how to enable TLSv1.2 transport for these two secure connections.</P> Mon, 14 Dec 2015 20:31:15 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98909#M12151 ppedemonte 2015-12-14T20:31:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98910#M12152 <P> To configure the cipher suites used for Ambari server, you can use the following settings in <CODE>ambari.properties</CODE>. Even though it is not listed in the example below, you should be able to provide <CODE>TLSv1</CODE> and <CODE>TLSv1.1</CODE> as an option to disable it and allow only <CODE>TLSv1.2</CODE> to be used. </P> <BLOCKQUOTE> Ambari provides control of ciphers and protocols that are exposed via Ambari Server. <OL> <LI>To disable specific ciphers, you can optionally add a list of the following format to ambari.properties. If you specify multiple ciphers, separate each cipher using a vertical bar |. <CODE>security.server.disabled.ciphers=TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</CODE></LI> <LI>To disable specific protocols, you can optionally add a list of the following format to ambari.properties. If you specify multiple protocols, separate each protocol using a vertical bar |. <CODE>security.server.disabled.protocols=SSL|SSLv2|SSLv3</CODE></LI> </OL> </BLOCKQUOTE> <P> See section 3.8 of the <A target="_blank" href="http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/bk_Ambari_Security_Guide-20150721.pdf">Hortonworks Data Platform Ambari Security Guide. </A> </P> Tue, 15 Dec 2015 02:36:33 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98910#M12152 alopresto 2015-12-15T02:36:33Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98911#M12153 <P><A rel="user" href="https://community.cloudera.com/users/1306/ppedemonte.html" nodeid="1306">@Pablo Pedemonte</A> Sorry, I misunderstood your question. I've added an answer below. </P> Tue, 15 Dec 2015 02:37:09 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98911#M12153 alopresto 2015-12-15T02:37:09Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98912#M12154 <P> Thanks Andy.</P><P> Indeed a setting of the form <CODE>security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1|TLSv1.1</CODE> disables all the unwanted protocols. But this cuts all the communication with the nodes, since for some reason <CODE>TLSv1.2</CODE> isn't active by default and there's no option to enable protocols. So I ended up creating my own Ambari fork, where I explicitly enable <CODE>TLSv1.2</CODE> in the source code. Then, disabling the <CODE>SSL</CODE> family and the old <CODE>TLS</CODE> protocols leaves only <CODE>TLSv1.2</CODE> as intended.</P><P>Problem solved.</P> Thu, 17 Dec 2015 22:38:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98912#M12154 ppedemonte 2015-12-17T22:38:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98913#M12155 <P>Thanks Pablo. I'm not an Ambari expert so I didn't realize TLS v1.2 was not enabled by default. I checked the Ambari issue tracker and they don't seem to have an issue for this yet, so I'm sure they would appreciate you <A target="_blank" href="https://issues.apache.org/jira/browse/AMBARI/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel">submitting a ticket</A> and including your patch.</P> Fri, 18 Dec 2015 01:22:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98913#M12155 alopresto 2015-12-18T01:22:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98914#M12156 <P><A rel="user" href="https://community.cloudera.com/users/1306/ppedemonte.html" nodeid="1306">@Pablo Pedemonte</A> <A rel="user" href="https://community.cloudera.com/users/595/alopresto.html" nodeid="595">@Andy LoPresto</A> this was addressed in Ambari 2.4.2 per <A href="https://issues.apache.org/jira/browse/AMBARI-18910" target="_blank">https://issues.apache.org/jira/browse/AMBARI-18910</A></P> Thu, 23 Mar 2017 05:16:30 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98914#M12156 slachterman 2017-03-23T05:16:30Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98915#M12157 <P>Any reason why Ambari still enables SSLv2 and SSLv3 by default? Those were considered insecure 7+ years ago. Since Feb 2014, all modern browsers have supported TLSv1.2. </P> Thu, 23 Mar 2017 05:31:35 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-server-2-1-0-How-to-enable-TLSv1-2-for-the-ports-8440/m-p/98915#M12157 alopresto 2017-03-23T05:31:35Z