ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags)

95590d23 · Shwetha GS · 648c8d8f · 95590d23 · 95590d23 · 95590d23
Commit 95590d23 authored Feb 22, 2016 by Shwetha GS
4 changed files
--- a/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
+++ b/client/src/main/java/org/apache/atlas/security/SecurityProperties.java
@@ -17,6 +17,9 @@
 */
 package org.apache.atlas.security;
+import java.util.Arrays;
+import java.util.List;
 /**
 *
 */
@@ -33,4 +36,7 @@ public interface SecurityProperties {
    String CERT_STORES_CREDENTIAL_PROVIDER_PATH = "cert.stores.credential.provider.path";
    String SSL_CLIENT_PROPERTIES = "ssl-client.xml";
    String BIND_ADDRESS = "atlas.server.bind.address";
+    String ATLAS_SSL_EXCLUDE_CIPHER_SUITES = "atlas.ssl.exclude.cipher.suites";
+    List<String> DEFAULT_CIPHER_SUITES = Arrays.asList(".*NULL.*", ".*RC4.*", ".*MD5.*",".*DES.*",".*DSS.*");
 }
--- a/docs/src/site/twiki/security.twiki
+++ b/docs/src/site/twiki/security.twiki
@@ -17,6 +17,7 @@ Both SSL one-way (server authentication) and two-way (server and client authenti
   * <code>truststore.file</code> - the path to the truststore file. This file contains the certificates of other trusted entities (e.g. the certificates for client processes if two-way SSL is enabled).  In most instances this can be set to the same value as the keystore.file property (especially if one-way SSL is enabled).
   * <code>client.auth.enabled</code> (false|true) [default: false] - enable/disable client authentication.  If enabled, the client will have to authenticate to the server during the transport session key creation process (i.e. two-way SSL is in effect).
   * <code>cert.stores.credential.provider.path</code> - the path to the Credential Provider store file.  The passwords for the keystore, truststore, and server certificate are maintained in this secure file.  Utilize the cputil script in the 'bin' directoy (see below) to populate this file with the passwords required. 
+   * <code>atlas.ssl.exclude.cipher.suites</code> - the excluded Cipher Suites list -  *NULL.*,.*RC4.*,.*MD5.*,.*DES.*,.*DSS.* are weak and unsafe Cipher Suites that are excluded by default. If additional Ciphers need to be excluded, set this property with the default Cipher Suites such as atlas.ssl.exclude.cipher.suites=.*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*, and add the additional Ciper Suites to the list with a comma separator. They can be added with their full name or a regular expression. The Cipher Suites listed in the atlas.ssl.exclude.cipher.suites property will have precedence over the default Cipher Suites. One would keep the default Cipher Suites, and add additional ones to be safe. 
 ---++++ Credential Provider Utility Script

--- a/release-log.txt
+++ b/release-log.txt
@@ -5,6 +5,7 @@ Apache Atlas Release Notes
 INCOMPATIBLE CHANGES:
 ATLAS-409 Atlas will not import avro tables with schema read from a file (dossett@gmail.com via shwethags)
 ATLAS-379 Create sqoop and falcon metadata addons (venkatnrangan,bvellanki,sowmyaramesh via shwethags)
+ATLAS-349 SSL - Atlas SSL connection has weak/unsafe Ciphers suites (ndjouhr via shwethags)
 ALL CHANGES:
 ATLAS-318 Config file conatining API endpoint + all api calls to be centralized (sanjayp via sumasai)

--- a/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
+++ b/webapp/src/main/java/org/apache/atlas/web/service/SecureEmbeddedServer.java
@@ -35,6 +35,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.IOException;
+import java.util.List;
 import static org.apache.atlas.security.SecurityProperties.CERT_STORES_CREDENTIAL_PROVIDER_PATH;
 import static org.apache.atlas.security.SecurityProperties.CLIENT_AUTH_KEY;
@@ -45,6 +46,8 @@ import static org.apache.atlas.security.SecurityProperties.KEYSTORE_PASSWORD_KEY
 import static org.apache.atlas.security.SecurityProperties.SERVER_CERT_PASSWORD_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_FILE_KEY;
 import static org.apache.atlas.security.SecurityProperties.TRUSTSTORE_PASSWORD_KEY;
+import static org.apache.atlas.security.SecurityProperties.ATLAS_SSL_EXCLUDE_CIPHER_SUITES;
+import static org.apache.atlas.security.SecurityProperties.DEFAULT_CIPHER_SUITES;
 /**
 * This is a jetty server which requires client auth via certificates.
@@ -62,14 +65,18 @@ public class SecureEmbeddedServer extends EmbeddedServer {
        SslContextFactory sslContextFactory = new SslContextFactory();
        sslContextFactory.setKeyStorePath(config.getString(KEYSTORE_FILE_KEY,
-            System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
+                System.getProperty(KEYSTORE_FILE_KEY, DEFAULT_KEYSTORE_FILE_LOCATION)));
        sslContextFactory.setKeyStorePassword(getPassword(config, KEYSTORE_PASSWORD_KEY));
        sslContextFactory.setKeyManagerPassword(getPassword(config, SERVER_CERT_PASSWORD_KEY));
        sslContextFactory.setTrustStorePath(config.getString(TRUSTSTORE_FILE_KEY,
-            System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
+                System.getProperty(TRUSTSTORE_FILE_KEY, DEFATULT_TRUSTORE_FILE_LOCATION)));
        sslContextFactory.setTrustStorePassword(getPassword(config, TRUSTSTORE_PASSWORD_KEY));
        sslContextFactory.setWantClientAuth(config.getBoolean(CLIENT_AUTH_KEY, Boolean.getBoolean(CLIENT_AUTH_KEY)));
+        List<Object> cipherList = config.getList(ATLAS_SSL_EXCLUDE_CIPHER_SUITES, DEFAULT_CIPHER_SUITES);
+        sslContextFactory.setExcludeCipherSuites(cipherList.toArray(new String[cipherList.size()]));
+        sslContextFactory.setRenegotiationAllowed(false);
        // SSL HTTP Configuration
        // HTTP Configuration
        HttpConfiguration http_config = new HttpConfiguration();