New Contributor
Posts: 3
Registered: 04-07-2017

Invalid TLS keystore config. Starting server without TLS

Hello.

I have Cloudera Hadoop 5.7.5 and am configuring SSL access to the Cloudera Admin Console using self-signed certificates according to the instructions in:

https://united.softserveinc.com/blogs/tls-encryption-cloudera-manager.

After restarting the Cloudera Manager server, SSL doesn't work and I have this error in the server log:

"2017-04-07 11:21:13,251 ERROR MainThread:com.cloudera.server.cmf.WebServerImpl: Invalid TLS keystore config. Starting server without TLS."

Below are the commands used:

keytool -genkeypair -keystore lvpal1525.keystore -keyalg RSA -alias lvpal1525 -dname "CN=lvpal1525.pal.sap.corp" -storepass Abcd1234 -keypass Abcd1234 -validity 365

cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

keytool -export -alias lvpal1525 -keystore lvpal1525.keystore -rfc -file selfsigned.cer -storepass Abcd1234

cp selfsigned.cer /opt/cloudera/security/x509/lvpal1525.pem

chown cloudera-scm:cloudera-scm /opt/cloudera/security/x509/lvpal1525.pem

keytool -import -alias lvpal1525 -file /opt/cloudera/security/jks/selfsigned.cer -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit

Then on the worker nodes:

keytool -import -alias lvpal1525 -file /tmp/selfsigned.cer -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit

Then I changed the security settings in Cloudera Manager to reflect the keystore location and password, as well as the flag to use TLS for the Admin Console.

Any help will be appreciated.

Posts: 332
Topics: 0
Kudos: 34
Solutions: 26
Registered: 08-16-2016

Re: Invalid TLS keystore config. Starting server without TLS

Can you post a screenshot of the CM TLS configs? It will just be a guessing game until then.

Nothing looks off in the commands. It is complaining about the keystore. Do you have lvpal1525.keystore set as the Keystore and jssecacerts set as the truststore?

What are the permissions for each? The keystore should be 0440 and the truststore 0444.
New Contributor
Posts: 3
Registered: 04-07-2017

Re: Invalid TLS keystore config. Starting server without TLS

Hi Master.

Thanks for taking a look at this. Yes, lvpal1525 is the keystore and jssecacerts is the truststore. Here is the configuration:

[Attached screenshots: SSL_Error_msg.png, Cloudera_SSL_conf.png, Keystore_Permissions.png, Truststore_permissions.png]

Posts: 332
Topics: 0
Kudos: 34
Solutions: 26
Registered: 08-16-2016

Re: Invalid TLS keystore config. Starting server without TLS

It is hard to see, but it seems that you are setting lvapal1525-keystore.jks but the file is actually lvpal1525.keystore.jks. It may be a permissions issue if that name is correct. My Cloudera server is running all CM processes as root, not cloudera-scm. Change the ownership if that is the case for you.
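The diagnosis in this thread comes down to three things the server checks before it will start TLS: the keystore file name typed into CM must match the file on disk, the file must be owned by the user the CM processes run as with tight modes (0440 keystore, 0444 truststore), and the store must open with the configured password and contain the private key whose certificate was imported into jssecacerts. The script below turns that into a pre-flight check you can run on the CM host before restarting. It is an added example, not code from the thread or from Cloudera; the paths, alias, passwords and service user are placeholders taken from the commands in the first post, the keystore path under /opt/cloudera/security/jks is assumed, and it expects a Linux stat(1) and, for the keytool part, a JDK on PATH (that part is skipped, not failed, when keytool is missing).

```shell
#!/bin/sh
# Added example (not from the thread, not Cloudera tooling): pre-flight check for
# the files behind CM's "Invalid TLS keystore config. Starting server without TLS".
# Assumed placeholders: the paths, alias, passwords and service user below.

# check_file_access FILE OWNER MAX_MODE
# Succeeds when FILE exists, is owned by OWNER (empty OWNER = any owner) and has
# no permission bit outside MAX_MODE (octal: 440 for a keystore, 444 truststore).
check_file_access() {
    file="$1"; owner="$2"; max_mode="$3"
    if [ ! -f "$file" ]; then
        echo "MISSING: $file (compare with the exact name entered in CM)"
        return 1
    fi
    actual_owner=$(stat -c '%U' "$file")
    actual_mode=$(stat -c '%a' "$file")
    if [ -n "$owner" ] && [ "$actual_owner" != "$owner" ]; then
        echo "OWNER: $file is owned by $actual_owner, expected $owner"
        return 1
    fi
    # Leading 0 makes both values octal; any bit set outside MAX_MODE fails.
    if [ "$(( (0$actual_mode & ~0$max_mode) != 0 ))" -ne 0 ]; then
        echo "MODE: $file is $actual_mode, expected at most $max_mode"
        return 1
    fi
    return 0
}

# fingerprint STORE STOREPASS ALIAS
# Prints the certificate fingerprint keytool reports for ALIAS; empty when the
# store cannot be opened (wrong path or password) or the alias is absent.
fingerprint() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/.*fingerprint ([^)]*): *//p'
}

# check_tls_stores KEYSTORE STOREPASS ALIAS TRUSTSTORE TRUSTPASS
# Verifies the keystore opens with STOREPASS, holds a private key under ALIAS,
# and that the same certificate is trusted in TRUSTSTORE under the same alias
# (as in the thread). Returns 2 (skipped) when keytool is not installed.
check_tls_stores() {
    ks="$1"; kspw="$2"; ks_alias="$3"; ts="$4"; tspw="$5"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "SKIP: keytool not on PATH"
        return 2
    fi
    if ! entry=$(keytool -list -keystore "$ks" -storepass "$kspw" -alias "$ks_alias" 2>&1); then
        echo "KEYSTORE: cannot read alias '$ks_alias' from $ks: $entry"
        return 1
    fi
    case "$entry" in
        *PrivateKeyEntry*) ;;
        *) echo "KEYSTORE: '$ks_alias' is not a PrivateKeyEntry (no private key)"; return 1 ;;
    esac
    ks_fp=$(fingerprint "$ks" "$kspw" "$ks_alias")
    ts_fp=$(fingerprint "$ts" "$tspw" "$ks_alias")
    if [ -z "$ts_fp" ]; then
        echo "TRUSTSTORE: '$ks_alias' not found in $ts (import the exported .cer)"
        return 1
    fi
    if [ "$ks_fp" != "$ts_fp" ]; then
        echo "TRUSTSTORE: fingerprint mismatch for '$ks_alias': $ks_fp vs $ts_fp"
        return 1
    fi
    echo "OK: '$ks_alias' in $ks matches the trusted certificate in $ts ($ks_fp)"
    return 0
}

# Placeholders for the values entered in Cloudera Manager; override via env.
CM_USER="${CM_USER:-cloudera-scm}"   # use root if the CM processes run as root
KEYSTORE="${KEYSTORE:-/opt/cloudera/security/jks/lvpal1525.keystore}"
STOREPASS="${STOREPASS:-Abcd1234}"
KS_ALIAS="${KS_ALIAS:-lvpal1525}"
TRUSTSTORE="${TRUSTSTORE:-$JAVA_HOME/jre/lib/security/jssecacerts}"
TRUSTPASS="${TRUSTPASS:-changeit}"

run_checks() {
    rc=0
    check_file_access "$KEYSTORE" "$CM_USER" 440 || rc=1
    check_file_access "$TRUSTSTORE" "" 444 || rc=1
    check_tls_stores "$KEYSTORE" "$STOREPASS" "$KS_ALIAS" "$TRUSTSTORE" "$TRUSTPASS" \
        || [ $? -eq 2 ] || rc=1
    return $rc
}

# Run only when invoked as: sh tls_preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    run_checks
fi
```

Run it as the same user that starts cloudera-scm-server (or as root) with the variables exported to whatever is set in the CM TLS configuration; a MISSING line for the keystore is the symptom of the file-name mismatch spotted above, and a MODE or OWNER line is what the 0440/0444 advice earlier in the thread is about.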
New Contributor
Posts: 3
Registered: 04-07-2017

Re: Invalid TLS keystore config. Starting server without TLS

Thanks Master.

After correcting and applying the recommendations I'm going forward with the next steps.

Best regards
