question New LDAP configuration failing with &quot;SSLHandshakeException: Received fatal alert: handshake_failure&quot; in Support Questions https://community.cloudera.com/t5/Support-Questions/New-LDAP-configuration-failing-with-quot/m-p/327140#M229982 <P>We need to update our LDAP configuration because our certificate is going to expire; we have a test ldaps server set up with the new certificate.&nbsp; From within CDH-&gt;Administration-&gt;Settings, I pointed the "<SPAN>LDAP URL" to the new server.</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">simple bind failed: ldapsdev.{obscured domain}:3269; nested exception is javax.naming.CommunicationException: simple bind failed: ldapsdev.{obscureddomain}:3269 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]</LI-CODE><P>&nbsp;</P><P>&nbsp;Under the assumption that a cert needed to be added, I tried to figure out how, but could find zero documentation other than this:<BR /><A href="https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365" target="_blank" rel="noopener">https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365</A></P><P>That relates to Atlas, which we don't use, but seemed right.&nbsp; I downloaded "ldapsdev-ca.crt" from the ldaps server:</P><P>&nbsp;</P><LI-CODE lang="markup">echo -n | openssl s_client -connect ldapsdev.{obscureddomain}:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; ldapsdev-ca.crt</LI-CODE><P>&nbsp;</P><P>And then imported it into&nbsp;/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts.&nbsp; When I do a keytool -list on that, I see it in there.&nbsp; I then restarted cloudera-scm-server, but I still get the same error.</P><P>Was that not the right cacerts file?&nbsp; There are others in various subdirs under /etc/pki I could try to add to, but it'd be nice to know for sure which file Cloudera Server is trying to use.&nbsp; Thanks!!!</P> Fri, 16 Sep 2022 14:43:55 GMT MattHearnCSC 2022-09-16T14:43:55Z New LDAP configuration failing with "SSLHandshakeException: Received fatal alert: handshake_failure" https://community.cloudera.com/t5/Support-Questions/New-LDAP-configuration-failing-with-quot/m-p/327140#M229982 <P>We need to update our LDAP configuration because our certificate is going to expire; we have a test ldaps server set up with the new certificate.&nbsp; From within CDH-&gt;Administration-&gt;Settings, I pointed the "<SPAN>LDAP URL" to the new server.</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">simple bind failed: ldapsdev.{obscured domain}:3269; nested exception is javax.naming.CommunicationException: simple bind failed: ldapsdev.{obscureddomain}:3269 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]</LI-CODE><P>&nbsp;</P><P>&nbsp;Under the assumption that a cert needed to be added, I tried to figure out how, but could find zero documentation other than this:<BR /><A href="https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365" target="_blank" rel="noopener">https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365</A></P><P>That relates to Atlas, which we don't use, but seemed right.&nbsp; I downloaded "ldapsdev-ca.crt" from the ldaps server:</P><P>&nbsp;</P><LI-CODE lang="markup">echo -n | openssl s_client -connect ldapsdev.{obscureddomain}:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' &gt; ldapsdev-ca.crt</LI-CODE><P>&nbsp;</P><P>And then imported it into&nbsp;/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts.&nbsp; When I do a keytool -list on that, I see it in there.&nbsp; I then restarted cloudera-scm-server, but I still get the same error.</P><P>Was that not the right cacerts file?&nbsp; There are others in various subdirs under /etc/pki I could try to add to, but it'd be nice to know for sure which file Cloudera Server is trying to use.&nbsp; Thanks!!!</P> Fri, 16 Sep 2022 14:43:55 GMT https://community.cloudera.com/t5/Support-Questions/New-LDAP-configuration-failing-with-quot/m-p/327140#M229982 MattHearnCSC 2022-09-16T14:43:55Z Re: New LDAP configuration failing with "SSLHandshakeException: Received fatal alert: handshake_failure" https://community.cloudera.com/t5/Support-Questions/New-LDAP-configuration-failing-with-quot/m-p/332289#M231130 <P>Hi Matt,</P><P>&nbsp;</P><P>assuming you want to enable external authentication to LDAP in Cloudera Manager. Please find steps in the product documentation&nbsp;<A href="https://docs.cloudera.com/documentation/enterprise/6/6.3/topics/cm_sg_external_auth.html#cmug_topic_13_9_2__section_ur1_wxn_mk" target="_blank" rel="noopener">here for 6.x</A>&nbsp;and&nbsp;<A href="https://docs.cloudera.com/cdp-private-cloud-base/7.1.6/security-kerberos-authentication/topics/cm-security-external-authentication-ldap.html#ariaid-title2" target="_blank" rel="noopener">here for 7.x</A>&nbsp;</P><P>The steps you listed seem about right and should work. I suggest to verify if CM makes use of this JDK in the <STRONG>CM -&gt; Support -&gt; About</STRONG> page, and if necessary follow the steps in documentation to explicitly set the&nbsp;<EM><STRONG>-Djavax.net.ssl.trustStore</STRONG></EM><SPAN class="cdoc-line">&nbsp;and&nbsp;</SPAN><EM><STRONG>-Djavax.net.ssl.trustStorePassword</STRONG></EM>&nbsp;<SPAN class="cdoc-line">startup properties.</SPAN></P> Wed, 15 Dec 2021 07:56:00 GMT https://community.cloudera.com/t5/Support-Questions/New-LDAP-configuration-failing-with-quot/m-p/332289#M231130 gzigldrum 2021-12-15T07:56:00Z