https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/376037#M242743 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/94989">@Meepoljd</a></P><P>It seems like the issue is with the certificate. Make sure the certificate is created with fqdn.</P><P>The curl command is working because, as you passing --insecure, it ignores invalid and self-signed certificate errors.</P> Wed, 06 Sep 2023 09:12:38 GMT Scharan 2023-09-06T09:12:38Z https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375013#M242247 <P>I have a secure hadoop cluster with HDP3.1，<SPAN class="tgt color_text_0">I recently tried to interconnect this cluster with the Knox component to implement a secure proxy. <SPAN>This cluster has kerberos, Ldap, and https enabled, I create one config like this:</SPAN></SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">&lt;topology&gt; &lt;gateway&gt; &lt;provider&gt; &lt;role&gt;authentication&lt;/role&gt; &lt;name&gt;ShiroProvider&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm&lt;/name&gt; &lt;value&gt;org.apache.knox.gateway.shirorealm.KnoxLdapRealm&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapContextFactory&lt;/name&gt; &lt;value&gt;org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory&lt;/name&gt; &lt;value&gt;$ldapContextFactory&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.userDnTemplate&lt;/name&gt; &lt;value&gt;cn=admin,dc=datasw,dc=com&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory.url&lt;/name&gt; &lt;value&gt;ldap://hdp001.datasw.com:389&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;main.ldapRealm.contextFactory.authenticationMechanism&lt;/name&gt; &lt;value&gt;simple&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;urls./**&lt;/name&gt; &lt;value&gt;authcBasic&lt;/value&gt; &lt;/param&gt; &lt;/provider&gt; &lt;provider&gt; &lt;role&gt;authentication&lt;/role&gt; &lt;name&gt;HadoopAuth&lt;/name&gt; &lt;enabled&gt;true&lt;/enabled&gt; &lt;param&gt; &lt;name&gt;config.prefix&lt;/name&gt; &lt;value&gt;hadoop.auth.config&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.type&lt;/name&gt; &lt;value&gt;kerberos&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.simple.anonymous.allowed&lt;/name&gt; &lt;value&gt;false&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.token.validity&lt;/name&gt; &lt;value&gt;1800&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.cookie.domain&lt;/name&gt; &lt;value&gt;datasw.com&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.cookie.path&lt;/name&gt; &lt;value&gt;gateway/default&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.kerberos.principal&lt;/name&gt; &lt;value&gt;HTTP/hdp003.datasw@DATASW.COM&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.kerberos.keytab&lt;/name&gt; &lt;value&gt;/etc/security/keytabs/spnego.service.keytab&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;hadoop.auth.config.kerberos.name.rules&lt;/name&gt; &lt;value&gt;DEFAULT&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;fs.defaultFS&lt;/name&gt; &lt;value&gt;hdfs://hdfsCluster&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.internal.nameservices&lt;/name&gt; &lt;value&gt;hdfsCluster&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.ha.namenodes.hdfsCluster&lt;/name&gt; &lt;value&gt;nn1,nn2&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.nameservices&lt;/name&gt; &lt;value&gt;hdfsCluster&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.namenode.https-address&lt;/name&gt; &lt;value&gt;hdp001.datasw:50470&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.namenode.https-address.hdfsCluster.nn1&lt;/name&gt; &lt;value&gt;hdp001.datasw:50470&lt;/value&gt; &lt;/param&gt; &lt;param&gt; &lt;name&gt;dfs.namenode.https-address.hdfsCluster.nn2&lt;/name&gt; &lt;value&gt;hdp002.datasw:50470&lt;/value&gt; &lt;/param&gt; &lt;/provider&gt; &lt;/gateway&gt; &lt;service&gt; &lt;role&gt;HDFSUI&lt;/role&gt; &lt;url&gt;https://hdp002.datasw.com:50470&lt;/url&gt; &lt;/service&gt; &lt;/topology&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;and I copy the hadoop cluster's&nbsp;truststore.jks file to the $GATEWAY_HOME/data/security/keystores/ and set&nbsp;</P><DIV><DIV><SPAN>gateway.httpclient.truststore.path param in gateway-stie.xml:</SPAN></DIV></DIV><P>&nbsp;</P><LI-CODE lang="markup"> &lt;property&gt; &lt;name&gt;gateway.httpclient.truststore.path&lt;/name&gt; &lt;value&gt;/usr/local/knox/data/security/keystores/truststore.jks&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;gateway.httpclient.truststore.type&lt;/name&gt; &lt;value&gt;JKS&lt;/value&gt; &lt;/property&gt; &lt;property&gt; &lt;name&gt;gateway.httpclient.truststore.password.alias&lt;/name&gt; &lt;value&gt;pthdp&lt;/value&gt; &lt;/property&gt;</LI-CODE><P>&nbsp;</P><P>Then I restart the Knox gateway，but w<SPAN class="tgt color_text_0">hen I access the NameNode webUi, I receive the following error message:</SPAN></P><P>&nbsp;</P><LI-CODE lang="c">2023-08-08 11:14:38,050 58fc3dbf-4c6e-4684-860d-0a4e443f85d2 WARN knox.gateway (DefaultDispatch.java:executeOutboundRequest(183)) - Connection exception dispatching request: https://hdp002.datasw.com:50470/?user.name=admin javax.net.ssl.SSLPeerUnverifiedException: Certificate for &lt;hdp002.datasw.com&gt; doesn't match any of the subject alternative names: [] javax.net.ssl.SSLPeerUnverifiedException: Certificate for &lt;hdp002.datasw.com&gt; doesn't match any of the subject alternative names: [] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.13.jar:4.5.13] at org.apache.knox.gateway.dispatch.DefaultDispatch.executeOutboundRequest(DefaultDispatch.java:166) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.dispatch.DefaultDispatch.executeRequest(DefaultDispatch.java:152) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.dispatch.DefaultDispatch.executeRequestWrapper(DefaultDispatch.java:135) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.dispatch.DefaultDispatch.doGet(DefaultDispatch.java:300) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.dispatch.GatewayDispatchFilter$GetAdapter.doMethod(GatewayDispatchFilter.java:183) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.dispatch.GatewayDispatchFilter.doFilter(GatewayDispatchFilter.java:127) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:291) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doFilterInternal(AbstractIdentityAssertionFilter.java:193) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.access$000(AbstractIdentityAssertionFilter.java:55) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter$1.run(AbstractIdentityAssertionFilter.java:161) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_291] at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_291] at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.doAs(AbstractIdentityAssertionFilter.java:156) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at org.apache.knox.gateway.identityasserter.common.filter.AbstractIdentityAssertionFilter.continueChainAsPrincipal(AbstractIdentityAssertionFilter.java:146) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at org.apache.knox.gateway.identityasserter.common.filter.CommonIdentityAssertionFilter.doFilter(CommonIdentityAssertionFilter.java:241) ~[gateway-provider-identity-assertion-common-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:291) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter.doFilter(UrlRewriteServletFilter.java:57) ~[gateway-provider-rewrite-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58) ~[gateway-spi-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:291) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain$1.run(ShiroSubjectIdentityAdapter.java:93) ~[gateway-provider-security-shiro-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain$1.run(ShiroSubjectIdentityAdapter.java:90) ~[gateway-provider-security-shiro-2.0.0.jar:2.0.0] at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_291] at javax.security.auth.Subject.doAs(Subject.java:422) ~[?:1.8.0_291] at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:146) ~[gateway-provider-security-shiro-2.0.0.jar:2.0.0] at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter$CallableChain.call(ShiroSubjectIdentityAdapter.java:76) ~[gateway-provider-security-shiro-2.0.0.jar:2.0.0] at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) ~[shiro-core-1.10.0.jar:1.10.0] at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) ~[shiro-core-1.10.0.jar:1.10.0] at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387) ~[shiro-core-1.10.0.jar:1.10.0] at org.apache.knox.gateway.filter.ShiroSubjectIdentityAdapter.doFilter(ShiroSubjectIdentityAdapter.java:73) ~[gateway-provider-security-shiro-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:291) ~[gateway-server-2.0.0.jar:2.0.0] at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:154) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:458) ~[shiro-web-1.10.0.jar:1.10.0] at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:373) ~[shiro-web-1.10.0.jar:1.10.0]</LI-CODE><P>&nbsp;</P><P class="tgt color_text_0 un-step-trans"><SPAN class="tgt color_text_0">In order to achieve Knox proxy,&nbsp;<SPAN>What else do I need to do?</SPAN></SPAN></P><P>&nbsp;</P> Tue, 08 Aug 2023 03:18:10 GMT https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375013#M242247 Meepoljd 2023-08-08T03:18:10Z https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375129#M242300 <P>Hello&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/94989">@Meepoljd</a>&nbsp;</P><P>Are you able to access the Namnode UI without a Knox proxy?</P><P>Can you check the output of the below command to verify the hostname in the certificate?</P><P>&nbsp;</P><P># openssl s_client -connect hdp002.datasw.com:50470 -showcerts</P> Fri, 11 Aug 2023 05:35:01 GMT https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375129#M242300 Scharan 2023-08-11T05:35:01Z https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375132#M242301 <P>Hi, Scharan, thisi is the command's return:</P><LI-CODE lang="c">[root@hdp002 ~]# openssl s_client -connect hdp002.datasw.com:50470 -showcerts CONNECTED(00000003) depth=1 C = CN, ST = ShenZhen, L = GuangDong, O = DATASW, OU = PlatformTeam, CN = datsw verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=CN/ST=GuangDong/L=ShenZhen/O=DATASW/OU=PlatformTeam/CN=hdp002.datasw i:/C=CN/ST=ShenZhen/L=GuangDong/O=DATASW/OU=PlatformTeam/CN=datsw -----BEGIN CERTIFICATE----- MIIDXDCCAkQCCQDNmxfKgcxaOjANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD TjERMA8GA1UECAwIU2hlblpoZW4xEjAQBgNVBAcMCUd1YW5nRG9uZzEPMA0GA1UE CgwGREFUQVNXMRUwEwYDVQQLDAxQbGF0Zm9ybVRlYW0xDjAMBgNVBAMMBWRhdHN3 MB4XDTIxMDkxNDE3MjcwM1oXDTMxMDkxMjE3MjcwM1owdDELMAkGA1UEBhMCQ04x EjAQBgNVBAgTCUd1YW5nRG9uZzERMA8GA1UEBxMIU2hlblpoZW4xDzANBgNVBAoT BkRBVEFTVzEVMBMGA1UECxMMUGxhdGZvcm1UZWFtMRYwFAYDVQQDEw1oZHAwMDIu ZGF0YXN3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgUquEQOPlyZs vqfNZCB6qXh+wDoQlOMTPWfoHAtk5c041LwDrtkjF3I+uXntqcV/aB0ufSLA3M/j 2iiPt+8sosjp0cOakWXpOGx3Vv7MXteF/c8HMav+9yheY8qcoHfrRwPqpq9v0Ysz 31v1l6zJiuubF9JJpYMMmBkfwd0RUyLD079VkKAHtq6zAlpBm+zKVc6B0Xiddvw6 La2PB/c+vqVGVKsI+0RqiMdM1IXCuV76CT47riQ8G0PPs1OSu4HVI+J1j6P3R6He rpIG1GstmcGjbR10qo/MDg1svwxiGOJxw1sN+65LQPLB3cTw4JmUMIJq8F1REiAZ azP8I1oTsQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA4B1NwbQ0jBBccOfX0zCoQ mHiIQvpMiiUYJRTAfUqueIFMwRF5aw85u2PAMnkgxqUmRG87RTgOg5dx3hPswS83 FQOeG2kUPXIR9HRaJZirRZ0vZByzsHl77N4Bb0y0Z0m1svbSczxH/RCEY5L7NvMR fUSZjYW8LFk8nl3tH60u4f7cDJ+bTiDA37B7tUqvwrRHsvSJY9Ndp52QRUHxST3o iutBSEOWfhBvPkv7U/B3WAnT9Dp0aSur2jIr5BP99qs13cy4qK0h5OAB+lgCEBt5 L4JKqWOv3W33j4vtNeYOSzfHgoi2JgKDP+imoVgnGeK1GNJsHMxecw4ef0Eik9sW -----END CERTIFICATE----- 1 s:/C=CN/ST=ShenZhen/L=GuangDong/O=DATASW/OU=PlatformTeam/CN=datsw i:/C=CN/ST=ShenZhen/L=GuangDong/O=DATASW/OU=PlatformTeam/CN=datsw -----BEGIN CERTIFICATE----- MIIDqzCCApOgAwIBAgIJAMmdxf5CbH3BMA0GCSqGSIb3DQEBCwUAMGwxCzAJBgNV BAYTAkNOMREwDwYDVQQIDAhTaGVuWmhlbjESMBAGA1UEBwwJR3VhbmdEb25nMQ8w DQYDVQQKDAZEQVRBU1cxFTATBgNVBAsMDFBsYXRmb3JtVGVhbTEOMAwGA1UEAwwF ZGF0c3cwHhcNMjEwOTE0MDE1MTQwWhcNMzEwOTEyMDE1MTQwWjBsMQswCQYDVQQG EwJDTjERMA8GA1UECAwIU2hlblpoZW4xEjAQBgNVBAcMCUd1YW5nRG9uZzEPMA0G A1UECgwGREFUQVNXMRUwEwYDVQQLDAxQbGF0Zm9ybVRlYW0xDjAMBgNVBAMMBWRh dHN3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDsAyDscHIGXRmTz EKzWjenR8c2f6hpLEyRTqvlI9AzTd5gZRMMWg7ax4erC7BPwva+RHZoeug9kE2HC UHoGCP4YIZdEux5phPqv1vP/CBvbXnYZ4olMRSJDuf57TpAZjMTy5FHgs7QDzpCk 9Ez7CQWeXaaAaqnGo8SUWLATLadudSgkPDLSJL/h2IGjhxKPMyaHODxXQRxUIRbr tI+8+9+siRLi+3EIhMXLT1oEOnsB/BQmawbNjyLtuZZoH8pyGJ3ByoM06zLWWMGI eujFCOlSRMMzpEr/xLhJQQDFBLEFJKYOD0Z5QbqgrFkQtLOFpEnDbTXasQvlk4on nLVemQIDAQABo1AwTjAdBgNVHQ4EFgQUUkBUUrsXSVF7MQDnB0hKjtpiOt0wHwYD VR0jBBgwFoAUUkBUUrsXSVF7MQDnB0hKjtpiOt0wDAYDVR0TBAUwAwEB/zANBgkq hkiG9w0BAQsFAAOCAQEAdU7iAr/F5lCLvPMfo9LA7JhI7IQdic/EhxELLuUELF7c UBOOlJbWFxLYaZ6SwZ9lGa4d+wjNWoX+QvLt02PGZV3h0aB6O8E0827jjgI61r0C UNSD3N3KadbK52st5W34sIssXqBNIga1w9knfWouiqNcHBixyZdYfWOwGLPSAbpC K4os4yi5QU4YSvNwLO9GAYgem0p0Uel9By3m0cFmyFr+GcA+VAWltk7xBKOsCxam nnQJE+djbMekmXW6cmujbqh02Q6LF0/6wNDMRnRFkDvF5WnT1XxQ7O+HFkeQXPED qCkcKcHLqMxhK72iVlLgCq6n+oYLDxeODfHEjvo3sg== -----END CERTIFICATE----- --- Server certificate subject=/C=CN/ST=GuangDong/L=ShenZhen/O=DATASW/OU=PlatformTeam/CN=hdp002.datasw issuer=/C=CN/ST=ShenZhen/L=GuangDong/O=DATASW/OU=PlatformTeam/CN=datsw --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2350 bytes and written 483 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: 64D5CE575ACD383C1B9BED92D5F2FDC1C63308098FD241173411E62C2E5E0395 Session-ID-ctx: Master-Key: D73511C7D981C1A2F7813E02F102BD23057A5A79C5E9E75C3BCE870AA40D7CE4F02E41115F28510CE7AF85C6F6675BE6 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1691733590 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) ---</LI-CODE><P><SPAN>KIT is not installed on my Windows machine, so I use curl on the Linux server to access the http request of the namenode:</SPAN></P><LI-CODE lang="c">curl -i --insecure --negotiate -u: "https://hdp002.datasw.com:50470/jmx?qry=Hadoop:service=NameNode,name=RpcActivityForPort8020" </LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Meepoljd_0-1691733912433.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/38222i571747214CDB743F/image-size/medium?v=v2&amp;px=400" role="button" title="Meepoljd_0-1691733912433.png" alt="Meepoljd_0-1691733912433.png" /></span></P><P>&nbsp;</P> Fri, 11 Aug 2023 06:05:24 GMT https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/375132#M242301 Meepoljd 2023-08-11T06:05:24Z https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/376037#M242743 <P>Hi&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/94989">@Meepoljd</a></P><P>It seems like the issue is with the certificate. Make sure the certificate is created with fqdn.</P><P>The curl command is working because, as you passing --insecure, it ignores invalid and self-signed certificate errors.</P> Wed, 06 Sep 2023 09:12:38 GMT https://community.cloudera.com/t5/Support-Questions/Use-Knox-proxy-Secure-Hadoop-cluster-has-some-question-doesn/m-p/376037#M242743 Scharan 2023-09-06T09:12:38Z