
Disabling TLSv1 & TLS1.1 - Enabling TLSv1.2

Hi guys,

A few cipher suites have been flagged as vulnerabilities. I have proceeded to disable them in the ambari.properties config file, although the result is a cluster with cut communications.

I have found this link where a member mentions he edited the source code and it was successful.

https://community.hortonworks.com/questions/6093/ambari-server-210-how-to-enable-tlsv12-for-the-por....

I need to disable TLSv1 and TLS1.1 and ENABLE TLSv1.2

Am I able to edit the source code after the software has been installed or does this need to be done before the install?

Also, I can't seem to locate where any of the source code for Ambari is. If someone could point me in the right direction it would be greatly appreciated.

17 REPLIES

Guru

Hello @L V,

To disable TLSv1 & TLS1.1 and enable TLSv1.2, you don't need to change any source code in Ambari. You can simply change the Ambari server configuration file: ambari.properties. I believe you did the same.

The reason behind losing cluster communication would be an Ambari 2.4.x bug where Ambari agents were not able to connect to Ambari server over TLSv1.2. This is fixed in Ambari 2.5.x. Please use this Ambari version and see if you can get TLSv1.2 working.

To reiterate, the required Ambari configuration change would be:

To disable specific protocols, you can optionally add a list of the following format to ambari.properties. If you specify multiple protocols, separate each protocol using a vertical bar |.
security.server.disabled.protocols=SSL|SSLv2|SSLv3

Hope this helps !

New Contributor

Hey @Vipin Rathor


I'm running Ambari 2.7.X on my cluster and I want to disable all protocols but TLSv1.2

Following your suggestion, I've added the following to ambari.properties: security.server.disabled.protocols=SSL|SSLv2|SSLv3|TLSv1.0|TLSv1.1

Yet, after restarting the server and running an SSL scanner tool, it still marks both TLSv1.0 and TLSv1.1 valid.

Could you please help?


Thanks,

Tomer

Hi @Vipin Rathor,

Apologies, I should have mentioned that I am using version 2.5.x

Kind regards,

Guru

Oh, then we should look into what happened to Ambari server - agent communication over TLSv1.2. Please have a look at this

https://issues.apache.org/jira/browse/AMBARI-18910 and https://issues.apache.org/jira/browse/AMBARI-20831

As per them, the changes should be there in Ambari 2.5.x. Once TLSv1.2 is enabled on Ambari server, please verify the same via openssl CLI like this:

openssl s_client -connect localhost:8440 -tls1_2

Regards.

Guru

Attn @L V

Hi @Vipin Rathor

Apologies for the delay, I had a look at the two above links regarding the patches. Is there a special procedure to apply those patches or am I supposed to manually edit the source code? If that is the case, I was unable to find the '/AmbariServer.java' file.

Kind regards,

LV

Guru

Hello @L V

Since you are already on Ambari v2.5.x, you do not need to edit source code. Please put Ambari server in TLSv1.2 only and then run openssl command to check. Please do share the output with us. Thanks.

Hi @Vipin Rathor,

I got the following result:

CONNECTED(00000003)
verify error:num=21:unable to verify the first certificate
verify return:1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2518 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated


Guru

Hello @L V,

The latest openssl output shows that your Ambari Server is actually working on TLSv1.2. Now please check in the Ambari agent log if there is any error while it is trying to connect to Ambari server.

Thanks.

Hi @Vipin Rathor

I looked up the bug as suggested below, although it's restricted for internal development.

For the record I have the following version of OpenSSL installed: 1.0.1e-fips

INFO 2017-08-29 17:09:51,722 security.py:93 - SSL Connect being called.. connecting to the server
ERROR 2017-08-29 17:09:51,725 Controller.py:456 - Unable to reconnect to https://xxx.xxx.xxx.xxx:8441/agent/v1/heartbeat/xxx.xxx.xxx.xxx (attempts=6, details=Request to https://xxx.xxx.xxx.xxx:8441/agent/v1/heartbeat/xxx.xxx.xxx.xxx failed due to EOF occurred in violation of protocol (_ssl.c:579))
INFO 2017-08-29 17:10:13,747 Controller.py:471 - Waiting 0.9 for next heartbeat
INFO 2017-08-29 17:10:14,648 Controller.py:478 - Wait for next heartbeat over
INFO 2017-08-29 17:10:14,651 NetUtil.py:70 - Connecting to https://xxx.xxx.xxx.xxx:8440/connection_info
ERROR 2017-08-29 17:10:14,657 NetUtil.py:96 - EOF occurred in violation of protocol (_ssl.c:579)
ERROR 2017-08-29 17:10:14,657 NetUtil.py:97 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.

Guru

Hello @L V,

Please make sure that Ambari Server is started with Oracle JDK and not any other JDK. Second, please make sure that all the Ambari agents are using Python 2.6 to start (this can be seen during the Agent restart command). There have been some known issues around this which were fixed by using the right JDK and the right Python library.

Hope this helps !

Hi @Vipin Rathor

I can confirm that Ambari Server is starting with Java Oracle:

- Java(TM) SE Runtime Environment (build 1.8.0_131-b11)

- Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

Ambari agent on the other hand is using Python 2.7.X.

My OS is RHEL7, considering it is very similar to CentOS 7. Hortonworks recommends v2.7:
https://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Installing_HDP_AMB/content/_software_req...

So should I downgrade or is the problem elsewhere?

Kind regards,

@Vipin Rathor

Turns out you need to explicitly force it in the /etc/ambari-agent/conf/ambari-agent.ini file.

Example:

[security]

force_https_protocol=PROTOCOL_TLSv1_2

https://community.hortonworks.com/questions/114808/ambari-agents-cannot-reach-ambari-server-after-ch...
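The two fixes this thread converges on, the server-side `security.server.disabled.protocols` list in ambari.properties and the agent-side `force_https_protocol=PROTOCOL_TLSv1_2` in ambari-agent.ini, folded into one added example. This is not Ambari's code and not from any poster. It probes a server one TLS version at a time, the way `openssl s_client -connect host:8440 -tls1_2` does, and resolves the ini value to the Python `ssl` constant of the same name (an assumption about how the agent consumes that setting). The disabled-protocol entries are treated as JSSE protocol names, which are spelled `TLSv1`, `TLSv1.1` and `TLSv1.2`. The function names, the assumed protocol baseline in `expected_enabled`, and the stand-in server that drops every handshake (so the example runs offline and reproduces the agent's "EOF occurred in violation of protocol" error) are all mine.

```python
"""Probe which TLS versions a server accepts and check the Ambari-side settings.
Added example, not Ambari project code."""
import socket
import ssl
import sys
import threading

# JSSE protocol names (as used in security.server.disabled.protocols) mapped to
# the ssl.TLSVersion used to pin a probe to exactly that version.
PROTOCOL_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def parse_disabled_protocols(value):
    """Split the '|'-separated ambari.properties value into a set of names."""
    return {p.strip() for p in value.split("|") if p.strip()}


def expected_enabled(disabled, supported=("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")):
    """Protocols that should stay enabled on the server. `supported` is an
    assumed baseline of what the JVM offers, not read from the JVM itself."""
    return [p for p in supported if p not in disabled]


def agent_protocol_constant(force_https_protocol):
    """Resolve the ambari-agent.ini [security] force_https_protocol value
    (e.g. 'PROTOCOL_TLSv1_2') to the ssl module constant of the same name.
    Assumption: the agent looks the name up on the ssl module this way."""
    if not force_https_protocol.startswith("PROTOCOL_"):
        raise ValueError("expected an ssl.PROTOCOL_* name, got %r" % force_https_protocol)
    const = getattr(ssl, force_https_protocol, None)
    if const is None:
        raise ValueError("this Python's ssl module has no %s" % force_https_protocol)
    return const


def probe_version(host, port, version, timeout=3.0):
    """Handshake restricted to a single TLS version, like openssl s_client -tls1_2.
    Returns 'accepted (<version>)' or 'rejected (<reason>)'. A server that drops
    the connection mid-handshake yields SSLEOFError, the same
    'EOF occurred in violation of protocol' seen in the agent log."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the cert chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted (%s)" % tls.version()
    except ssl.SSLError as e:
        return "rejected (%s)" % (e.reason or type(e).__name__)
    except OSError as e:
        return "rejected (%s)" % (e.strerror or type(e).__name__)


def probe_all(host, port):
    """Probe every version in PROTOCOL_VERSIONS; keyed by JSSE name."""
    return {name: probe_version(host, port, v) for name, v in PROTOCOL_VERSIONS.items()}


def start_rejecting_server():
    """Constructed stand-in for a server that refuses every handshake: accept the
    TCP connection, read the ClientHello, close. Returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                try:
                    conn.recv(4096)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe_tls.py <host> [port]; Ambari's agent ports are 8440/8441.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8440
    for name, result in probe_all(host, port).items():
        print("%-8s %s" % (name, result))
```

Run it against the Ambari server's 8440 and 8441 after the ambari.properties change: a correctly hardened server answers "accepted" only for TLSv1.2. On a client built against OpenSSL 3 the TLSv1 and TLSv1.1 probes may report "rejected" because the client itself will not offer them, so read the reason string, not just the verdict.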

Explorer

@Vipin Rathor I am facing the same issue of agents losing heartbeat, even though the version of ambari being used here is 2.5.0.

Please suggest.

Guru

@Neha Nirmal Have you tried using "force_https_protocol=PROTOCOL_TLSv1_2" in ambari-agent.ini?

Explorer

@Vipin Rathor

Yes, I added this property on one of the servers that had the agent file. Still, it was also not able to communicate with the ambari-server.

I am also facing the same issue after updating "force_https_protocol=PROTOCOL_TLSv1_2" in ambari-agent.ini.

Agents are not communicating with server.
