New Contributor
Posts: 1
Registered: ‎11-02-2018

Running OOZIE java client with SSL from a machine which is not part of hadoop cluster/edgenode

Hi,

I am trying to trigger an Oozie workflow from the Java client, which runs on a machine that is not part of the Hadoop cluster.

The Oozie installation on the cluster has SSL configured, and when I run my Oozie Java client on the remote machine (not part of the cluster or an edge node), I get the error below:

  IO_ERROR : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When I try the same code on the edge node (part of the Hadoop cluster), the code runs successfully.

Can I get details on how to run the Oozie client from a remote machine, and how can I resolve the certificate/authorization issue?

Note: I have tried setting the certificate conf in the code, and that does not work for me.

The Hadoop cluster has Cloudera.

Cloudera Employee
Posts: 70
Registered: ‎04-03-2017

Re: Running OOZIE java client with SSL from a machine which is not part of hadoop cluster/edgenode

Hi,

The reason you are facing this issue is that the JDK cacerts doesn't have the truststore certificates for your Oozie SSL.

So, for the client from which you are running the Oozie job, you need to merge the truststore certificates into the JDK package.

Instructions:

  1. Copy or download the root CA cert file (.cert or .pem) onto each client machine.
    * NOTE: Repeat these steps for each client machine.
  2. Run the following command to import the certificate into the JRE's keystore. This allows any Java program, including the Oozie client, to connect to the Oozie Server using the certificate.
    sudo keytool -import -alias tomcat -file path/to/certificate.cert -keystore ${JRE_cacerts}
  • Where ${JRE_cacerts} is the path to the JRE's certs file.
  • The file location may differ depending on the operating system (it is typically called cacerts and located at ${JAVA_HOME}/lib/security/cacerts, but may be under a different directory in ${JAVA_HOME}).
  • Important: Create a backup copy of the cacerts file.
  • The default password is changeit.

After merging this, you can run the Oozie jobs.

Regards

Nitish
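
The import procedure from the answer above, as an added shell example that is not part of the original thread: it locates cacerts, makes the backup copy, displays the certificate before it is trusted, and confirms the alias afterwards. The alias oozie-root-ca and the function names are assumptions; the two candidate paths are the usual JRE/JDK 9+ and JDK 8 layouts.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: JAVA_HOME is set;
# the alias "oozie-root-ca" and all function names are hypothetical.

# Print the path of the trust store under the given Java home.
find_cacerts() {
    for candidate in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "cacerts not found under $1" >&2
    return 1
}

# Copy the trust store to a timestamped backup and print the backup path.
backup_cacerts() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$backup" && printf '%s\n' "$backup"
}

# Show the certificate, import it, then confirm the alias is present.
import_oozie_ca() {
    cert="$1"; store="$2"; alias_name="${3:-oozie-root-ca}"
    # Subject, issuer and fingerprints: compare them with the values
    # obtained from the cluster administrator before trusting the CA.
    keytool -printcert -file "$cert" || return 1
    # No -noprompt: keytool asks for the store password and for confirmation.
    keytool -import -alias "$alias_name" -file "$cert" -keystore "$store" || return 1
    keytool -list -alias "$alias_name" -keystore "$store"
}

main() {
    store=$(find_cacerts "${JAVA_HOME:?JAVA_HOME must be set}") || return 1
    saved=$(backup_cacerts "$store") || return 1
    echo "Backed up $store to $saved"
    import_oozie_ca "$1" "$store"
}

# Usage: sh import_oozie_ca.sh path/to/certificate.cert
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it with the same privileges as the command in the answer, since the system cacerts file is normally writable only by root. If the import has to be undone, copy the backup file back over cacerts.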
