question Re: how to rollback cloudera manager tls configuration without UI in Archives of Support Questions (Read Only)

how to rollback cloudera manager tls configuration without UI

kliu — Mon, 18 Nov 2019 14:10:12 GMT

Need help urgently.

Hi, Today I configured Cloudera Manager 5.4.1 to use HTTPS by following

http://www.cloudera.com/documentation/enterprise/5-4-x/topics/cm_sg_tls_browser.html#concept_hrs_f5d

I used self-signed certificate described in http://www.cloudera.com/documentation/enterprise/5-4-x/topics/sg_self_signed_tls.html#xd_583c10bfdbd

However, after restarting cloudera-scm-server, I could not open the cloudera manager in browser.

“Openssl s_client –connect “’ indicated the ssl connection was fine, but the browser always timed out. I’ve tried different browsers and cleaned the cache etc. Still the same. At this point, I would rather to roll it back.

Is there a way to rollback the changes to use Http again? Since I cannot access the cloudera manger UI, I can only do it thru command line. Does anyone know where the configuration is stored and how to change it?

Please Help! Thanks!

Re: how to rollback cloudera manager tls configuration without UI

bgooley — Wed, 19 Oct 2016 23:43:06 GMT

I would recommend reviewing the Cloudera Manager log for clues, but, for now, access your Cloudera Manager database and run the following:

delete from CONFIGS where ATTR='web_tls';

This will disable TLS for the CM UI

Afterward, try starting again.

If that doesn't help, let us know.

Re: how to rollback cloudera manager tls configuration without UI

kliu — Thu, 20 Oct 2016 00:13:22 GMT

Thanks, that worked perfectly! Appreciated your quick help.

Re: how to rollback cloudera manager tls configuration without UI

SriniBI — Fri, 30 Dec 2016 23:33:32 GMT

How to find the cloudera manager DB credentials? I do have the same issue. Not able to login to web UI after TLS configuration

Re: how to rollback cloudera manager tls configuration without UI

MrBee — Tue, 31 Jan 2017 14:18:24 GMT

I had a similar problem. I had enabled the agent_tls, but the keystore field was not filled or the file was on a different location. Now the server did not start anymore. I needed to rollback the setting, thx for your post.

I used mysql tool on the command-line to connect as root to MySQL db, and executed an update:

use scm;
update CONFIGS set VALUE='false' where ATTR='agent_tls';
Query OK, 1 row affected (0.05 sec)

After a restart of cloudera-scm-server, the server was working again and I could enter the UI.

Re: how to rollback cloudera manager tls configuration without UI

kchaitanya — Mon, 10 Apr 2017 11:47:46 GMT

Urgent

@bgooleyThis not helped me. Its giving below

scm=# delete from CONFIGS where ATTR='web_tls';
DELETE 0

Can you give any other fix

Re: how to rollback cloudera manager tls configuration without UI

bgooley — Mon, 10 Apr 2017 15:04:24 GMT

@kchaitanya,

If that did not help, then it is likely there is another problem.

Please start a new thread and outline what you are trying to do and what is happening.

Also, make sure to review your /var/log/cloudera-scm-server/cloudera-scm-server.log for clues about what problem is occurring.

-Ben

Re: how to rollback cloudera manager tls configuration without UI

kchaitanya — Tue, 11 Apr 2017 02:42:08 GMT

Thank you for the reply @bgooley, i fixed it by running below command

delete from CONFIGS where ATTR='agent_tls';

Thank you

Re: how to rollback cloudera manager tls configuration without UI

bgooley — Tue, 11 Apr 2017 20:40:20 GMT

@kchaitanya,

Indeed, if agent_tls is enabled even without web_tls and there is a problem with the certificate or trust store, then you would need to turn off agent_tls.

A big thanks for sharing that solution!

Re: how to rollback cloudera manager tls configuration without UI

ram76 — Fri, 15 Nov 2019 07:46:58 GMT

DB credential can be found here /etc/cloudera-scm-server/db.properties.

Re: how to rollback cloudera manager tls configuration without UI

mksl — Sat, 18 Jul 2020 02:39:16 GMT

Urgent and this for CDP 7.1

I ran below commands against scm database:

delete from CONFIGS where ATTR='web_tls';
delete from CONFIGS where ATTR='agent_tls';

But still seeing below in the Cloudera Manager logs:

2020-07-17 22:30:44,886 INFO MainThread:com.cloudera.server.cmf.Main: Successfully completed Auto Upgrade
2020-07-17 22:30:44,978 INFO MainThread:com.cloudera.server.cmf.Main: Agent RPC connections will use port: 7182
2020-07-17 22:30:44,978 INFO MainThread:com.cloudera.server.cmf.Main: Agent TLS certificates will be validated.
2020-07-17 22:30:44,985 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: Max heartbeat processing thread: 6 and Max threads for CM agent avro http connector: 120
2020-07-17 22:30:45,029 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: HttpConnectorServer port=7182
2020-07-17 22:30:45,029 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: HttpConnectorServer IdleTime=300000
2020-07-17 22:30:45,058 INFO MainThread:org.eclipse.jetty.server.Server: jetty-9.4.14.v20181114; built: 2018-11-14T21:20:31.478Z; git: c4550056e785fb5665914545889f21dc136ad9e6; jvm 1.8.0_181-b13
2020-07-17 22:30:45,081 WARN MainThread:org.eclipse.jetty.security.SecurityHandler: ServletContext@o.e.j.s.ServletContextHandler@62408bf4{/,null,STARTING} has uncovered http methods for path: /*
2020-07-17 22:30:45,089 INFO MainThread:org.eclipse.jetty.server.handler.ContextHandler: Started o.e.j.s.ServletContextHandler@62408bf4{/,null,AVAILABLE}
2020-07-17 22:30:45,093 ERROR MainThread:com.cloudera.server.cmf.Main: Failed to start Agent listener.
2020-07-17 22:30:45,093 ERROR MainThread:com.cloudera.server.cmf.Main: Server failed.
org.apache.avro.AvroRuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:224)
at com.cloudera.server.cmf.Main.startAgentServer(Main.java:590)
at com.cloudera.server.cmf.Main.run(Main.java:646)
at com.cloudera.server.cmf.Main.main(Main.java:247)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1137)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:313)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:248)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:394)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:222)
... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 25 more
2020-07-17 22:30:54,291 INFO ScmActive-0:com.cloudera.server.cmf.components.ScmActive: ScmActive completed successfully.
2020-07-17 22:31:09,276 INFO pool-201-thread-1:com.cloudera.server.cmf.components.CmServerStateSynchronizer: Cleanup is started.

Still not able to access the Cloudera Manager UI, please assist.

Re: how to rollback cloudera manager tls configuration without UI

K_P — Thu, 26 Nov 2020 00:22:29 GMT

Today I ran into this same issue but the solutions in the post didn't resolve the problem. I found each time you would start cloudera-scm-server (sudo systemctl start cloudera-scm-server) it would just add the entries back to the database we are instructed to delete.

The following did resolve the problem -

Edit /var/lib/cloudera-scm-server/certmanager/cm_init.txt

Change the following top 3 lines from true to false as follows.

setsettings AGENT_TLS false

setsettings WEB_TLS false

setsettings NEED_AGENT_VALIDATION false

Then stop and start the cloudera-scm-server.

This time you will see the entries back in the DB but they'll be set to false.

On the database server you can run the following to confirm they are set to false now.

select * from CONFIGS where ATTR='web_tls';

select * from CONFIGS where ATTR='agent_tls';