Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Complex TLS Encryption Processes on the Cloudera Documentation

avatar
New Contributor

Dear All;

 

When we start to Cloudera Management Service, there is an error occured. The errors are the same for Reports Manager, Service Monitor, Event Server, Activity Monitor, Host Monitor etc.

 

Here is the error:

 

"Exception in thread "main" java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) at java.security.KeyStore.load(KeyStore.java:1226) at com.cloudera.enterprise.ssl.ReloadingX509TrustManager.loadTrustManager(ReloadingX509TrustManager.java:168) at com.cloudera.enterprise.ssl.ReloadingX509TrustManager.<init>(ReloadingX509TrustManager.java:83) at com.cloudera.enterprise.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:208) at com.cloudera.enterprise.ssl.SSLFactory.init(SSLFactory.java:110) at com.cloudera.enterprise.ssl.SSLFactory.getHttpConnectionConfigurator(SSLFactory.java:267) at com.cloudera.cmon.firehose.Main.main(Main.java:359) Caused by: java.security.UnrecoverableKeyException: Password verification failed at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770) ... 8 more"

 

 

I know the message show me that keystore password is incorrect. However, When I change the password on the Cloudera Manager Config Interface the same error is appeared at the top of page. According to this situation the first password is correct. But I cannot start Cloudera Management Service.

 

Can anybody help to me?

 

Thank you 

 

Tayfun

2 REPLIES 2

avatar
Cloudera Employee

Hello Tayfun,

 

The keystore password is wrong.

Manually test the password by printing out the keystore certificates using the following CLI command:

 

keytool -list -v -keystore <keystore.jks>

 

If this fails, you know the password is wrong.

 

If you want to change the keystore password, use the following command:

 

keytool -storepasswd -keytool <keystore.jks>

 

Tip and Example:

If keytool is not in your PATH you will need to type out the whole path.

Here's an example I used on our test cluster:

 

/usr/java/jdk1.7.0_67/bin/keytool -list -v -keystore /etc/cdep-ssl-conf/CA_STANDARD/truststore.jks

avatar
Master Guru

Hi @VFTR,

 

Since the issue you are having is that the services cannot access the truststore specified that the Management Service roles use to trust the signer of Cloudera Manager's certificate, Make sure you are changing the right password.

 

Cloudera Manager --> Clusters --> Cloudera Management Service --> Configuration

Search for Cloudera Manager Server TLS/SSL Certificate Trust Store Password

 

If you can't figure out the password, it is also OK to leave the password field blank.  If the password is specified, it is required to be correct, but the services don't need to know the password to get what they need from the file.

 

Click the blue arrow next to Cloudera Manager Server TLS/SSL Certificate Trust Store Password to revert to the default 'null' value.  Save and restart the Management Service.

 

-Ben