
AMBARI-7980. Create ability to disable ciphers for https connections in Ambari. (dlysnichenko)

Lisnichenko Dmitro 10 rokov pred
rodič
commit
950ed5da56

+ 1 - 0
ambari-server/conf/unix/ambari.properties

@@ -17,6 +17,7 @@
 # limitations under the License.
 
 security.server.keys_dir = /var/lib/ambari-server/keys
+#security.server.disabled.ciphers=SSL_RSA_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA
 resources.dir = /var/lib/ambari-server/resources
 shared.resources.dir = /usr/lib/ambari-server/lib/ambari_commons/resources
 custom.action.definitions = /var/lib/ambari-server/resources/custom_action_definitions
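Review bot: The commented example value lists `SSL_DHE_RSA_WITH_DES_CBC_SHA` twice (third and last entry), so anyone who uncomments it ships a duplicate; drop the trailing copy. The line also gives no hint of the format the server expects, which AmbariServer parses with a `|` splitter on this page; a one-line comment above it, `# Pipe-separated cipher suite names to exclude from the HTTPS connectors; unset or empty excludes nothing.`, would let an operator edit it without reading the Java.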

+ 10 - 0
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java

@@ -90,6 +90,7 @@ public class Configuration {
   public static final String PASSPHRASE_ENV_KEY =
       "security.server.passphrase_env_var";
   public static final String PASSPHRASE_KEY = "security.server.passphrase";
+  public static final String SRVR_DISABLED_CIPHERS = "security.server.disabled.ciphers";
   public static final String RESOURCES_DIR_KEY = "resources.dir";
   public static final String METADETA_DIR_PATH = "metadata.path";
   public static final String SERVER_VERSION_FILE = "server.version.file";
@@ -259,6 +260,7 @@ public class Configuration {
   private static final String API_CSRF_PREVENTION_DEFAULT = "true";
   private static final String SRVR_CRT_PASS_FILE_DEFAULT = "pass.txt";
   private static final String SRVR_CRT_PASS_LEN_DEFAULT = "50";
+  private static final String SRVR_DISABLED_CIPHERS_DEFAULT = "";
   private static final String PASSPHRASE_ENV_DEFAULT = "AMBARI_PASSPHRASE";
   private static final String RESOURCES_DIR_DEFAULT =
       "/var/lib/ambari-server/resources/";
@@ -362,6 +364,8 @@ public class Configuration {
         RESOURCES_DIR_KEY, RESOURCES_DIR_DEFAULT));
     configsMap.put(SRVR_CRT_PASS_LEN_KEY, properties.getProperty(
         SRVR_CRT_PASS_LEN_KEY, SRVR_CRT_PASS_LEN_DEFAULT));
+    configsMap.put(SRVR_DISABLED_CIPHERS, properties.getProperty(
+            SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
 
     configsMap.put(CLIENT_API_SSL_KSTR_DIR_NAME_KEY, properties.getProperty(
       CLIENT_API_SSL_KSTR_DIR_NAME_KEY, configsMap.get(SRVR_KSTR_DIR_KEY)));
@@ -918,6 +922,12 @@ public class Configuration {
     return defaultDir + File.separator + MASTER_KEY_FILENAME_DEFAULT;
   }
 
+  public String getSrvrDisabledCiphers() {
+    String disabledCiphers = properties.getProperty(SRVR_DISABLED_CIPHERS,
+            properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT));
+    return disabledCiphers.trim();
+  }
+
   public int getOneWayAuthPort() {
     return Integer.parseInt(properties.getProperty(SRVR_ONE_WAY_SSL_PORT_KEY, String.valueOf(SRVR_ONE_WAY_SSL_PORT_DEFAULT)));
   }
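Review bot: `getSrvrDisabledCiphers()` looks the property up twice, once as the value and once as its own default, which is redundant and reads as if two different keys were consulted; the body collapses to `return properties.getProperty(SRVR_DISABLED_CIPHERS, SRVR_DISABLED_CIPHERS_DEFAULT).trim();`. The `trim()` only strips the ends of the whole string, so whitespace around individual `|`-separated entries survives into the split done in AmbariServer; worth stating in a Javadoc on this getter that the value is a `|`-separated list of exact cipher suite names and that an empty string means nothing is excluded, so callers know the contract. The third hunk also stores the same value in configsMap, so there are now two ways to read it; one of them is probably enough.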

+ 28 - 12
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java

@@ -140,6 +140,7 @@ public class AmbariServer {
   final String CONTEXT_PATH = "/";
   final String SPRING_CONTEXT_LOCATION =
       "classpath:/webapp/WEB-INF/spring-security.xml";
+  final String DISABLED_CIPHERS_SPLITTER = "\\|";
 
   @Inject
   Configuration configs;
@@ -290,8 +291,13 @@ public class AmbariServer {
 
 
       //Secured connector for 2-way auth
+      SslContextFactory contextFactoryTwoWay = new SslContextFactory();
+      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+        contextFactoryTwoWay.setExcludeCipherSuites(masks);
+      }
       SslSelectChannelConnector sslConnectorTwoWay = new
-          SslSelectChannelConnector();
+          SslSelectChannelConnector(contextFactoryTwoWay);
       sslConnectorTwoWay.setPort(configs.getTwoWayAuthPort());
 
       Map<String, String> configsMap = configs.getConfigsMap();
@@ -308,18 +314,22 @@ public class AmbariServer {
       sslConnectorTwoWay.setNeedClientAuth(configs.getTwoWaySsl());
 
       //SSL Context Factory
-      SslContextFactory contextFactory = new SslContextFactory(true);
-      contextFactory.setKeyStorePath(keystore);
-      contextFactory.setTrustStore(keystore);
-      contextFactory.setKeyStorePassword(srvrCrtPass);
-      contextFactory.setKeyManagerPassword(srvrCrtPass);
-      contextFactory.setTrustStorePassword(srvrCrtPass);
-      contextFactory.setKeyStoreType("PKCS12");
-      contextFactory.setTrustStoreType("PKCS12");
-      contextFactory.setNeedClientAuth(false);
+      SslContextFactory contextFactoryOneWay = new SslContextFactory(true);
+      contextFactoryOneWay.setKeyStorePath(keystore);
+      contextFactoryOneWay.setTrustStore(keystore);
+      contextFactoryOneWay.setKeyStorePassword(srvrCrtPass);
+      contextFactoryOneWay.setKeyManagerPassword(srvrCrtPass);
+      contextFactoryOneWay.setTrustStorePassword(srvrCrtPass);
+      contextFactoryOneWay.setKeyStoreType("PKCS12");
+      contextFactoryOneWay.setTrustStoreType("PKCS12");
+      contextFactoryOneWay.setNeedClientAuth(false);
+      if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+        String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+        contextFactoryOneWay.setExcludeCipherSuites(masks);
+      }
 
       //Secured connector for 1-way auth
-      SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactory);
+      SslSelectChannelConnector sslConnectorOneWay = new SslSelectChannelConnector(contextFactoryOneWay);
       sslConnectorOneWay.setPort(configs.getOneWayAuthPort());
       sslConnectorOneWay.setAcceptors(2);
       sslConnectorTwoWay.setAcceptors(2);
@@ -404,7 +414,13 @@ public class AmbariServer {
 
         String httpsCrtPass = configsMap.get(Configuration.CLIENT_API_SSL_CRT_PASS_KEY);
 
-        SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector();
+        SslContextFactory contextFactoryApi = new SslContextFactory();
+        if (! configs.getSrvrDisabledCiphers().isEmpty()) {
+          String [] masks = configs.getSrvrDisabledCiphers().split(DISABLED_CIPHERS_SPLITTER);
+          contextFactoryApi.setExcludeCipherSuites(masks);
+        }
+
+        SslSelectChannelConnector sapiConnector = new SslSelectChannelConnector(contextFactoryApi);
         sapiConnector.setPort(configs.getClientSSLApiPort());
         sapiConnector.setKeystore(httpsKeystore);
         sapiConnector.setTruststore(httpsKeystore);
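Review bot: The split-and-exclude block is pasted three times (the two-way factory at the top of the second hunk, the one-way factory below it, and the API connector in the last hunk), each copy calls `configs.getSrvrDisabledCiphers()` twice, and none of them trims the individual entries, so a value such as `A | B` yields names with embedded whitespace that match no suite and the suite silently stays enabled. A single private helper that reads the property once, trims each entry and applies the result keeps the three sites to one line each, e.g. `applyDisabledCiphers(contextFactoryTwoWay);`. Whether `setExcludeCipherSuites` treats entries as exact names or patterns depends on the Jetty version in use, which the page does not show, so the `masks` naming is worth confirming against it. The enclosing method starts before and ends after these hunks.
```java
      //Secured connector for 2-way auth
      SslContextFactory contextFactoryTwoWay = new SslContextFactory();
      applyDisabledCiphers(contextFactoryTwoWay);
      // … unchanged: two-way connector setup, one-way factory and API factory, each calling applyDisabledCiphers(...) instead of the inline block …

  /**
   * Applies the cipher suites named in security.server.disabled.ciphers to the given factory.
   * Entries are separated by '|'; whitespace around an entry is ignored. Does nothing when the
   * property is unset or empty.
   */
  private void applyDisabledCiphers(SslContextFactory factory) {
    String disabled = configs.getSrvrDisabledCiphers();
    if (disabled.isEmpty()) {
      return;
    }
    String[] masks = disabled.split(DISABLED_CIPHERS_SPLITTER);
    for (int i = 0; i < masks.length; i++) {
      masks[i] = masks[i].trim();
    }
    factory.setExcludeCipherSuites(masks);
  }
```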