question After enabling HTTPS to CM, monitors stopped working in Archives of Support Questions (Read Only)

After enabling HTTPS to CM, monitors stopped working

IgorYakushin — Thu, 23 Feb 2017 05:24:51 GMT

After configuring TLS with self-signed certificates up to "Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties", various CM monitoring services stopped working: Activity Monitor, Even Server, Host Monitor, Reports Manager, Service Monitor. Is it normal?

The log /var/log/cloudera-scm-eventserver/mgmt-cmf-mgmt-EVENTSERVER-md01.rcc.local.log.out says:

======

Failed to publish event: SimpleEvent{attributes={ROLE_TYPE=[EVENTSERVER], EXCEPTION_TYPES=[javax.net.ssl.SSLHandshakeException, sun.security.validator.ValidatorException, sun.security.provider.certpath.SunCertPathBuilderException], HOST_IDS=[21488217-80d2-404d-8ae9-061472dc8314], STACKTRACE=[javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
======

I guess, it means that each host needs to know where to find its keystore (during the first 2 steps the path was only given for CM host)? Would this be solved in the next Level 1 steps when agents are configured or do I need to fix it somehow now before proceeding to the next steps? For example, provide a path to a truststore (which would be the same for all the hosts? during the configuration I only provided a path to the keystore on CM machine and its password).

The web login to CM indeed became https. I have not tested the rest of the services but CM shows green status for all of them.

Re: After enabling HTTPS to CM, monitors stopped working

bgooley — Thu, 23 Feb 2017 21:00:56 GMT

Hello @IgorYakushin,

After enabling TLS for the Cloudera Manager UI, the management services will need to know where to find trust for the signer of Cloudera Manager's Certificate. The management service roles contact Cloudera Manager to download information regarding the cluster, so if that information cannot be downloaded, the management service roles will fail.

To configure the truststore used by the Management Service roles, see this documentaiton:

https://www.cloudera.com/documentation/enterprise/latest/topics/how_to_configure_cm_tls.html#xd_583c10bfdbd326ba-7dae4aa6-147c30d0933--7a61

(you need to perform steps 2 and 3 in the Enable HTTPS for the Cloudera Manager Admin Console section)

Regards,

Ben

Re: After enabling HTTPS to CM, monitors stopped working

IgorYakushin — Thu, 23 Feb 2017 21:32:00 GMT

Thank you Ben. That worked.

Apparently I was reading older version of the documention where Step 3 (letting CM know where truststore is) is not mentioned. I tried to put it on the same web page where keystore was and that did not work. I did not realize there is yet another page to specify truststore.

Igor