oozie cli doesn't work after enabling tls option

andrzej_jedrzej — Fri, 16 Sep 2022 10:39:32 GMT

Hi Guys,

I have a problem with oozie on my cloudera cluster. I enabled TLS encryption for admin console and Agents. I specified Keystore and Truststore File location and passwords in configuration tab for oozie.

When i try to curl oozie:

oozie admin -oozie https://ukgs2hdm02.cwglobal.local:11443/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. 
No of retries = 1. Exception = sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was thinking about importing host certificate to a default java keystore but find this:

/opt/jdk1.7.0_79/jre/lib/security/cacerts
/opt/cloudera/parcels/CDH-5.5.4-1.cdh5.5.4.p0.9/lib/hue/build/env/lib/python2.6/site-packages/boto-2.38.0-py2.6.egg/boto/cacerts
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security/cacerts
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/security/cacerts
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.39.x86_64/jre/lib/security/cacerts
/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts
/usr/java/jdk1.6.0_31/jre/lib/security/cacerts
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/java/cacerts

and I don't know which one should I use?

Here are my files related to cert:

-rw-r-----. 1 root         tls  1996 May 31 13:08 cdh_host.key
-rw-r-----. 1 root         tls  2159 May 31 13:08 cdh_host.keystore
-r--r-----. 1 oozie        tls  2159 Sep 13 09:45 cdh_host.oozie.keystore
-rw-r-----. 1 root         tls  1123 May 31 13:08 cdh_host.pem
-r-xr--r--. 1 cloudera-scm tls  8754 Sep  7 13:39 truststore.jks
-rw-r-----. 1 root         tls 11961 Sep  7 13:39 truststore.pem
-rw-r-----. 1 root         tls   789 May 31 13:08 ukgs2hdm02.cwglobal.local.cer

oozie keystore is the same as the host keystore.

I have added certificate to all default java truststores and still the same problem.

Oozie web console works just fine.

Any ideas?

Re: oozie cli doesn't work after enabling tls option

andrzej_jedrzej — Thu, 15 Sep 2016 16:11:51 GMT

Solved. I missed one of the java default truststore files..........

Re: oozie cli doesn't work after enabling tls option

nur.majid — Fri, 27 Oct 2017 07:58:00 GMT

Hi @andrzej_jedrzej, can you explain how can you solve this problem?

thank you.

Re: oozie cli doesn't work after enabling tls option

NITHINJ — Thu, 09 Nov 2017 19:50:09 GMT

can you explain how did you resolve this issue.

Re: oozie cli doesn't work after enabling tls option

andrzej_jedrzej — Wed, 06 Dec 2017 10:50:45 GMT

You have to update the default java truststore with your certs, e.g. root CA.
Are you using self-signed certs?

Re: oozie cli doesn't work after enabling tls option

sparamas — Tue, 17 Jul 2018 17:42:04 GMT

Hi, am using self signed certificates and tried to enable TLS parameters to all the services, so except Oozie. Oozie is showing some health issues, Oozie webserver cannot be communicated.

question Re: oozie cli doesn't work after enabling tls option in Archives of Support Questions (Read Only)

oozie cli doesn't work after enabling tls option

Re: oozie cli doesn't work after enabling tls option

Re: oozie cli doesn't work after enabling tls option

Re: oozie cli doesn't work after enabling tls option

Re: oozie cli doesn't work after enabling tls option

Re: oozie cli doesn't work after enabling tls option