diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index f8535e118c..5a450bfd1a 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1111,6 +1111,9 @@ Release 2.8.0 - UNRELEASED
     HADOOP-12752. Improve diagnostics/use of envvar/sysprop credential
     propagation (Steve Loughran via cnauroth)
 
+    HADOOP-12764. Increase default value of KMX maxHttpHeaderSize and make it
+    configurable. (zhz)
+
   OPTIMIZATIONS
 
     HADOOP-11785. Reduce the number of listStatus operation in distcp
diff --git a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
index 453e5bad12..fa52e22690 100755
--- a/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
+++ b/hadoop-common-project/hadoop-common/src/main/bin/hadoop-functions.sh
@@ -1221,6 +1221,7 @@ function hadoop_finalize_catalina_opts
   hadoop_add_param CATALINA_OPTS "${prefix}.admin.port" "-D${prefix}.admin.port=${HADOOP_CATALINA_ADMIN_PORT}"
   hadoop_add_param CATALINA_OPTS "${prefix}.http.port" "-D${prefix}.http.port=${HADOOP_CATALINA_HTTP_PORT}"
   hadoop_add_param CATALINA_OPTS "${prefix}.max.threads" "-D${prefix}.max.threads=${HADOOP_CATALINA_MAX_THREADS}"
+  hadoop_add_param CATALINA_OPTS "${prefix}.max.http.header.size" "-D${prefix}.max.http.header.size=${HADOOP_CATALINA_MAX_HTTP_HEADER_SIZE}"
   hadoop_add_param CATALINA_OPTS "${prefix}.ssl.keystore.file" "-D${prefix}.ssl.keystore.file=${HADOOP_CATALINA_SSL_KEYSTORE_FILE}"
 }
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
index 41449efa2d..c3bc772b26 100644
--- a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
@@ -34,6 +34,10 @@
 #
 # export KMS_MAX_THREADS=1000
 
+# The maximum size of Tomcat HTTP header
+#
+# export KMS_MAX_HTTP_HEADER_SIZE=65536
+
 # The location of the SSL keystore if using SSL
 #
 # export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
diff --git a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
index df48889087..c88aa87962 100644
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -40,6 +40,7 @@ function hadoop_subproject_init
   export HADOOP_CATALINA_HTTP_PORT="${KMS_HTTP_PORT:-16000}"
   export HADOOP_CATALINA_ADMIN_PORT="${KMS_ADMIN_PORT:-$((HADOOP_CATALINA_HTTP_PORT+1))}"
   export HADOOP_CATALINA_MAX_THREADS="${KMS_MAX_THREADS:-1000}"
+  export HADOOP_CATALINA_MAX_HTTP_HEADER_SIZE="${KMS_MAX_HTTP_HEADER_SIZE:-65536}"
 
   export HADOOP_CATALINA_SSL_KEYSTORE_FILE="${KMS_SSL_KEYSTORE_FILE:-${HOME}/.keystore}"
 
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml b/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml
index 516a6a9d0c..d8fd161205 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/server.xml
@@ -75,7 +75,8 @@
     <Connector port="${kms.http.port}" protocol="HTTP/1.1"
                maxThreads="${kms.max.threads}"
                connectionTimeout="20000"
-               redirectPort="8443"/>
+               redirectPort="8443"
+               maxHttpHeaderSize="${kms.max.http.header.size}"/>
     <!-- A "Connector" using the shared thread pool-->
     <!--
     <Connector executor="tomcatThreadPool"
diff --git a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
index 05b53e06da..01b429c7ae 100644
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf
@@ -70,6 +70,7 @@
          described in the APR documentation -->
     <Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="${kms.max.threads}" scheme="https" secure="true"
+               maxHttpHeaderSize="${kms.max.http.header.size}"
                clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
                truststorePass="_kms_ssl_truststore_pass_"
                keystoreFile="${kms.ssl.keystore.file}"
diff --git a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
index ad4bfca197..f0958be710 100644
--- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
@@ -120,6 +120,7 @@ The following environment variables (which can be set in KMS's `etc/hadoop/kms-e
 * KMS_HTTP_PORT
 * KMS_ADMIN_PORT
 * KMS_MAX_THREADS
+* KMS_MAX_HTTP_HEADER_SIZE
 * KMS_LOGNOTE: You need to restart the KMS for the configuration changes to take effect.
 
 $H3 Loading native libraries