備考:https://issues.apache.org/jira/browse/AMBARI-18910 のためAmbari2.4.2以前のバージョンではできないと思われる。
1)まずAmbariのSSLを有効にする
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/set_up_ssl_for_ambari.html
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_set_up_truststore_for_ambari_server.html
設定用のスクリプトをダウンロード
[root@sandbox ~]# curl https://raw.githubusercontent.com/hajimeo/samples/master/bash/start_hdp.sh -O
[root@sandbox ~]# source ./start_hdp.sh
証明書を作成
[root@sandbox ~]# cd /etc/ambari-server/conf
[root@sandbox conf]# f_ssl_self_signed_cert "/C=AU/ST=QLD/O=Hortonworks/CN=sandbox.hortonworks.com" "server"
[root@sandbox conf]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)?
SSL port [8443] ? 8080 # NOTE: Sandboxの場合はKnoxとポートがかぶるので注意
Enter path to Certificate: /etc/ambari-server/conf/srever.crt
Enter path to Private Key: /etc/ambari-server/conf/srever.key
Please enter password for Private Key:
WARNING: Common Name in Certificate: sandbox.hortonworks.com does not match the server FQDN: ho-ubu03.openstacklocal
WARNING: Unable to validate Certificate hostname
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
[root@sandbox conf]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file :/etc/ambari-server/conf/ambari-srever.jks
Password for TrustStore: (changeit)
Re-enter password: (changeit)
Ambari Server 'setup-security' completed successfully.
[root@sandbox conf]# keytool -import -file ./server.crt -alias ambari-server -noprompt -storepass changeit -keypass hadoop -keystore /etc/ambari-server/conf/ambari-srever.jks
[root@sandbox conf]# ambari-server restart
2)ambari.propertiesを編集して、またrestart
security.server.disabled.protocols=TLSv1.1|SSLv2Hello|SSLv3
https://issues.apache.org/jira/browse/AMBARI-17666 のため、TLSv1はdisableしない
TODO: security.server.disabled.ciphersは?
3)確認する:
root@ho-ubu03:~# ./test_ciphers.sh sandbox.hortonworks.com 8080 2>/dev/null
Obtaining cipher list from sandbox.hortonworks.com:8080 with OpenSSL 1.0.1f 6 Jan 2014.
ECDHE-RSA-AES256-GCM-SHA384 YES
ECDHE-RSA-AES256-SHA384 YES
ECDHE-RSA-AES256-SHA YES
DHE-RSA-AES256-GCM-SHA384 YES
DHE-RSA-AES256-SHA256 YES
DHE-RSA-AES256-SHA YES
AES256-GCM-SHA384 YES
AES256-SHA256 YES
AES256-SHA YES
ECDHE-RSA-DES-CBC3-SHA YES
EDH-RSA-DES-CBC3-SHA YES
DES-CBC3-SHA YES
ECDHE-RSA-AES128-GCM-SHA256 YES
ECDHE-RSA-AES128-SHA256 YES
ECDHE-RSA-AES128-SHA YES
DHE-RSA-AES128-GCM-SHA256 YES
DHE-RSA-AES128-SHA256 YES
DHE-RSA-AES128-SHA YES
AES128-GCM-SHA256 YES
AES128-SHA256 YES
AES128-SHA YES
root@ho-ubu03:~# echo -n | openssl s_client -connect sandbox.hortonworks.com:8080 -tls1_2
参考1:設定可能な値
factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
参考2:TLSv1.2のCipherリストを表示には
[root@sandbox ~]# openssl ciphers -v | grep TLSv1.2 | wc -l
28
参考3:AmbariのJetty: /usr/lib/ambari-server/jetty-server-8.1.19.v20160209.jar
参考4:https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html
TLS v1.2: The protocol which should be used wherever possible. All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8.
でも、ambari.propertiesのjava.homeを変更すると他のサービスのJAVA_HOMEも変わってしまう。
そこで、/usr/sbin/ambari_server_main.pyの"java_exe = get_java_exe_path()"(280行目あたり)を変更すると、どうやらJavaの実行ファイルを指定できる模様。
参考5:JVMが使えるCipherを表示する
https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
[root@sandbox ~]# wget https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java
[root@sandbox ~]# grep 'java.home' /etc/ambari-server/conf/ambari.properties
java.home=/usr/jdk64/jdk1.7.0_67
[root@sandbox ~]# /usr/jdk64/jdk1.7.0_67/bin/javac Ciphers.java
[root@sandbox ~]# /usr/jdk64/jdk1.7.0_67/bin/java Ciphers > jdk1.7_ciphers.out
TODO: 別の手段?
grep jdk.tls.disabledAlgorithms /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el6_8.x86_64/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
1)まずAmbariのSSLを有効にする
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/set_up_ssl_for_ambari.html
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_set_up_truststore_for_ambari_server.html
設定用のスクリプトをダウンロード
[root@sandbox ~]# curl https://raw.githubusercontent.com/hajimeo/samples/master/bash/start_hdp.sh -O
[root@sandbox ~]# source ./start_hdp.sh
証明書を作成
[root@sandbox ~]# cd /etc/ambari-server/conf
[root@sandbox conf]# f_ssl_self_signed_cert "/C=AU/ST=QLD/O=Hortonworks/CN=sandbox.hortonworks.com" "server"
[root@sandbox conf]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 1
Do you want to configure HTTPS [y/n] (y)?
SSL port [8443] ? 8080 # NOTE: Sandboxの場合はKnoxとポートがかぶるので注意
Enter path to Certificate: /etc/ambari-server/conf/srever.crt
Enter path to Private Key: /etc/ambari-server/conf/srever.key
Please enter password for Private Key:
WARNING: Common Name in Certificate: sandbox.hortonworks.com does not match the server FQDN: ho-ubu03.openstacklocal
WARNING: Unable to validate Certificate hostname
Importing and saving Certificate...done.
Ambari server URL changed. To make use of the Tez View in Ambari please update the property tez.tez-ui.history-url.base in tez-site
Adjusting ambari-server permissions and ownership...
[root@sandbox conf]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):jks
Path to TrustStore file :/etc/ambari-server/conf/ambari-srever.jks
Password for TrustStore: (changeit)
Re-enter password: (changeit)
Ambari Server 'setup-security' completed successfully.
[root@sandbox conf]# keytool -import -file ./server.crt -alias ambari-server -noprompt -storepass changeit -keypass hadoop -keystore /etc/ambari-server/conf/ambari-srever.jks
[root@sandbox conf]# ambari-server restart
この時点でAmbariにSSL(HTTPS)でアクセスできるか確認
2)ambari.propertiesを編集して、またrestart
security.server.disabled.protocols=TLSv1.1|SSLv2Hello|SSLv3
https://issues.apache.org/jira/browse/AMBARI-17666 のため、TLSv1はdisableしない
TODO: security.server.disabled.ciphersは?
root@ho-ubu03:~# ./test_ciphers.sh sandbox.hortonworks.com 8080 2>/dev/null
Obtaining cipher list from sandbox.hortonworks.com:8080 with OpenSSL 1.0.1f 6 Jan 2014.
ECDHE-RSA-AES256-GCM-SHA384 YES
ECDHE-RSA-AES256-SHA384 YES
ECDHE-RSA-AES256-SHA YES
DHE-RSA-AES256-GCM-SHA384 YES
DHE-RSA-AES256-SHA256 YES
DHE-RSA-AES256-SHA YES
AES256-GCM-SHA384 YES
AES256-SHA256 YES
AES256-SHA YES
ECDHE-RSA-DES-CBC3-SHA YES
EDH-RSA-DES-CBC3-SHA YES
DES-CBC3-SHA YES
ECDHE-RSA-AES128-GCM-SHA256 YES
ECDHE-RSA-AES128-SHA256 YES
ECDHE-RSA-AES128-SHA YES
DHE-RSA-AES128-GCM-SHA256 YES
DHE-RSA-AES128-SHA256 YES
DHE-RSA-AES128-SHA YES
AES128-GCM-SHA256 YES
AES128-SHA256 YES
AES128-SHA YES
root@ho-ubu03:~# echo -n | openssl s_client -connect sandbox.hortonworks.com:8080 -tls1_2
参考1:設定可能な値
factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
参考2:TLSv1.2のCipherリストを表示には
[root@sandbox ~]# openssl ciphers -v | grep TLSv1.2 | wc -l
28
参考3:AmbariのJetty: /usr/lib/ambari-server/jetty-server-8.1.19.v20160209.jar
参考4:https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html
TLS v1.2: The protocol which should be used wherever possible. All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8.
でも、ambari.propertiesのjava.homeを変更すると他のサービスのJAVA_HOMEも変わってしまう。
そこで、/usr/sbin/ambari_server_main.pyの"java_exe = get_java_exe_path()"(280行目あたり)を変更すると、どうやらJavaの実行ファイルを指定できる模様。
参考5:JVMが使えるCipherを表示する
https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
[root@sandbox ~]# wget https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java
[root@sandbox ~]# grep 'java.home' /etc/ambari-server/conf/ambari.properties
java.home=/usr/jdk64/jdk1.7.0_67
[root@sandbox ~]# /usr/jdk64/jdk1.7.0_67/bin/javac Ciphers.java
[root@sandbox ~]# /usr/jdk64/jdk1.7.0_67/bin/java Ciphers > jdk1.7_ciphers.out
TODO: 別の手段?
grep jdk.tls.disabledAlgorithms /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el6_8.x86_64/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
0 件のコメント:
コメントを投稿