https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/39157#M23993 <P>&nbsp;</P><P>&nbsp;</P><P>Cluster having the rest encryption enabled, I am able to create keys using "#hdfs key create mykey1" but not able to create encryption&nbsp;zone on hdfs&nbsp;directories.</P><P>Please find below steps for reference&nbsp;</P><P>&nbsp;</P><P>-bash-4.1$ hadoop key list<BR />Listing keys for KeyProvider: KMSClientProvider[<A href="https://fqdn:16000/kms/v1/" target="_blank">https://fqdn:16000/kms/v1/</A>]<BR />mykey2<BR />mykey1&nbsp;</P><P>&nbsp;</P><P>I got below error when I am going to assign encryption zone to hdfs empty dir.</P><P>&nbsp;</P><P>-sh-4.1$ hdfs crypto -createZone -keyName&nbsp; mykey1 -path /user/xxxx/zone1</P><P>RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</P> Fri, 16 Sep 2022 10:11:38 GMT Vikas1 2022-09-16T10:11:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/39157#M23993 <P>&nbsp;</P><P>&nbsp;</P><P>Cluster having the rest encryption enabled, I am able to create keys using "#hdfs key create mykey1" but not able to create encryption&nbsp;zone on hdfs&nbsp;directories.</P><P>Please find below steps for reference&nbsp;</P><P>&nbsp;</P><P>-bash-4.1$ hadoop key list<BR />Listing keys for KeyProvider: KMSClientProvider[<A href="https://fqdn:16000/kms/v1/" target="_blank">https://fqdn:16000/kms/v1/</A>]<BR />mykey2<BR />mykey1&nbsp;</P><P>&nbsp;</P><P>I got below error when I am going to assign encryption zone to hdfs empty dir.</P><P>&nbsp;</P><P>-sh-4.1$ hdfs crypto -createZone -keyName&nbsp; mykey1 -path /user/xxxx/zone1</P><P>RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</P> Fri, 16 Sep 2022 10:11:38 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/39157#M23993 Vikas1 2022-09-16T10:11:38Z https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/39316#M23994 <P>Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing kerberos credentials</P><P>After changes done, I got below output.</P><P>-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1</P><P>Added encryption zone /user/vgadade/zone1</P><P>-bash-4.1$</P> Mon, 04 Apr 2016 12:54:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/39316#M23994 Vikas1 2016-04-04T12:54:40Z https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/77204#M23995 <P>Thanks for the solution. But do you know the true reason for enable&nbsp;<SPAN>HTTP Web-Consoles (HDFS)?&nbsp;</SPAN></P> Fri, 20 Jul 2018 07:48:32 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/77204#M23995 manuh 2018-07-20T07:48:32Z https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/77249#M23996 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/25247">@manuh</a>,</P><P>&nbsp;</P><P>I recommend you start a new thread since the answer to this one doesn't really make sense.</P><P>enabling kerberos for web consoles will not help resolve a PKIX error (which occurs when a client cannot find trust for the signer of the server certificate of the server to which the client is connecting).</P><P>&nbsp;</P><P>Enabling kerberos for web-consoles will not solve TLS problems.&nbsp; Something else that was done must have resolved the issue.</P><P>&nbsp;</P><P>Enabling Kerberos Authentication for Web Consoles will require that any clients connecting to them use SPNEGO to authenticate.&nbsp; This requires browser configuration and sometimes OS-level and krb5.conf configuration changes.</P><P>It is best to plan this move carefully and make sure you know how to configure clients to use SPNEGO if you are going to enable kerberos for web consoles.</P><P>&nbsp;</P><P>If you are having any problems similar to what was described in this thread, please give us some background of what you are trying to do and what isn't working.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Ben</P> Fri, 20 Jul 2018 23:08:16 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/HDFS-rest-encryption-zone-unable-to-find-valid-certification/m-p/77249#M23996 bgooley 2018-07-20T23:08:16Z