https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399009#M250371 <P>This issue occurred right after I enabled TLS on my CDP Private Cloud Base 7.1.7. The client call to&nbsp;HBASE Thrift API failed at TLS hanshake.</P><P>Below is the connection test output with the handshake failure.<BR />++<BR />$ openssl s_client -connect mycompany.com:9191<BR />CONNECTED(00000003)<BR />write:errno=0<BR />---<BR />no peer certificate available<BR />---<BR />No client certificate CA names sent<BR />---<BR />SSL handshake has read 0 bytes and written 287 bytes<BR />Verification: OK<BR />---<BR />New, (NONE), Cipher is (NONE)<BR />Secure Renegotiation IS NOT supported<BR />Compression: NONE<BR />Expansion: NONE<BR />No ALPN negotiated<BR />Early data was not sent<BR />Verify return code: 0 (ok)<BR />---<BR />++</P><P>My Thrift API port is 9191 (not the default 9090). This port worked well before TLS was enabled.</P><P>There should be no certificate/ca issue because the Thrift (on the same node) UI over TLS works just fine. Below is the connection test output showing a successful handshake.</P><P>++<BR />$ openssl s_client -connect mycompany.com:9095<BR />CONNECTED(00000003)<BR />depth=2 CN = MYROOTCA<BR />...<BR />---<BR />Certificate chain<BR />...<BR />---<BR />Server certificate<BR />-----BEGIN CERTIFICATE-----<BR />...<BR />++</P><P>All my HBASE instances have green lights inside Cloudera Manager. I do not know where to look. It looks like something internal in SDX went wrong.</P><P>Any suggestions? Thank you.</P><P>Best regards,</P> Wed, 18 Dec 2024 06:28:11 GMT Seaport 2024-12-18T06:28:11Z https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399009#M250371 <P>This issue occurred right after I enabled TLS on my CDP Private Cloud Base 7.1.7. The client call to&nbsp;HBASE Thrift API failed at TLS hanshake.</P><P>Below is the connection test output with the handshake failure.<BR />++<BR />$ openssl s_client -connect mycompany.com:9191<BR />CONNECTED(00000003)<BR />write:errno=0<BR />---<BR />no peer certificate available<BR />---<BR />No client certificate CA names sent<BR />---<BR />SSL handshake has read 0 bytes and written 287 bytes<BR />Verification: OK<BR />---<BR />New, (NONE), Cipher is (NONE)<BR />Secure Renegotiation IS NOT supported<BR />Compression: NONE<BR />Expansion: NONE<BR />No ALPN negotiated<BR />Early data was not sent<BR />Verify return code: 0 (ok)<BR />---<BR />++</P><P>My Thrift API port is 9191 (not the default 9090). This port worked well before TLS was enabled.</P><P>There should be no certificate/ca issue because the Thrift (on the same node) UI over TLS works just fine. Below is the connection test output showing a successful handshake.</P><P>++<BR />$ openssl s_client -connect mycompany.com:9095<BR />CONNECTED(00000003)<BR />depth=2 CN = MYROOTCA<BR />...<BR />---<BR />Certificate chain<BR />...<BR />---<BR />Server certificate<BR />-----BEGIN CERTIFICATE-----<BR />...<BR />++</P><P>All my HBASE instances have green lights inside Cloudera Manager. I do not know where to look. It looks like something internal in SDX went wrong.</P><P>Any suggestions? Thank you.</P><P>Best regards,</P> Wed, 18 Dec 2024 06:28:11 GMT https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399009#M250371 Seaport 2024-12-18T06:28:11Z https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399037#M250378 <P>It appeared that the Thrift Server did not start completely, although it has a green light in Cloudera Manager. Inside the log&nbsp;hbase-cmf-hbase-HBASETHRIFTSERVER-mynode.log.out, there is no entry to acknowledge the start like</P><P>++<BR /><SPAN>org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@180e6ac4{SSL, (ssl, http/1.1)}{0.0.0.0:9191}</SPAN><BR />++</P><P>But I have no idea why the starting ended up incomplete. Therer was no warning or error from either the log or the Cloudera Manager UI.</P><P>Thank you.</P><P>&nbsp;</P> Wed, 18 Dec 2024 22:09:15 GMT https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399037#M250378 Seaport 2024-12-18T22:09:15Z https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399170#M250425 <P>Additional connection tests show that port 9191 still works on unencrypted connections, although&nbsp;"TLS/SSL for HBase Thrift Server over HTTP" is enabled. Neither the log nor the Cloudera Manager UI gave any warnings or errors<SPAN>.</SPAN></P> Thu, 19 Dec 2024 19:22:27 GMT https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/399170#M250425 Seaport 2024-12-19T19:22:27Z https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/400284#M250794 <P><SPAN>The issue was resolved after I checked&nbsp;the "Enable HBase Thrift Http Server" property in HBase configuration.&nbsp;</SPAN><SPAN>It turned out that the TLS implementation for the thrift server on CDP HBase is done at http layer, not at the Transport layer.&nbsp;</SPAN></P> Mon, 13 Jan 2025 19:17:13 GMT https://community.cloudera.com/t5/Support-Questions/HBASE-Thrift-API-failed-at-TLS-hanshake/m-p/400284#M250794 Seaport 2025-01-13T19:17:13Z