Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above.
This can already be done by manually editing the ambari-env.sh file (/var/lib/ambari-server/ambari-env.sh) and adding the following to the AMBARI_JVM_ARGS environment variable:
The jdk.tls.ephemeralDHKeySize property is only available in Java VM versions 1.8 and above. However it may not be supported in by all Java vendors. Both Oracle and OpenJDK JVM appear to support it.
See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys for more information.
To help users set this value, Ambari should provide a property in the ambari.properties file. If a supported JVM is in use, Ambari should internally set the System property (before creating the embedded web server) as specified by the user. A possible Ambari property name could be security.server.tls.ephemeral_dh_key_size. If not set, it's default value should be 2048.
To test the Ephemeral DH key size, the OpenSSL s_client utility may be used to query the Ambari server's HTTPS port(s):
openssl s_client -connect `hostname -f`:8441 -cipher "EDH"