How to disable specific SSL ciphers in the MapR Control System (MCS) and included Hadoop webservers

Document created by jbubier Employee on Feb 7, 2016

Author: Jonathan Bubier

 

Original Publication Date: November 10, 2014

 

The MapR Control System uses HTTPS for secure transport between the webserver host and a client connecting via a browser or the REST API.  Due to known weaknesses the following SSL ciphers are excluded by default and cannot be used by a client to communicate securely with the MapR webserver.  Note the NSS naming convention is provided first and the OpenSSL naming convention is provided in parentheses. 

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (EXP-EDH-RSA-DES-CBC-SHA) 
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA (EXP-DES-CBC-SHA)
SSL_RSA_EXPORT_WITH_RC4_40_MD5 (EXP-RC4-MD5)

If additional ciphers need to be blocked, either because of a restrictive internal security policy or because of newly discovered vulnerabilities (e.g. the POODLE vulnerability in SSLv3), they can be added to the MapR configuration. The configuration file in which the added ciphers are specified differs based on the MapR version.

 

For MapR v3.0.x and earlier
The list of excluded ciphers is located in /opt/mapr/conf/web.conf on each node with the webserver role installed.  Ex:

# cat /opt/mapr/conf/web.conf 
web.host=0.0.0.0
mapr.headerbuffer.size=16384
mapr.webui.timeout=1800
# HTTPS Settings
mapr.webui.https.port=8443
mapr.webui.https.keystorepath=/opt/mapr/adminuiapp/webapp/WEB-INF/ssl_keystore
mapr.webui.https.keystorepassword=mapr123
mapr.webui.https.excludeciphers=SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5
# PAM settings. The following profiles in /etc/pam.d (or the PAM directory
# of the distribution) will be probed for user authentication, in the profiles specified
mapr.webui.auth.pam.profiles=mapr-admin,sudo,sshd


1. To add a new cipher to the list use the NSS naming convention and append to the 'mapr.webui.https.excludeciphers' line.  The following reference can be used to translate the OpenSSL cipher name to the NSS name: https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table.  Note that the entries are comma separated on this line in /opt/mapr/conf/web.conf. 

 

2. Once web.conf is updated on the webserver node(s) restart the webserver service using the following:

# maprcli node services [csvc==webserver] -webserver restart

This will restart the webserver service on all nodes with the webserver role installed. 

3. After the restart verify the added cipher is present in /opt/mapr/logs/adminuiapp.log in the excluded ciphers list.  Ex:

 

2014-11-04 12:02:13,425 INFO  com.mapr.adminuiapp.CommandServer [main]: Initializing Web Server
2014-11-04 12:02:13,515 INFO  com.mapr.adminuiapp.CommandServer [main]: MapR BuildVersion: null
2014-11-04 12:02:13,515 INFO  com.mapr.adminuiapp.CommandServer [main]: Loading properties file : /opt/mapr/conf/web.conf
2014-11-04 12:02:13,816 INFO  org.mortbay.log [main]: Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
2014-11-04 12:02:13,921 INFO  org.mortbay.log [main]: jetty-6.1.26
2014-11-04 12:02:14,581 WARN  com.mapr.adminuiapp.common.HttpListener [main]: Failed to start http. One or more parameters missing in configuration: web.host, mapr.webui.http.port
2014-11-04 12:02:14,608 INFO  com.mapr.adminuiapp.common.HttpsListener [main]: Excluded ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2014-11-04 12:02:14,995 INFO  org.mortbay.log [main]: Started SslSocketConnector@0.0.0.0:8443

 

In the above example SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA was added to /opt/mapr/conf/web.conf and it can be seen after a restart in /opt/mapr/logs/adminuiapp.log.

 

4. Verify that the newly added cipher can no longer be used when connecting to the MapR webserver.  Ex:

 

# openssl s_client -cipher EDH-RSA-DES-CBC3-SHA -connect <hostname>:8443 -ssl3
CONNECTED(00000003)
139705758512968:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1193:SSL alert number 40
139705758512968:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:590:


In the above, replace <hostname> with the hostname of one of the nodes running the MCS in the cluster. Note that EDH-RSA-DES-CBC3-SHA is the OpenSSL name for SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, the cipher newly added to the excluded list. The handshake failure in the output indicates that the specified cipher can no longer be used to secure communication with the webserver. To confirm that the failure is caused by the cipher exclusion and not by the server refusing the protocol version requested with -ssl3, repeat the same command with a cipher that is not on the excluded list; that connection should succeed.
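The following is an added example, not part of the original article and not MapR code: it performs steps 1 and 3 of the v3.0.x procedure in Python, appending a cipher to the mapr.webui.https.excludeciphers line of web.conf (rejecting OpenSSL-style names, which the webserver would not recognise) and then checking the "Excluded ciphers" line that HttpsListener writes to adminuiapp.log after the restart. The web.conf and log contents are constructed samples, and the function names are assumptions.

```python
import re

# Constructed sample of /opt/mapr/conf/web.conf (shortened; not a real node's file)
SAMPLE_WEB_CONF = """web.host=0.0.0.0
mapr.webui.https.port=8443
mapr.webui.https.excludeciphers=SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5
mapr.webui.auth.pam.profiles=mapr-admin,sudo,sshd
"""

# Constructed adminuiapp.log excerpt in the format shown in the article
SAMPLE_LOG = """2014-11-04 12:02:14,608 INFO  com.mapr.adminuiapp.common.HttpsListener [main]: Excluded ciphers: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2014-11-04 12:02:14,995 INFO  org.mortbay.log [main]: Started SslSocketConnector@0.0.0.0:8443
"""

KEY = "mapr.webui.https.excludeciphers"
NSS_NAME = re.compile(r"^(SSL|TLS)_[A-Z0-9_]+$")   # NSS form, e.g. SSL_RSA_WITH_RC4_128_MD5

def add_excluded_cipher(conf_text, cipher):
    """Return conf_text with `cipher` appended to the excludeciphers list.
    Rejects OpenSSL-style names (EDH-RSA-...) because web.conf expects NSS
    names; leaves the file unchanged if the cipher is already listed."""
    if not NSS_NAME.match(cipher):
        raise ValueError("not an NSS cipher name: " + cipher)
    out, found = [], False
    for line in conf_text.splitlines():
        if line.startswith(KEY + "="):
            found = True
            ciphers = [c for c in line[len(KEY) + 1:].split(",") if c]
            if cipher not in ciphers:
                ciphers.append(cipher)
            line = KEY + "=" + ",".join(ciphers)
        out.append(line)
    if not found:                       # property absent: add it at the end
        out.append(KEY + "=" + cipher)
    return "\n".join(out) + "\n"

def excluded_ciphers_from_log(log_text):
    """Parse the 'Excluded ciphers:' line HttpsListener writes at startup."""
    m = re.search(r"Excluded ciphers: (\S+)", log_text)
    return set(m.group(1).split(",")) if m else set()

def verify_excluded(cipher, log_text):
    """True if the restarted webserver reports `cipher` as excluded."""
    return cipher in excluded_ciphers_from_log(log_text)

if __name__ == "__main__":
    print(add_excluded_cipher(SAMPLE_WEB_CONF, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"))
    print(verify_excluded("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", SAMPLE_LOG))
```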

 

For MapR v3.1 and later
In MapR v3.1 and later the excluded ciphers configuration for the MCS is no longer in /opt/mapr/conf/web.conf. Because all webservers (MCS/JobTracker/TaskTracker/CLDB) support HTTPS in MapR v3.1 and above, this configuration is no longer unique to the MapR webserver and will affect all webservers in MapR.

 

1. To modify the configuration for all webservers place the following property in /opt/mapr/hadoop/hadoop-0.20.2/conf/core-site.xml:

 

<property>
  <name>hadoop.ssl.exclude.cipher.suites</name>
  <value>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5</value>
</property>

 

2. To add a new cipher to the list use the NSS naming convention and append to the 'hadoop.ssl.exclude.cipher.suites' line.  The following reference can be used to translate the OpenSSL cipher name to the NSS name: https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table.  Note that the entries are comma separated on this line in /opt/mapr/hadoop/hadoop-0.20.2/conf/core-site.xml. 

 

3. Repeat steps 2-4 above under the "For MapR v3.0.x and earlier" section to restart the webserver, verify the change has been picked up in /opt/mapr/logs/adminuiapp.log, and verify the change is effective using the openssl command line.
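As an added example for the v3.1-and-later procedure (not part of the original article and not MapR or Hadoop code), the following Python adds a cipher to the hadoop.ssl.exclude.cipher.suites property in core-site.xml, creating the property if the file does not yet contain it and never listing a cipher twice. The core-site.xml content is a constructed sample containing only the property from this article, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

PROP = "hadoop.ssl.exclude.cipher.suites"

# Constructed core-site.xml (not a real cluster's file); the value is the
# default excluded list given in the article.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hadoop.ssl.exclude.cipher.suites</name>
    <value>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5</value>
  </property>
</configuration>
"""

def _find_property(root, name):
    """Locate the <property> whose <name> is `name` (None if absent)."""
    for prop in root.findall("property"):
        n = prop.find("name")
        if n is not None and (n.text or "").strip() == name:
            return prop
    return None

def _split(value_text):
    """Split a Hadoop comma-separated value, dropping blanks and whitespace."""
    return [c.strip() for c in (value_text or "").split(",") if c.strip()]

def excluded_suites(xml_text):
    """Cipher suites currently listed in hadoop.ssl.exclude.cipher.suites."""
    prop = _find_property(ET.fromstring(xml_text), PROP)
    return _split(prop.find("value").text) if prop is not None else []

def add_excluded_suite(xml_text, cipher):
    """Return xml_text with `cipher` (NSS name) added to the property,
    creating the <property> if core-site.xml does not have it yet.
    Idempotent: a cipher already in the list is not added twice."""
    root = ET.fromstring(xml_text)
    prop = _find_property(root, PROP)
    if prop is None:
        prop = ET.SubElement(root, "property")
        ET.SubElement(prop, "name").text = PROP
        ET.SubElement(prop, "value").text = ""
    value = prop.find("value")
    suites = _split(value.text)
    if cipher not in suites:
        suites.append(cipher)
    value.text = ",".join(suites)
    # tostring() drops the XML declaration; put it back for Hadoop's loader
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(add_excluded_suite(SAMPLE_CORE_SITE, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"))
```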

 

Note that due to a known issue in MapR v4.0.1 the configuration of hadoop.ssl.exclude.cipher.suites is not honored and cannot be used to add excluded ciphers.  This issue will be addressed in the MapR v4.0.2 release.  The reference number for this issue is 15822.  This issue does not affect any earlier MapR releases. 
