Explorer
Posts: 23
Registered: ‎12-08-2016

Issue configuring TLS Level 1 in RHEL 6.5

Hello, 

 

I have a working CDH 5.9 test cluster. I want to configure Level 1 TLS encryption for Cloudera Manager using a self-signed certificate. I used the official guide.

The problem is that the Cloudera agent fails to communicate with the CM server on 7182. I did import the certificate into the truststore, gave proper permissions and pointed the configuration to the truststore file, so I can't figure out what's wrong. If I look at the agent's log I can also see "connection refused" errors:

[10/Aug/2017 20:08:39 +0000] 55544 MainThread agent        ERROR    Heartbeating to 172.23.38.125:7182 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown group

What am I doing wrong? Are self-signed certificates really supported? I also updated openssl 1.0 to latest version 1.1.

Thanks.

Explorer
Posts: 23
Registered: ‎12-08-2016

Re: Issue configuring TLS Level 1 in RHEL 6.5

Hi,

 

I removed all keystore files and recreated them, but nothing works. I am using JDK 1.8_111 for self-signed certificates.

Now the cloudera-scm-agent log says SSLError: unknown protocol. All the machines have FQDNs in the following format: master1.xx.org.in, slave1.xx.org.in. The firewall is off across machines.

I used the FQDN for CN while creating the keystore. I followed the official guide but am still not able to make Level 1 TLS work. External HTTPS connections are working fine for web browsers (cloudera-admin UI, Namenode UI). Only internal HTTPS communication is not working (cloudera-agent heartbeat with server).

MainThread agent        ERROR    Heartbeating to 172.23.45.21:7180 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown protocol

 

I also tried configuring TLS for HDFS/YARN, but the Cloudera agent fails to communicate with the Namenode, NodeManager and DataNode web servers.

It would be very helpful if someone could provide hints on this issue.

Thanks.

 

 

Explorer
Posts: 23
Registered: ‎12-08-2016

Re: Issue configuring TLS Level 1 in RHEL 6.5

MainThread agent        ERROR    Heartbeating to :7180 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown protocol
Explorer
Posts: 23
Registered: ‎12-08-2016

Re: Issue configuring TLS Level 1 in RHEL 6.5

Hi,

TLS is successful on all Hadoop Components including Hdfs and Yarn.

Updated openssl to 1.1 and Java to 1.8_111.

Thanks.
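
The thread reports three different heartbeat failures: "connection refused", and SSLError on ports 7182 and 7180. As an added example (not part of the original posts and not Cloudera's code), this Python 3 check, run from the agent host, tells them apart by showing whether a port is closed, answers in plaintext HTTP, or answers with a TLS record; OpenSSL raises "unknown protocol" when the peer's reply is not a TLS record. The function names `probe` and `classify_reply` are made up for this example.

```python
import socket
import sys


def classify_reply(first: bytes) -> str:
    """Classify the first bytes a listener returns after a plaintext HTTP probe."""
    if first.startswith(b"HTTP/"):
        # Plaintext HTTP listener: a TLS client connecting here cannot
        # parse the reply as a TLS record and fails the handshake.
        return "plaintext-http"
    if len(first) >= 2 and first[0] in (0x15, 0x16) and first[1] == 0x03:
        # 0x15 = TLS alert record, 0x16 = TLS handshake record, 0x03 = major version.
        return "tls"
    if not first:
        # Many TLS listeners simply drop a connection that sends non-TLS bytes.
        return "closed-without-reply"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, send a harmless HTTP request, classify the answer."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # nothing is listening on this port
    except OSError:
        return "unreachable"    # timeout, routing or name-resolution failure
    with sock:
        sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
        try:
            first = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            first = b""
    return classify_reply(first)


if __name__ == "__main__":
    # Usage: python3 probe.py <cm-server-host> 7182 7180
    host = sys.argv[1]
    for port in map(int, sys.argv[2:]):
        print(port, probe(host, port))
```

A result of `plaintext-http` on the port the agent heartbeats to means the agent is starting a TLS handshake against a listener that is not serving TLS; `refused` means no listener is bound there at all.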