HADOOP-14083. KMS should support old SSL clients. (John Zhuge via Lei Xu)

hadoop-common-project/hadoop-kms/pom.xml

@@ -394,6 +394,9 @@
                     <delete dir="${project.build.directory}/tomcat.exp"/>
                     <delete dir="${kms.tomcat.dist.dir}/webapps"/>
                     <mkdir dir="${kms.tomcat.dist.dir}/webapps"/>
+                    <delete file="${kms.tomcat.dist.dir}/conf/catalina-default.properties"/>
+                    <copy file="${basedir}/src/main/tomcat/catalina-default.properties"
+                          toDir="${kms.tomcat.dist.dir}/conf"/>
                     <delete file="${kms.tomcat.dist.dir}/conf/server.xml"/>
                     <copy file="${basedir}/src/main/tomcat/server.xml"
                           toDir="${kms.tomcat.dist.dir}/conf"/>

hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh

@@ -66,6 +66,10 @@
 #
 # export KMS_MAX_HTTP_HEADER_SIZE=65536
 
+# The comma separated list of encryption ciphers for SSL
+#
+# export KMS_SSL_CIPHERS=
+
 # The location of the SSL keystore if using SSL
 #
 # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore

hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh

@@ -56,7 +56,10 @@ print "Setting KMS_HOME:          ${KMS_HOME}"
 if [ -e "${KMS_HOME}/bin/kms-env.sh" ]; then
   print "Sourcing:                    ${KMS_HOME}/bin/kms-env.sh"
   source ${KMS_HOME}/bin/kms-env.sh
-  grep "^ *export " ${KMS_HOME}/bin/kms-env.sh | sed 's/ *export/  setting/'
+  if [ "${KMS_SILENT}" != "true" ]; then
+    grep "^ *export " "${KMS_HOME}/bin/kms-env.sh" |
+      sed 's/ *export/  setting/'
+  fi
 fi
 
 # verify that the sourced env file didn't change KMS_HOME
@@ -81,7 +84,10 @@ kms_config=${KMS_CONFIG}
 if [ -e "${KMS_CONFIG}/kms-env.sh" ]; then
   print "Sourcing:                    ${KMS_CONFIG}/kms-env.sh"
   source ${KMS_CONFIG}/kms-env.sh
-  grep "^ *export " ${KMS_CONFIG}/kms-env.sh | sed 's/ *export/  setting/'
+  if [ "${KMS_SILENT}" != "true" ]; then
+    grep "^ *export " "${KMS_CONFIG}/kms-env.sh" |
+      sed 's/ *export/  setting/'
+  fi
 fi
 
 # verify that the sourced env file didn't change KMS_HOME
@@ -171,6 +177,31 @@ else
   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
 fi
 
+if [ "${KMS_SSL_CIPHERS}" = "" ]; then
+  export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_RSA_WITH_3DES_EDE_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
+  KMS_SSL_CIPHERS+=",TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
+  print "Setting KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
+else
+  print "Using   KMS_SSL_CIPHERS:           ${KMS_SSL_CIPHERS}"
+fi
+
 if [ "${KMS_SSL_KEYSTORE_FILE}" = "" ]; then
   export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
   print "Setting KMS_SSL_KEYSTORE_FILE:     ${KMS_SSL_KEYSTORE_FILE}"

hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh

@@ -59,18 +59,6 @@ CATALINA_OPTS_DISP=`echo ${CATALINA_OPTS} | sed -e 's/trustStorePassword=[^ ]*/t
 print "Using   CATALINA_OPTS:       ${CATALINA_OPTS_DISP}"
 
 catalina_opts="-Dproc_kms"
-catalina_opts="${catalina_opts} -Dkms.home.dir=${KMS_HOME}";
-catalina_opts="${catalina_opts} -Dkms.config.dir=${KMS_CONFIG}";
-catalina_opts="${catalina_opts} -Dkms.log.dir=${KMS_LOG}";
-catalina_opts="${catalina_opts} -Dkms.temp.dir=${KMS_TEMP}";
-catalina_opts="${catalina_opts} -Dkms.admin.port=${KMS_ADMIN_PORT}";
-catalina_opts="${catalina_opts} -Dkms.http.port=${KMS_HTTP_PORT}";
-catalina_opts="${catalina_opts} -Dkms.protocol=${KMS_PROTOCOL}";
-catalina_opts="${catalina_opts} -Dkms.max.threads=${KMS_MAX_THREADS}";
-catalina_opts="${catalina_opts} -Dkms.accept.count=${KMS_ACCEPT_COUNT}";
-catalina_opts="${catalina_opts} -Dkms.acceptor.thread.count=${KMS_ACCEPTOR_THREAD_COUNT}";
-catalina_opts="${catalina_opts} -Dkms.max.http.header.size=${KMS_MAX_HTTP_HEADER_SIZE}";
-catalina_opts="${catalina_opts} -Dkms.ssl.keystore.file=${KMS_SSL_KEYSTORE_FILE}";
 catalina_opts="${catalina_opts} -Djava.library.path=${JAVA_LIBRARY_PATH}";
 
 print "Adding to CATALINA_OPTS:     ${catalina_opts}"
@@ -78,6 +66,39 @@ print "Found KMS_SSL_KEYSTORE_PASS:     `echo ${KMS_SSL_KEYSTORE_PASS} | sed 's/
 
 export CATALINA_OPTS="${CATALINA_OPTS} ${catalina_opts}"
 
+catalina_init_properties() {
+  cp "${CATALINA_BASE}/conf/catalina-default.properties" \
+    "${CATALINA_BASE}/conf/catalina.properties"
+}
+
+catalina_set_property() {
+  local key=$1
+  local value=$2
+  [[ -z "${value}" ]] && return
+  local disp_value="${3:-${value}}"
+  print "Setting catalina property ${key} to ${disp_value}"
+  echo "${key}=${value}" >> "${CATALINA_BASE}/conf/catalina.properties"
+}
+
+if [[ "${1}" = "start" || "${1}" = "run" ]]; then
+  catalina_init_properties
+  catalina_set_property "kms.home.dir" "${KMS_HOME}"
+  catalina_set_property "kms.config.dir" "${KMS_CONFIG}"
+  catalina_set_property "kms.log.dir" "${KMS_LOG}"
+  catalina_set_property "kms.temp.dir" "${KMS_TEMP}"
+  catalina_set_property "kms.admin.port" "${KMS_ADMIN_PORT}"
+  catalina_set_property "kms.http.port" "${KMS_HTTP_PORT}"
+  catalina_set_property "kms.protocol" "${KMS_PROTOCOL}"
+  catalina_set_property "kms.max.threads" "${KMS_MAX_THREADS}"
+  catalina_set_property "kms.accept.count" "${KMS_ACCEPT_COUNT}"
+  catalina_set_property "kms.acceptor.thread.count" \
+    "${KMS_ACCEPTOR_THREAD_COUNT}"
+  catalina_set_property "kms.max.http.header.size" \
+    "${KMS_MAX_HTTP_HEADER_SIZE}"
+  catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
+  catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
+fi
+
 # A bug in catalina.sh script does not use CATALINA_OPTS for stopping the server
 #
 if [ "${1}" = "stop" ]; then
@@ -95,4 +116,8 @@ if [ ! "${KMS_SSL_KEYSTORE_PASS}" = "" ] || [ ! "${KMS_SSL_TRUSTSTORE_PASS}" = "
     | sed 's/"_kms_ssl_truststore_pass_"/'"\"${KMS_SSL_TRUSTSTORE_PASS_ESCAPED}\""'/g' > ${CATALINA_BASE}/conf/ssl-server.xml
 fi 
 
-exec ${KMS_CATALINA_HOME}/bin/catalina.sh "$@"
+if [ "${KMS_SILENT}" != "true" ]; then
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@"
+else
+  exec "${KMS_CATALINA_HOME}/bin/catalina.sh" "$@" > /dev/null
+fi

hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf

@@ -74,6 +74,7 @@
                acceptorThreadCount="${kms.acceptor.thread.count}"
                maxHttpHeaderSize="${kms.max.http.header.size}"
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
+               ciphers="${kms.ssl.ciphers}"
                truststorePass="_kms_ssl_truststore_pass_"
                keystoreFile="${kms.ssl.keystore.file}"
                keystorePass="_kms_ssl_keystore_pass_"/>

hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm

@@ -301,7 +301,11 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
 
 NOTE: You need to restart the KMS for the configuration changes to take effect.
 
-NOTE: Some old SSL clients may use weak ciphers that are not supported by the KMS server. It is recommended to upgrade the SSL client.
+In order to support some old SSL clients, the default encryption ciphers
+include a few relatively weaker ciphers. Set environment variable
+`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
+comma separated list of ciphers documented in this
+[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
 
 $H4 ACLs (Access Control Lists)