
Ambari server 2.1.0: How to enable TLSv1.2 for the ports 8440 and 8441?

New Contributor

Our stringent security policies require using TLSv1.2 for connections supporting SSL/TLS traffic. Since ports 8440 and 8441 use HTTPS, I need to enable TLSv1.2 for both. I couldn't find anything in the documentation suggesting that it's possible to configure the underlying SSL protocol used by secure connections. Is this kind of setup supported by Ambari v2.1.0?

1 ACCEPTED SOLUTION


To configure the cipher suites used for Ambari server, you can use the following settings in ambari.properties. Even though they are not listed in the example below, you should be able to provide TLSv1 and TLSv1.1 as options to disable them and allow only TLSv1.2 to be used.

Ambari provides control of ciphers and protocols that are exposed via Ambari Server.
  1. To disable specific ciphers, you can optionally add a list of the following format to ambari.properties. If you specify multiple ciphers, separate each cipher using a vertical bar |.
     security.server.disabled.ciphers=TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  2. To disable specific protocols, you can optionally add a list of the following format to ambari.properties. If you specify multiple protocols, separate each protocol using a vertical bar |.
     security.server.disabled.protocols=SSL|SSLv2|SSLv3

See section 3.8 of the Hortonworks Data Platform Ambari Security Guide.


8 REPLIES


Pablo, you use both ports for TLS traffic? Default HTTPS is 8443, but to change the port, you can refer to this document from v 1.2.5. I am not sure if Ambari is able to open multiple ports for HTTPS simultaneously.

New Contributor

@Andy LoPresto: It's not that I'm trying to open multiple HTTPS connections. Ports 8440 and 8441 are used by the Ambari server for secure (HTTPS) communication with the agents in the cluster, see here. My question is how to enable TLSv1.2 transport for these two secure connections.

New Contributor

Thanks Andy.

Indeed a setting of the form security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1|TLSv1.1 disables all the unwanted protocols. But this cuts all the communication with the nodes, since for some reason TLSv1.2 isn't active by default and there's no option to enable protocols. So I ended up creating my own Ambari fork, where I explicitly enable TLSv1.2 in the source code. Then, disabling the SSL family and the old TLS protocols leaves only TLSv1.2 as intended.

Problem solved.
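To verify a policy like the one above before and after rolling it out, here is an added check (not code from this thread or from the Ambari project): it parses the security.server.disabled.* keys out of an ambari.properties fragment (a constructed sample is embedded), and can probe the agent ports 8440 and 8441 on a host you name to confirm that TLSv1.2 is negotiated and TLSv1/TLSv1.1 are refused, which is exactly the case where disabling everything but TLSv1.2 silently cut agent traffic. The host name argument and the sample properties are assumptions.

```python
import socket
import ssl

# Constructed ambari.properties fragment (sample input, not a real file);
# the two security.server.* keys are the ones the accepted answer describes.
SAMPLE_PROPERTIES = """\
server.jdbc.user.name=ambari
security.server.disabled.ciphers=TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1|TLSv1.1
"""

PROTO_KEY = "security.server.disabled.protocols"
CIPHER_KEY = "security.server.disabled.ciphers"


def parse_disabled(text):
    """Return {key: set(values)} for the two disabled-* keys; values are '|'-separated."""
    found = {PROTO_KEY: set(), CIPHER_KEY: set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comment, blank, or not a key=value line
        key, _, value = line.partition("=")
        if key.strip() in found:
            found[key.strip()] = {v.strip() for v in value.split("|") if v.strip()}
    return found


def probe_tls_versions(host, port, timeout=5.0):
    """Attempt one handshake per TLS version; return {version: True if accepted}."""
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2}
    accepted = {}
    for name, ver in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing version negotiation only, not the cert chain
        try:
            ctx.minimum_version = ctx.maximum_version = ver  # pin exactly one version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted[name] = True
        except (ssl.SSLError, OSError, ValueError):
            accepted[name] = False  # refused by server, unsupported locally, or unreachable
    return accepted


def tls12_only(accepted):
    """The policy the question asks for: TLSv1.2 works and every older version is refused."""
    return accepted.get("TLSv1.2") is True and not any(accepted.get(v) for v in ("TLSv1", "TLSv1.1"))


if __name__ == "__main__":
    import sys
    print("disabled protocols:", sorted(parse_disabled(SAMPLE_PROPERTIES)[PROTO_KEY]))
    if len(sys.argv) == 2:  # e.g. python check_tls.py ambari-host  (host is an assumption)
        for port in (8440, 8441):
            result = probe_tls_versions(sys.argv[1], port)
            print(port, result, "OK" if tls12_only(result) else "NOT TLSv1.2-only")
```

A False for TLSv1.2 can also mean the port demanded a client certificate or the local OpenSSL build refuses that version, so confirm against the Ambari server log before concluding the policy is wrong.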


Thanks Pablo. I'm not an Ambari expert so I didn't realize TLS v1.2 was not enabled by default. I checked the Ambari issue tracker and they don't seem to have an issue for this yet, so I'm sure they would appreciate you submitting a ticket and including your patch.

Any reason why Ambari still enables SSLv2 and SSLv3 by default? Those were considered insecure 7+ years ago. Since Feb 2014, all modern browsers have supported TLSv1.2.


@Pablo Pedemonte Sorry, I misunderstood your question. I've added an answer below.