HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)

This commit is contained in:
Lei Xu 2017-02-27 18:12:00 -08:00
parent 1eec911cd9
commit d440ad46b5
6 changed files with 84 additions and 16 deletions


@ -394,6 +394,9 @@
<delete dir="${project.build.directory}/tomcat.exp"/>
<delete dir="${kms.tomcat.dist.dir}/webapps"/>
<mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
<delete file="${kms.tomcat.dist.dir}/conf/catalina-default.properties"/>
<copy file="${basedir}/src/main/tomcat/catalina-default.properties"
toDir="${kms.tomcat.dist.dir}/conf"/>
<delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
<copy file="${basedir}/src/main/tomcat/server.xml"
toDir="${kms.tomcat.dist.dir}/conf"/>


@ -66,6 +66,10 @@
#
# export KMS_MAX_HTTP_HEADER_SIZE=65536
# The comma separated list of encryption ciphers for SSL
#
# export KMS_SSL_CIPHERS=
# The location of the SSL keystore if using SSL
#
# export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
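Review bot: The new KMS_SSL_CIPHERS comment (lines 27-29) does not say what the server uses when the variable is left unset, so an operator reading only this file cannot tell that a built-in default applies. That default, assembled in the config script in this same commit, deliberately includes CBC and 3DES suites for old clients, which is exactly the decision someone hardening a deployment needs to see here. Suggest extending the comment: `# If unset, a default list that includes legacy CBC/3DES suites for old clients is used; set it explicitly to restrict the server to the suites you need.`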


@ -56,7 +56,10 @@ print "Setting KMS_HOME: ${KMS_HOME}"
if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
print "Sourcing: ${KMS_HOME}/bin/kms-env.sh"
source ${KMS_HOME}/bin/kms-env.sh
grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/ setting/'
if [ "${KMS_SILENT}" != "true" ]; then
grep "^ *export " "${KMS_HOME}/bin/kms-env.sh" |
sed 's/ *export/ setting/'
fi
fi
# verify that the sourced env file didn't change KMS_HOME
@ -81,7 +84,10 @@ kms_config=${KMS_CONFIG}
if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
print "Sourcing: ${KMS_CONFIG}/kms-env.sh"
source ${KMS_CONFIG}/kms-env.sh
grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/ setting/'
if [ "${KMS_SILENT}" != "true" ]; then
grep "^ *export " "${KMS_CONFIG}/kms-env.sh" |
sed 's/ *export/ setting/'
fi
fi
# verify that the sourced env file didn't change KMS_HOME
@ -171,6 +177,31 @@ else
print "Using KMS_MAX_HTTP_HEADER_SIZE: ${KMS_MAX_HTTP_HEADER_SIZE}"
fi
if [ "${KMS_SSL_CIPHERS}" = "" ]; then
export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
print "Setting KMS_SSL_CIPHERS: ${KMS_SSL_CIPHERS}"
else
print "Using KMS_SSL_CIPHERS: ${KMS_SSL_CIPHERS}"
fi
if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
print "Setting KMS_SSL_KEYSTORE_FILE: ${KMS_SSL_KEYSTORE_FILE}"
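Review bot: The default cipher list built on lines 62-80 enables TLS_*_3DES_EDE_CBC_SHA and the CBC suites with no comment explaining why, and the only trace at runtime is the `print "Setting KMS_SSL_CIPHERS: …"` line at 81, so a reader of the script cannot tell the weaker suites are intentional rather than an oversight. Because the test on line 61 is `= ""`, an operator who deliberately exports an empty KMS_SSL_CIPHERS also receives the full legacy default instead of Tomcat's own default; if that is intended it should be stated. Suggest a why-comment above the first `export`: `# Default includes CBC and 3DES suites so old SSL clients can still connect; override KMS_SSL_CIPHERS to restrict to the GCM suites when legacy clients are not needed.` The `+=` appends on lines 63-80 are bash-specific, which is fine only if this script is always run by bash, as the `[[` usage in the companion start script suggests.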


@ -59,18 +59,6 @@ CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/t
print "Using CATALINA_OPTS: ${CATALINA_OPTS_DISP}"
catalina_opts="-Dproc_kms"
catalina_opts="${catalina_opts} -Dkms.home.dir=${KMS_HOME}";
catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
catalina_opts="${catalina_opts} -Dkms.protocol=${KMS_PROTOCOL}";
catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
catalina_opts="${catalina_opts} -Dkms.accept.count=${KMS_ACCEPT_COUNT}";
catalina_opts="${catalina_opts} -Dkms.acceptor.thread.count=${KMS_ACCEPTOR_THREAD_COUNT}";
catalina_opts="${catalina_opts} -Dkms.max.http.header.size=${KMS_MAX_HTTP_HEADER_SIZE}";
catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
print "Adding to CATALINA_OPTS: ${catalina_opts}"
@ -78,6 +66,39 @@ print "Found KMS_SSL_KEYSTORE_PASS: `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/
export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
catalina_init_properties() {
cp "${CATALINA_BASE}/conf/catalina-default.properties" \
"${CATALINA_BASE}/conf/catalina.properties"
}
catalina_set_property() {
local key=$1
local value=$2
[[ -z "${value}" ]] && return
local disp_value="${3:-${value}}"
print "Setting catalina property ${key} to ${disp_value}"
echo "${key}=${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
}
if [[ "${1}" = "start" || "${1}" = "run" ]]; then
catalina_init_properties
catalina_set_property "kms.home.dir" "${KMS_HOME}"
catalina_set_property "kms.config.dir" "${KMS_CONFIG}"
catalina_set_property "kms.log.dir" "${KMS_LOG}"
catalina_set_property "kms.temp.dir" "${KMS_TEMP}"
catalina_set_property "kms.admin.port" "${KMS_ADMIN_PORT}"
catalina_set_property "kms.http.port" "${KMS_HTTP_PORT}"
catalina_set_property "kms.protocol" "${KMS_PROTOCOL}"
catalina_set_property "kms.max.threads" "${KMS_MAX_THREADS}"
catalina_set_property "kms.accept.count" "${KMS_ACCEPT_COUNT}"
catalina_set_property "kms.acceptor.thread.count" \
"${KMS_ACCEPTOR_THREAD_COUNT}"
catalina_set_property "kms.max.http.header.size" \
"${KMS_MAX_HTTP_HEADER_SIZE}"
catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
fi
# A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
#
if [ "${1}" = "stop" ]; then
@ -95,4 +116,8 @@ if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "
| sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
fi
exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
if [ "${KMS_SILENT}" != "true" ]; then
exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"
else
exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@" > /dev/null
fi
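Review bot: `catalina_init_properties` (line 111) does not check that the `cp` succeeded, so if catalina-default.properties is missing the later `catalina_set_property` calls append to whatever catalina.properties already exists — possibly a stale file from an earlier run with different values — and the server starts with silently wrong configuration; change it to `cp "${CATALINA_BASE}/conf/catalina-default.properties" "${CATALINA_BASE}/conf/catalina.properties" || exit 1`, with a `print` of the failure before exiting. In `catalina_set_property` the value is written with `echo "${key}=${value}"` (line 120) with no escaping: a value containing a backslash or a newline is misread by the Java properties parser, and `printf '%s=%s\n' "${key}" "${value}"` at least avoids echo's option and escape handling. The `disp_value` third parameter is never passed by any call in this hunk; a one-line comment stating that it exists so a masked form can be logged for secret values would explain why the function prints `disp_value` rather than `value`. The `if [ "${1}" = "stop" ]` block at the end of the hunk continues outside it.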


@ -74,6 +74,7 @@
acceptorThreadCount="${kms.acceptor.thread.count}"
maxHttpHeaderSize="${kms.max.http.header.size}"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
ciphers="${kms.ssl.ciphers}"
truststorePass="_kms_ssl_truststore_pass_"
keystoreFile="${kms.ssl.keystore.file}"
keystorePass="_kms_ssl_keystore_pass_"/>
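Review bot: The new `ciphers="${kms.ssl.ciphers}"` attribute (line 159) has no fallback when the property is absent: `catalina_set_property` in the start script returns without writing a key whose value is empty, and as far as I know Tomcat leaves an unresolved `${...}` placeholder as a literal string, so the connector would then be handed a bogus cipher name. Today this is masked because the config script always assigns a default list, but the template should not depend on that silently. Suggest recording the dependency next to the attribute: `<!-- kms.ssl.ciphers is always set by the KMS start scripts; an empty value would leave this attribute unresolved -->`.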


@ -301,7 +301,11 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
NOTE: You need to restart the KMS for the configuration changes to take effect.
NOTE: Some old SSL clients may use weak ciphers that are not supported by the KMS server. It is recommended to upgrade the SSL client.
In order to support some old SSL clients, the default encryption ciphers
include a few relatively weaker ciphers. Set environment variable
`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
comma separated list of ciphers documented in this
[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
$H4 ACLs (Access Control Lists)