Support Questions
Find answers, ask questions, and share your expertise

Unable to disable ciphers for Ambari - Possible bug?

Unable to disable ciphers for Ambari - Possible bug?

Hi guys,

- Ambari 2.5.X, RHEL7

I'm attempting to disable the cipher: RSA_WITH_3DES_EDE_CBC_SHA

I have added it to the ambari.properties file as both:

RSA_WITH_3DES_EDE_CBC_SHA

and

TLS_RSA_WITH_3DES_EDE_CBC_SHA

(They are separated by the '|' symbol)

Although every time I run TestSSLServer2 on Ambari port..the ciphers show up. I have also added these ciphers to the servers java.security file with no luck.

Am I missing something?

3 REPLIES 3

Re: Unable to disable ciphers for Ambari - Possible bug?

@L V

In general to disable certain ciphers for Ambari UI, do the following:

1. Locate the strings for the ciphers you wish to disable in the following list:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
2. Edit the ambari.properties file and add them as follows, separating the cipher strings with vertical pipes:
security.server.disabled.ciphers=CIPHER1|CIPHER2
3. Restart Ambari server
4. Rescan and verify the results

Also, the ciphers TLS_RSA_WITH_3DES_EDE_CBC_SHA disabled with SSL_RSA_WITH_3DES_EDE_CBC_SHA breaks Ambari Metrics and Firefox access to the Ambari UI, so it is best not to disable "TLS_RSA_WITH_3DES_EDE_CBC_SHA".

Re: Unable to disable ciphers for Ambari - Possible bug?

Hi @Sindhu,

The cipher I want to disable (RSA_WITH_3DES_EDE_CBC_SHA) falls under the TLSv1.2 cipher suite.

Is RSA_WITH_3DES_EDE_CBC_SHA and SSL_RSA_WITH_3DES_EDE_CBC_SHA the same cipher?

Re: Unable to disable ciphers for Ambari - Possible bug?

@L V

Seems like there are one and the same. Refer below link for list of ciphers:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html