Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Keystore password in clear in /etc/default/cloudera-scm-server

Labels:
avatar
author-rank hamed2005
Explorer

Created ‎01-24-2018 08:58 AM

I successfully configured LDAPS authentication for Cloudera Manager by following the documentation (https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_external_auth.html)

 

The certificate for the LDAP server is stored in a custom JKS file (protected by password) and based on the documentation, the path and password to that JKS file, could be provided in the /etc/default/cloudera-scm-server config file, as:

export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError / -XX:HeapDumpPath=/tmp -Djavax.net.ssl.trustStore=/usr/java/default/jre/lib/security/jssecacerts / -Djavax.net.ssl.trustStorePassword=changeit"

Everything works fine, however, the password is in clear text and the file is world readable.

 

-Is there a standard way to obfuscate/encrypt the password in the config file?
-Is it ok to set the permissions to 640?

7,982 Views
0 Kudos
7 REPLIES 7

avatar
author-rank bgooley author-rank
Master Guru

Created ‎01-24-2018 09:09 AM

@hamed2005,

 

The password should not be necessary since the keystore is only being used as a trust store (needing only read access).  Cloudera Manager would only need to read from the file.

 

Try removing -Djavax.net.ssl.trustStorePassword=changeit and then restart Cloudera Manager.   If that works fine for you, I'll work with the Cloudera documentation team to get our documentation updated to remove the password.

 

-Ben

 

 

7,978 Views

avatar
author-rank hamed2005
Explorer

Created on ‎01-25-2018 12:49 AM - edited ‎01-25-2018 01:14 AM

Hi @bgooley

 

Thanks for your reply.

 

The password is necessary to avoid malicious users to modify the truststore's contents (e.g. adding new certificates) and also is needed to check the integrity of the store's contents.

 

 

Removing the -Djavax.net.ssl.trustStorePassword=changeit causes the following exception:

 

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(ExportControlled.java:428)
        ... 23 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
        ... 28 more

 

 -Hamed

7,946 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎01-24-2018 09:12 AM

Also, for permissions, the file needs to be readable by any users accessing it.

It is not a sensitive file since it does not contain private key material.  The role of the "trust store" is to allow clients to be able to define server certificates as "trusted" so the intent of the jssecacerts file is to only contain certificates of certificate authorities that are trusted.

7,977 Views
0 Kudos

avatar
author-rank hamed2005
Explorer

Created on ‎01-25-2018 01:12 AM - edited ‎01-25-2018 01:14 AM

@bgooley
Regarding permissions, I meant the permissions for the /etc/default/cloudera-scm-server and not the JKS truststore file.

 

-Hamed

7,944 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎01-31-2018 01:52 PM

@hamed2005,

 

The password on the file does not matter for read operations.  My point was that Cloudera Manager does not need to know the password of the truststore to access what it needs.

 

I tested on CM 5.13.1 with the following in /etc/default/cloudera-scm-server and was able to auth to LDAPS fine:

 

export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_60/jre/lib/security/jssecacerts"

 

What does your "export" line look like?

 

 

7,900 Views
0 Kudos

avatar
author-rank hamed2005
Explorer

Created ‎02-01-2018 01:20 AM

@bgooley,
Thanks for your reply.

This setting causes the error I mentioned:

export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Djavax.net.ssl.trustStore=/opt/cloudera/security/pki/truststore.jks"

 

And this works:

export CMF_JAVA_OPTS="-Xmx2G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Djavax.net.ssl.trustStore=/opt/cloudera/security/pki/truststore.jks -Djavax.net.ssl.trustStorePassword=<PASSWORD REMOVED>"

 

7,890 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎02-01-2018 11:30 AM

@hamed2005,

 

I looked more closely at the exception and now think I understand...

 

com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(ExportControlled.java:428)

 

It seems that the MySQL JDBC driver may require a password.  I was testing in an environment where I wasn't using TLS for my db connection, so it didn't matter.

 

Not sure how to get around this... I'll let you know if I come up with something

 

7,880 Views
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements