Created 12-11-2015 07:03 PM
Our stringent security policies require using TLSv1.2 for connections supporting SSL/TLS traffic. Since ports 8440 and 8441 use HTTPS, I need to enable TLSv1.2 for both. I couldn't find anything in the documentation suggesting that it's possible to configure the underlying SSL protocol used by secure connections. Is this kind of setup supported by Ambari v2.1.0?
Created 12-14-2015 06:36 PM
To configure the cipher suites used for Ambari server, you can use the following settings in ambari.properties. Even though it is not listed in the example below, you should be able to provide TLSv1 and TLSv1.1 as options to disable them and allow only TLSv1.2 to be used.
Ambari provides control of ciphers and protocols that are exposed via Ambari Server.
- To disable specific ciphers, you can optionally add a list of the following format to ambari.properties. If you specify multiple ciphers, separate each cipher using a vertical bar |.
security.server.disabled.ciphers=TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- To disable specific protocols, you can optionally add a list of the following format to ambari.properties. If you specify multiple protocols, separate each protocol using a vertical bar |.
security.server.disabled.protocols=SSL|SSLv2|SSLv3
See section 3.8 of the Hortonworks Data Platform Ambari Security Guide.
Created 12-12-2015 10:46 PM
Pablo, you use both ports for TLS traffic? Default HTTPS is 8443, but to change the port, you can refer to this document from v 1.2.5. I am not sure if Ambari is able to open multiple ports for HTTPS simultaneously.
Created 12-14-2015 12:31 PM
@Andy LoPresto: It's not that I'm trying to open multiple HTTPS connections. Ports 8440 and 8441 are used by the Ambari server for secure (HTTPS) communication with the agents in the cluster, see here. My question is how to enable TLSv1.2 transport for these two secure connections.
Created 12-17-2015 02:38 PM
Thanks Andy.
Indeed a setting of the form security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1|TLSv1.1 disables all the unwanted protocols. But this cuts all the communication with the nodes, since for some reason TLSv1.2 isn't active by default and there's no option to enable protocols. So I ended up creating my own Ambari fork, where I explicitly enable TLSv1.2 in the source code. Then, disabling the SSL family and the old TLS protocols leaves only TLSv1.2 as intended.
Problem solved.
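The two ambari.properties keys from the answer above, and the failure mode just described (disabling every legacy protocol on a build where TLSv1.2 is not in the enabled set, which leaves the agent ports with nothing to negotiate), can be checked before restarting the server. This is an added example, not Ambari code; the set of protocols enabled before the disabled list is applied is an assumption passed in by the caller, since it depends on the Ambari and JVM version.

```python
"""Lint security.server.disabled.protocols / .ciphers in an ambari.properties file.

Added example (not part of Ambari). The protocols enabled before the
disabled list is applied are an ASSUMPTION supplied by the caller.
"""

WEAK_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample containing only the two keys discussed in the thread.
SAMPLE_PROPERTIES = """\
# ambari.properties (constructed sample)
security.server.disabled.ciphers=TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1|TLSv1.1
"""


def parse_properties(text):
    """Minimal .properties parser: key=value lines; '#'/'!' comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def pipe_list(value):
    """Ambari separates multiple ciphers or protocols with a vertical bar."""
    return {item.strip() for item in value.split("|") if item.strip()}


def lint_tls(text, enabled_by_default):
    """Return (protocols still enabled, disabled cipher suites, findings)."""
    props = parse_properties(text)
    disabled = pipe_list(props.get("security.server.disabled.protocols", ""))
    ciphers = pipe_list(props.get("security.server.disabled.ciphers", ""))
    remaining = set(enabled_by_default) - disabled
    findings = []
    if not remaining:  # the outage described in the thread
        findings.append("no protocol left enabled: agents on 8440/8441 cannot connect")
    weak_left = remaining & WEAK_PROTOCOLS
    if weak_left:
        findings.append("weak protocols still enabled: " + ", ".join(sorted(weak_left)))
    return remaining, ciphers, findings


if __name__ == "__main__":
    # Assumed enabled sets: without TLSv1.2 (pre-fix behaviour) and with it.
    for defaults in ({"SSLv3", "TLSv1", "TLSv1.1"}, {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}):
        print(lint_tls(SAMPLE_PROPERTIES, defaults))
```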
Created 12-17-2015 05:22 PM
Thanks Pablo. I'm not an Ambari expert so I didn't realize TLS v1.2 was not enabled by default. I checked the Ambari issue tracker and they don't seem to have an issue for this yet, so I'm sure they would appreciate you submitting a ticket and including your patch.
Created 03-22-2017 10:16 PM
@Pablo Pedemonte @Andy LoPresto this was addressed in Ambari 2.4.2 per https://issues.apache.org/jira/browse/AMBARI-18910
Created 03-22-2017 10:31 PM
Any reason why Ambari still enables SSLv2 and SSLv3 by default? Those were considered insecure 7+ years ago. Since Feb 2014, all modern browsers have supported TLSv1.2.
Created 12-14-2015 06:37 PM
@Pablo Pedemonte Sorry, I misunderstood your question. I've added an answer below.