This applies to CentOS6/RHEL6. For CentOS7/RHEL7, please follow https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.h...

Upgrading to jdk1.8.0_171 disables some of the TLSv1_1 and TLSv1 protocols and algorithms. The only remaining option is TLS1_2, but CentOS6/RHEL6 uses Python 2.6, which does not support TLS1_2. Agent-server communication then fails with the error below.

WARNING 2018-04-24 16:35:10,989 NetUtil.py:124 - Server at https://***.***.***.***:8440 is not reachable, sleeping for 10 seconds...
INFO 2018-04-24 16:35:20,990 NetUtil.py:70 - Connecting to https://***.***.***.***:8440/ca
ERROR 2018-04-24 16:35:20,991 NetUtil.py:96 - EOF occurred in violation of protocol (_ssl.c:579)
ERROR 2018-04-24 16:35:20,991 NetUtil.py:97 - SSLError: Failed to connect. Please check openssl library versions.

To work around this problem, you can edit the /usr/jdk64/jdk1.8.0_112/jre/lib/security/java.security file on the Ambari server host to enable some of the algorithms.

From:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
			    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

To:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
			    EC keySize < 224, DES40_CBC, RC4_40

Please note that this is just a temporary workaround: removing 3DES_EDE_CBC from the disabled list re-enables 3DES cipher suites on the Ambari server. It is recommended to upgrade the OS version to use TLS1_2.
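
To track this workaround until it can be reverted, the following added example (not part of the original article or of Ambari) parses java.security text and reports which jdk.tls.disabledAlgorithms entries have been removed relative to a baseline. The parser is a simplified reading of the properties format, the function names are hypothetical, and the two sample inputs are constructed from the "From" and "To" settings above.

```python
# Added example: audit jdk.tls.disabledAlgorithms against a baseline (simplified parser).
# Constructed samples: the "From" and "To" settings shown in the article.
BASELINE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
\t\t\t    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
"""
WORKAROUND = """\
# temporary workaround for Python 2.6 agents
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
\t\t\t    EC keySize < 224, DES40_CBC, RC4_40
"""


def logical_lines(text):
    """Yield property lines with backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is dropped, also on continuations
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: the last backslash continues the line
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def disabled_algorithms(text, key="jdk.tls.disabledAlgorithms"):
    """Return the constraints listed for `key`; a later definition overrides."""
    value = ""
    for line in logical_lines(text):
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest
    return [item.strip() for item in value.split(",") if item.strip()]


def reenabled(baseline, current):
    """Constraints disabled in `baseline` but no longer disabled in `current`."""
    still_disabled = set(disabled_algorithms(current))
    return [a for a in disabled_algorithms(baseline) if a not in still_disabled]


if __name__ == "__main__":
    for name in reenabled(BASELINE, WORKAROUND):
        print("re-enabled relative to baseline: " + name)
```

To audit a real host, pass the contents of the installed java.security file as `current` and a copy of the vendor default as `baseline`.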
