Explorer
Posts: 6
Registered: ‎05-04-2016

Enabling/Establishing a secure (https) connection between all services in our cluster.

We are looking to enable/establish a secure (https) connection between all services in the cluster (Cloudera distribution 5.8.0). We have generated the keys/certificates (keystore/truststore) files and incorporated all the property setting modifications in the xml files. We have also enabled all firewall ports (50470/50475) for accessing the NN/DN. We have configured ssl-server.xml and ssl-client.xml with the relevant changes. Once we try to access the NameNode web UI through https://hostname:50470 we get the following error output: SITE CANNOT BE OPENED BECAUSE ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Explorer
Posts: 6
Registered: ‎05-04-2016

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

This is our cipher list (ssl.server.exclude.cipher.list):

TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5
Posts: 437
Topics: 1
Kudos: 102
Solutions: 54
Registered: ‎04-22-2014

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

Hi,

Sounds like your browser and server may not have any ciphers available for communication.  You might try using tcpdump/wireshark to observe the TLS handshake.  You should also consider testing at the command line with "openssl s_client -connect <fqdn>:<port>" to see more information about the handshake.

Of concern, as well, is how the certificates were created.  What commands did you use?

What instructions were you following?  The steps you hinted at don't sound familiar for enabling TLS in CDH via Cloudera Manager, so we should verify what you have done so far and what documentation you used.

Regards,

Ben

Explorer
Posts: 6
Registered: ‎05-04-2016

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

We have referred to several docs to execute this https connection.

Step 2: Generate keys & certificates on all the nodes using the commands below.

Step 2.1: Create key (keystore) on each node:
keytool -keystore /opt/cloudera/security/jks/keystore.jks -alias -validity 1095 -genkey

Step 2.2: Generate CA (Certificate Authority) to trust the client's truststore.
Old one:
openssl req -new -x509 -keyout /opt/cloudera/security/x509/ca-key -out /opt/cloudera/security/x509/ca-cert -days 730
New one, to create 2048 bytes of RSA:
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout /opt/cloudera/security/x509/ca-key.key -out /opt/cloudera/security/x509/ca-cert.crt

Step 2.3: Add the generated CA to the client's truststore (this CA can be used only once & shared across all the nodes):
keytool -keystore /opt/cloudera/security/jks/jssecacerts -alias CARoot -import -file /opt/cloudera/security/x509/ca-cert.crt

Step 2.4: Export CA certs from the generated keystore:
keytool -keystore /opt/cloudera/security/jks/keystore.jks -alias adgthhdnpl08.aws.dnb.com -certreq -file /opt/cloudera/security/CAcerts/cert-file

Step 2.5: Sign the certificates after adding the generated CA:
openssl x509 -req -CA /opt/cloudera/security/x509/ca-cert.crt -CAkey /opt/cloudera/security/x509/ca-key.key -in /opt/cloudera/security/CAcerts/cert-file -out /opt/cloudera/security/CAcerts/cert-signed -days 730 -CAcreateserial -passin pass:cert123

Step 2.6: Import the CA cert and the signed cert on each node:
keytool -keystore /opt/cloudera/security/jks/keystore.jks -alias CARoot1 -import -file /opt/cloudera/security/x509/ca-cert.crt
keytool -keystore /opt/cloudera/security/jks/keystore.jks -alias -import -file /opt/cloudera/security/CAcerts/cert-signed

Step 3: Update the ssl-client/ssl-server properties for the keystore location & password via CM.

Step 4: Update the "dfs.http.policy" property in the hdfs-site.xml file on all the nodes.

Step 5: Restart the cluster.

Step 6: Access https://ip:50470

These are the steps followed. Please suggest the appropriate Cloudera docs to follow.
Posts: 437
Topics: 1
Kudos: 102
Solutions: 54
Registered: ‎04-22-2014

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

Hi,

I think the problem here could have been in the very first command:

keytool -keystore /opt/cloudera/security/jks/keystore.jks -alias -validity 1095 -genkey

First, I'd try using another browser (Firefox, Safari, etc.) to see if they have the same problem as I think you are using Chrome.

I would consider trying with the following as it works:

keytool -genkeypair -keystore node1.keystore -alias node1 \
-dname "CN=node1.example.com,O=Hadoop" -keyalg RSA \
-keysize 2048 -storepass changeme -keypass changeme

You need to alter the "dname" to reflect your fqdn for the host.  

The documentation here will work:

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_create_deploy_certs.html#xd_58...

I'm guessing that the browser is possibly not fond of DSA, but I'm not sure... haven't tested with DSA.

Regards,

Ben
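Ben's diagnosis (browser and server with no cipher in common, possibly because of a DSA key) can be checked in a small model of the suite negotiation. This is an added example, not code from the thread, from Cloudera or from the poster's cluster: the exclude list is the one posted earlier in the thread, while the server-enabled and browser-offered suite lists are constructed, representative samples. It assumes what Ben suspects, that a keytool -genkey run without -keyalg can yield a DSA key, which only the *_DSS_* suites can authenticate with.

```python
"""Model of the cipher-suite negotiation behind ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Added example, not code from the thread or from Cloudera. The exclude list is
the one posted above; the other suite lists are constructed samples."""

# Exactly the ssl.server.exclude.cipher.list value posted in the thread.
EXCLUDE = {
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5"}

# Constructed sample of what a Java 7 era JSSE server might have enabled.
SERVER_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"]

# Constructed sample of a modern browser's ClientHello offer (no DSS suites).
BROWSER_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]


def cert_key_required(suite):
    """Certificate key type a suite authenticates with: 'EC', 'DSA', 'RSA' or None."""
    kx = suite.split("_WITH_")[0]          # e.g. 'TLS_ECDHE_RSA', 'SSL_DHE_DSS'
    if "ECDSA" in kx:
        return "EC"
    if "DSS" in kx:
        return "DSA"
    if "RSA" in kx:
        return "RSA"
    return None                            # anonymous suites need no certificate


def negotiable(server_key_type, server_enabled=SERVER_ENABLED,
               exclude=EXCLUDE, client_offer=BROWSER_OFFER):
    """Suites the server can actually select, in the client's preference order:
    enabled, not excluded, matching the server's certificate key, and offered."""
    usable = {s for s in server_enabled
              if s not in exclude and cert_key_required(s) in (server_key_type, None)}
    return [s for s in client_offer if s in usable]


if __name__ == "__main__":
    for key_type in ("DSA", "RSA"):        # keytool -genkey default vs -keyalg RSA
        common = negotiable(key_type)
        print(f"{key_type} server key: {common or 'no shared suite -> handshake_failure'}")
```

With a DSA key the only usable server suites are the DSS ones, which the browser never offers, so the server sends a handshake_failure alert; the exclude list removes the RC4/DES suites but does not change that outcome. Running openssl s_client against port 50470, as suggested above, shows the real negotiated suite or the same failure.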

Explorer
Posts: 6
Registered: ‎05-04-2016

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

We have planned to purchase a wildcard SSL certificate from DigiCert. What would you guys recommend to us?
New Contributor
Posts: 5
Registered: ‎11-12-2017

Re: Enabling/Establishing a secure (https) connection between all services in our cluster.

Hi,

I am trying to connect to the Salesforce SOAP API (an https web link) from the Cloudera cluster. Can you please help me out? I am getting an error while trying to connect using Spark (https://github.com/springml/spark-salesforce). I am able to connect from my laptop, and I am also able to ping from the edge node.

Error:

Exception while creating connection com.sforce.ws.ConnectionException: Failed to send request to

This works:

export http_proxy=http://${ipaddress}:${port}
export no_proxy="localhost,127.0.0.0/8,ipadress/port,::1"
curl http://somesalefroce.com/services/Soap/u/35.0

This doesn't work:

export HADOOP_CONF_DIR=/etc/hadoop/conf
export HADOOP_HOME=/opt/cloudera/parcels/CDH-5.9.2-1.cdh5.9.2.p0.3
export HADOOP_MAPRED_HOME=/opt/cloudera/parcels/CDH-5.9.2-1.cdh5.9.2.p0.3/lib/hadoop-0.20-mapreduce
spark-submit --class SalesForceTest3 --master local --num-executors 3 --driver-memory 512m --executor-memory 512m --executor-cores 1 /AZ/bin/myjar-1.0-SNAPSHOT-jar-with-dependencies.jar "http://test.salesforce.com/services/Soap/u/35.0" "yarn-client" "/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/jssecacerts" "/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts"

Thanks

Sri