HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)

This commit is contained in:
Lei Xu 2017-02-27 18:12:00 -08:00
parent 1eec911cd9
commit d440ad46b5
6 changed files with 84 additions and 16 deletions


@ -394,6 +394,9 @@
<delete dir="${project.build.directory}/tomcat.exp"/> <delete dir="${project.build.directory}/tomcat.exp"/>
<delete dir="${kms.tomcat.dist.dir}/webapps"/> <delete dir="${kms.tomcat.dist.dir}/webapps"/>
<mkdir dir="${kms.tomcat.dist.dir}/webapps"/> <mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
<delete file="${kms.tomcat.dist.dir}/conf/catalina-default.properties"/>
<copy file="${basedir}/src/main/tomcat/catalina-default.properties"
toDir="${kms.tomcat.dist.dir}/conf"/>
<delete file="${kms.tomcat.dist.dir}/conf/server.xml"/> <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
<copy file="${basedir}/src/main/tomcat/server.xml" <copy file="${basedir}/src/main/tomcat/server.xml"
toDir="${kms.tomcat.dist.dir}/conf"/> toDir="${kms.tomcat.dist.dir}/conf"/>


@ -66,6 +66,10 @@
# #
# export KMS_MAX_HTTP_HEADER_SIZE=65536 # export KMS_MAX_HTTP_HEADER_SIZE=65536
# The comma separated list of encryption ciphers for SSL
#
# export KMS_SSL_CIPHERS=
# The location of the SSL keystore if using SSL # The location of the SSL keystore if using SSL
# #
# export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
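Review bot: The new commented-out entry at the `# export KMS_SSL_CIPHERS=` line documents the variable's format but not what happens when it is left empty, which is the state every existing deployment will be in after this change. From the config-script hunk it appears an empty value is replaced by a built-in default list that deliberately includes older suites, so the operator reading this file has no hint that leaving it unset means "legacy-compatible" rather than "Tomcat's own default". I would extend the comment to `# Leave empty to use the built-in default list (includes legacy suites for old clients);` followed by `# set an explicit list to restrict the server to the suites you need.`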


@ -56,7 +56,10 @@ print "Setting KMS_HOME: ${KMS_HOME}"
if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
print "Sourcing: ${KMS_HOME}/bin/kms-env.sh" print "Sourcing: ${KMS_HOME}/bin/kms-env.sh"
source ${KMS_HOME}/bin/kms-env.sh source ${KMS_HOME}/bin/kms-env.sh
grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/ setting/' if [ "${KMS_SILENT}" != "true" ]; then
grep "^ *export " "${KMS_HOME}/bin/kms-env.sh" |
sed 's/ *export/ setting/'
fi
fi fi
# verify that the sourced env file didn't change KMS_HOME # verify that the sourced env file didn't change KMS_HOME
@ -81,7 +84,10 @@ kms_config=${KMS_CONFIG}
if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
print "Sourcing: ${KMS_CONFIG}/kms-env.sh" print "Sourcing: ${KMS_CONFIG}/kms-env.sh"
source ${KMS_CONFIG}/kms-env.sh source ${KMS_CONFIG}/kms-env.sh
grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/ setting/' if [ "${KMS_SILENT}" != "true" ]; then
grep "^ *export " "${KMS_CONFIG}/kms-env.sh" |
sed 's/ *export/ setting/'
fi
fi fi
# verify that the sourced env file didn't change KMS_HOME # verify that the sourced env file didn't change KMS_HOME
@ -171,6 +177,31 @@ else
print "Using KMS_MAX_HTTP_HEADER_SIZE: ${KMS_MAX_HTTP_HEADER_SIZE}" print "Using KMS_MAX_HTTP_HEADER_SIZE: ${KMS_MAX_HTTP_HEADER_SIZE}"
fi fi
if [ "${KMS_SSL_CIPHERS}" = "" ]; then
export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
print "Setting KMS_SSL_CIPHERS: ${KMS_SSL_CIPHERS}"
else
print "Using KMS_SSL_CIPHERS: ${KMS_SSL_CIPHERS}"
fi
if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
print "Setting KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}" print "Setting KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
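Review bot: The default list built at the `export KMS_SSL_CIPHERS=` line and the `KMS_SSL_CIPHERS+=` lines that follow mixes ECDHE/GCM suites with `TLS_*_WITH_3DES_EDE_CBC_SHA` and static-RSA `TLS_RSA_*` entries that give no forward secrecy, and nothing in the script records that those entries exist only for old clients, so a later maintainer has no cue about which ones are safe to drop. A comment above the first assignment would capture the intent: `# The 3DES and TLS_RSA_* suites below are present only for old SSL clients; operators who do not need them should set KMS_SSL_CIPHERS to a shorter explicit list.` Because the default is applied only when the variable is empty, an operator wanting a stricter configuration must restate the entire list rather than remove a few entries, which is worth saying in the same comment. Separately, `+=` on a scalar is a bash extension; that is fine if this script is always run under bash, which the `[ ]`-style tests in these hunks do not by themselves establish.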


@ -59,18 +59,6 @@ CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/t
print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}" print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}"
catalina_opts="-Dproc_kms" catalina_opts="-Dproc_kms"
catalina_opts="${catalina_opts} -Dkms.home.dir=${KMS_HOME}";
catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
catalina_opts="${catalina_opts} -Dkms.protocol=${KMS_PROTOCOL}";
catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
catalina_opts="${catalina_opts} -Dkms.accept.count=${KMS_ACCEPT_COUNT}";
catalina_opts="${catalina_opts} -Dkms.acceptor.thread.count=${KMS_ACCEPTOR_THREAD_COUNT}";
catalina_opts="${catalina_opts} -Dkms.max.http.header.size=${KMS_MAX_HTTP_HEADER_SIZE}";
catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}"; catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
print "Adding to CATALINA_OPTS: ${catalina_opts}" print "Adding to CATALINA_OPTS: ${catalina_opts}"
@ -78,6 +66,39 @@ print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/
export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}" export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
catalina_init_properties() {
cp "${CATALINA_BASE}/conf/catalina-default.properties" \
"${CATALINA_BASE}/conf/catalina.properties"
}
catalina_set_property() {
local key=$1
local value=$2
[[ -z "${value}" ]] && return
local disp_value="${3:-${value}}"
print "Setting catalina property ${key} to ${disp_value}"
echo "${key}=${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
}
if [[ "${1}" = "start" || "${1}" = "run" ]]; then
catalina_init_properties
catalina_set_property "kms.home.dir" "${KMS_HOME}"
catalina_set_property "kms.config.dir" "${KMS_CONFIG}"
catalina_set_property "kms.log.dir" "${KMS_LOG}"
catalina_set_property "kms.temp.dir" "${KMS_TEMP}"
catalina_set_property "kms.admin.port" "${KMS_ADMIN_PORT}"
catalina_set_property "kms.http.port" "${KMS_HTTP_PORT}"
catalina_set_property "kms.protocol" "${KMS_PROTOCOL}"
catalina_set_property "kms.max.threads" "${KMS_MAX_THREADS}"
catalina_set_property "kms.accept.count" "${KMS_ACCEPT_COUNT}"
catalina_set_property "kms.acceptor.thread.count" \
"${KMS_ACCEPTOR_THREAD_COUNT}"
catalina_set_property "kms.max.http.header.size" \
"${KMS_MAX_HTTP_HEADER_SIZE}"
catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
fi
# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
# #
if [ "${1}" = "stop" ]; then if [ "${1}" = "stop" ]; then
@ -95,4 +116,8 @@ if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "
| sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml | sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
fi fi
exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@" if [ "${KMS_SILENT}" != "true" ]; then
exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"
else
exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@" > /dev/null
fi
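Review bot: `catalina_set_property` appends `${key}=${value}` to catalina.properties with a bare `echo`, so a value containing a backslash, a newline, or a leading `:`/`=` would be mangled or silently split by the properties parser; `printf '%s=%s\n' "${key}" "${value}" >> "${CATALINA_BASE}/conf/catalina.properties"` at least removes the `echo` option/escape ambiguity, and the comment `# values are written unescaped; callers must not pass newlines or backslashes` should sit above the function. The `cp` in `catalina_init_properties` is unchecked, so if it fails the subsequent appends land on whatever stale catalina.properties already exists and duplicate keys accumulate across restarts; `cp "${CATALINA_BASE}/conf/catalina-default.properties" "${CATALINA_BASE}/conf/catalina.properties" || exit 1` keeps the failure visible. The `disp_value` third parameter is unused by every caller in this hunk, which is acceptable since none of the properties written here is a secret (the keystore and truststore passwords still go through the sed substitution into ssl-server.xml), but a one-line comment saying so would stop someone from later routing a password through this function without the masking argument.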


@ -74,6 +74,7 @@
acceptorThreadCount="${kms.acceptor.thread.count}" acceptorThreadCount="${kms.acceptor.thread.count}"
maxHttpHeaderSize="${kms.max.http.header.size}" maxHttpHeaderSize="${kms.max.http.header.size}"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
ciphers="${kms.ssl.ciphers}"
truststorePass="_kms_ssl_truststore_pass_" truststorePass="_kms_ssl_truststore_pass_"
keystoreFile="${kms.ssl.keystore.file}" keystoreFile="${kms.ssl.keystore.file}"
keystorePass="_kms_ssl_keystore_pass_"/> keystorePass="_kms_ssl_keystore_pass_"/>
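Review bot: The new `ciphers="${kms.ssl.ciphers}"` attribute makes the suite list configurable, but the adjacent context line still hard-codes `sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"`, so an operator who sets a strict cipher list still cannot turn off TLSv1/TLSv1.1 or the SSLv2Hello compatibility handshake without editing the shipped server.xml. Since the commit already establishes a path for this (a `kms.*` catalina property populated from an environment variable via `catalina_set_property`), a companion property for the protocol list would be a small follow-up and would make the "old client" compatibility a deliberate choice in one place rather than split between a configurable cipher list and a fixed protocol list. I would at least add an XML comment above the connector noting that the protocol list is intentionally broad for legacy clients and must be narrowed by hand.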


@ -301,7 +301,11 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
NOTE: You need to restart the KMS for the configuration changes to take effect. NOTE: You need to restart the KMS for the configuration changes to take effect.
NOTE: Some old SSL clients may use weak ciphers that are not supported by the KMS server. It is recommended to upgrade the SSL client. In order to support some old SSL clients, the default encryption ciphers
include a few relatively weaker ciphers. Set environment variable
`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
comma separated list of ciphers documented in this
[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
$H4 ACLs (Access Control Lists) $H4 ACLs (Access Control Lists)