Bug 1577372 - Ambari not working due to recent changes in jdk security policies (TLSv1 disabled)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-sahara
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 13.0 (Queens)
Assignee: Telles Nobrega
QA Contact: Luigi Toscano
Blocks: 1502848
Reported: 2018-05-11 20:14 UTC by Luigi Toscano
Modified: 2018-06-27 13:57 UTC (History)

Fixed In Version: openstack-sahara-8.0.1-0.20180328233740.36531cb.el7ost
Last Closed: 2018-06-27 13:56:23 UTC

Links
System | ID | Priority | Status | Summary | Last Updated
OpenStack Storyboard | 2002012 | None | None | None | 2018-05-11 20:14:28 UTC
OpenStack gerrit | 567958 | None | stable/queens: MERGED | sahara: Restore Ambari with newer JDK security policies (I3782ce9acb8c895e4e1f3fb9046b54f2a57acdbf) | 2018-05-14 15:46:16 UTC
Red Hat Bugzilla | 1577373 | None | None | None | Never
Red Hat Product Errata | RHEA-2018:2086 | None | None | None | 2018-06-27 13:57:37 UTC

Internal Links: 1577373

Description Luigi Toscano 2018-05-11 20:14:28 UTC
Description of problem:


Apparently a very recent change in jdk policies disabled TLSv1, which is used by default by Ambari agents to communicate with the Ambari server.
This means that the Ambari plugin is not working anymore. It is a recent change because it was working until (at least) the end of April 2018, and one of the documents describing the issue was published on May 3rd.

After some digging, it seems that this issue is fixed, or at least can be worked around, only from Ambari 2.4.3.0 or >=2.5. More details in this ticket: https://issues.apache.org/jira/browse/AMBARI-17666

This is the relevant commit: https://github.com/apache/ambari/commit/b9de1383cd714ccc132e84abb80e8760d75a573e

The important document from Hortonworks describing the issue is: https://community.hortonworks.com/articles/188269/javapython-updates-and-ambari-agent-tls-settings.html

In addition to the patch, the agents should be configured to use a newer version of TLS. This means changing /etc/ambari-agent/conf/ambari-agent.ini on the images and adding a new key in the [security] section:

[security]
force_https_protocol=PROTOCOL_TLSv1_2

This means that the Ambari images can be fixed only by upgrading to 2.4.3.0; that means sahara-image-pack can be used without problems; sahara-image-elements defaults to older versions for older versions of HDP for historical reasons, even if 2.4 could be used too even for HDP 2.4 and HDP 2.3, but it may require more time.


Version-Release number of selected component (if applicable):
All versions of Sahara.
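
An added example, not part of the bug report and not Sahara or Ambari code: a check that an image's ambari-agent.ini carries the [security] override described above, plus a line-based fix that keeps comments and other keys intact. The names audit, remediate and SAMPLE_INI and the sample file contents are constructed for illustration.

```python
import configparser

KEY = "force_https_protocol"
WANTED = "PROTOCOL_TLSv1_2"  # value given in the bug report

# Constructed sample: an agent config that lacks the override.
SAMPLE_INI = """\
[server]
hostname=localhost
url_port=8440

[security]
keysdir=/var/lib/ambari-agent/keys
server_crt=ca.crt
"""

def audit(text):
    """Return 'ok', 'missing' or 'unexpected:<value>' for [security]/KEY."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    value = cp.get("security", KEY, fallback=None)
    if value is None:
        return "missing"
    return "ok" if value.strip() == WANTED else "unexpected:" + value.strip()

def remediate(text):
    """Set KEY=WANTED in [security] line by line, so comments are preserved."""
    out, in_sec, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            if in_sec and not done:  # leaving [security] without the key
                out.append(f"{KEY}={WANTED}")
                done = True
            in_sec = s == "[security]"
        elif in_sec and s.split("=", 1)[0].strip() == KEY:
            line, done = f"{KEY}={WANTED}", True
        out.append(line)
    if not done:
        if not in_sec:
            out.append("[security]")
        out.append(f"{KEY}={WANTED}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_INI), "->", audit(remediate(SAMPLE_INI)))
```

A key placed in any section other than [security] is reported as missing, since the bug report puts the override in [security].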

Comment 4 Luigi Toscano 2018-05-17 16:40:37 UTC
The fix which bumps the version of TLS used by ambari-agent to 1.2 is available. In an image generated by sahara-image-pack, the Ambari agents can talk to ambari-server, thus allowing the creation of the cluster.

Verified with (source package):
openstack-sahara-8.0.1-0.20180328233740.36531cb.el7ost

Comment 7 errata-xmlrpc 2018-06-27 13:56:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

