Explorer
Posts: 23
Registered: ‎12-08-2016

Issue configuring TLS Level 1 in RHEL 6.5

Hello,

I have a working CDH 5.9 test cluster. I want to configure Level 1 TLS encryption for Cloudera Manager using a self-signed certificate. I used the official guide.

The problem is that the Cloudera agent fails to communicate with the CM server on 7182. I did import the certificate into the truststore, gave proper permissions and pointed the configuration to the truststore file, so I can't figure out what's wrong. If I look at the agent's log, I can also see "connection refused" errors:

[10/Aug/2017 20:08:39 +0000] 55544 MainThread agent        ERROR    Heartbeating to 172.23.38.125:7182 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown group

What am I doing wrong? Are self-signed certificates really supported? I also updated openssl 1.0 to the latest version 1.1.

Thanks.


Re: Issue configuring TLS Level 1 in RHEL 6.5

Hi,

I removed all keystore files and recreated them, but nothing works. I am using JDK 1.8_111 for self-signed certificates.

Now the cloudera-scm-agent log says SSLError: unknown protocol. All the machines have FQDNs in the following format: master1.xx.org.in, slave1.xx.org.in. The firewall is off across machines.

I used the FQDN for the CN while creating the keystore. I followed the official guide but am still not able to make Level 1 TLS work. External HTTPS connections are working fine for web browsers (cloudera-admin UI, Namenode UI). Only internal HTTPS communication is not working (cloudera-agent heartbeat with server).

MainThread agent        ERROR    Heartbeating to 172.23.45.21:7180 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown protocol

 

I also tried configuring TLS for HDFS/YARN, but the Cloudera agent fails to communicate with the Namenode, NodeManager and DataNode web servers.

It would be very helpful if someone could provide hints to me on this issue.

Thanks.


Re: Issue configuring TLS Level 1 in RHEL 6.5

MainThread agent        ERROR    Heartbeating to :7180 failed.
Traceback (most recent call last):
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/agent.py", line 1346, in _send_heartbeat
    self.max_cert_depth)
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/cmf-5.9.0-py2.6.egg/cmf/https.py", line 132, in __init__
    self.conn.connect()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/httpslib.py", line 50, in connect
    self.sock.connect((self.host, self.port))
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/cmf/agent/build/env/lib/python2.6/site-packages/M2Crypto-0.21.1-py2.6-linux-x86_64.egg/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl)
SSLError: unknown protocol
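
As an added example (not part of the thread and not Cloudera's code): a small triage script for agent logs like the ones above. It pairs each failed heartbeat target with the SSLError that ends its traceback, and classifies the first bytes a listener sends back as a TLS record or plaintext HTTP; the function names and the abridged sample log are assumptions made for illustration.

```python
import re

HEARTBEAT = re.compile(r"Heartbeating to (\S*):(\d+) failed")
SSL_ERROR = re.compile(r"^SSLError: (.+)$")

# Constructed sample: abridged from the agent log lines quoted in the thread.
SAMPLE_LOG = """\
[10/Aug/2017 20:08:39 +0000] 55544 MainThread agent        ERROR    Heartbeating to 172.23.38.125:7182 failed.
Traceback (most recent call last):
    return m2.ssl_connect(self.ssl)
SSLError: unknown group
MainThread agent        ERROR    Heartbeating to 172.23.45.21:7180 failed.
Traceback (most recent call last):
    return m2.ssl_connect(self.ssl)
SSLError: unknown protocol
"""

def summarize_failures(log_text):
    """Return (host, port, error) for each failed heartbeat in the log."""
    results, target = [], None
    for line in log_text.splitlines():
        m = HEARTBEAT.search(line)
        if m:
            # Host may be empty in the log (e.g. "Heartbeating to :7180").
            target = (m.group(1) or None, int(m.group(2)))
            continue
        m = SSL_ERROR.match(line.strip())
        if m and target:
            results.append((target[0], target[1], m.group(1)))
            target = None
    return results

def classify_first_bytes(data):
    """Classify the first bytes a listener returns after a TLS ClientHello."""
    # TLS record header: content type alert (0x15) or handshake (0x16),
    # followed by protocol major version 3.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

if __name__ == "__main__":
    for host, port, err in summarize_failures(SAMPLE_LOG):
        print(host, port, err)
    print(classify_first_bytes(b"HTTP/1.1 400 Bad Request\r\n"))
```

Grouping the output by port shows which listener each error came from; a listener whose reply classifies as `plaintext-http` is not speaking TLS on that port, which is one condition worth ruling out when the agent reports `unknown protocol`.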

Re: Issue configuring TLS Level 1 in RHEL 6.5

Hi,

TLS is successful on all Hadoop components, including HDFS and YARN.

Updated openssl to 1.1 and Java to 1.8_111.

Thanks.