Contributor
Posts: 40
Registered: ‎06-12-2017
Accepted Solution

issue with cloudera management services after configuring TLS

Hi everybody,

I just tried to configure TLS level 1. After I restart the cloudera-scm-server I have this error and I can't access the manager web interface.

2017-07-18 15:02:32,325 WARN MainThread:org.mortbay.log: failed Server@4672853b: java.io.FileNotFoundException: /var/lib/cloudera-scm-server/.keystore (Aucun fichier ou dossier de ce type)
2017-07-18 15:02:32,326 ERROR MainThread:com.cloudera.server.cmf.Main: Failed to start Agent listener.
2017-07-18 15:02:32,333 ERROR MainThread:com.cloudera.server.cmf.Main: Server failed.
org.apache.avro.AvroRuntimeException: java.io.FileNotFoundException: /var/lib/cloudera-scm-server/.keystore (Aucun fichier ou dossier de ce type)
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:89)
        at com.cloudera.server.cmf.Main.startAgentServer(Main.java:572)
        at com.cloudera.server.cmf.Main.startAvro(Main.java:483)
        at com.cloudera.server.cmf.Main.run(Main.java:620)
        at com.cloudera.server.cmf.Main.main(Main.java:217)
Caused by: java.io.FileNotFoundException: /var/lib/cloudera-scm-server/.keystore (Aucun fichier ou dossier de ce type)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:146)
        at org.mortbay.resource.FileResource.getInputStream(FileResource.java:275)
        at org.mortbay.jetty.security.SslSelectChannelConnector.createSSLContext(SslSelectChannelConnector.java:639)
        at org.mortbay.jetty.security.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:613)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at org.mortbay.jetty.Server.doStart(Server.java:235)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:87)
        ... 4 more

This is the tutorial I use: https://www.cloudera.com/documentation/enterprise/5-11-x/topics/cm_sg_config_tls_encr.html#topic_2

How can I resolve it?

Posts: 642
Topics: 3
Kudos: 118
Solutions: 67
Registered: ‎08-16-2016

Re: issue with cloudera management services after configuring TLS

Did you read and complete Step 0?

https://www.cloudera.com/documentation/enterprise/5-11-x/topics/cm_sg_tls_browser.html#xd_583c10bfdb...

This will have you create or obtain a server certificate and put it in a Java keystore. If yes, is it located in the path listed in the exception, /var/lib/cloudera-scm-server/.keystore? If yes, is it owned by the user that is trying to launch the cloudera-scm-server process, which should be cloudera-scm?

Contributor
Posts: 40
Registered: ‎06-12-2017

Re: issue with cloudera management services after configuring TLS

Thanks for your response. I performed level 0 using a self-signed certificate:

https://www.cloudera.com/documentation/enterprise/5-11-x/topics/sg_self_signed_tls.html#sg_self_sign...

My keystore is in /opt/cloudera/security/jks.

Can I simply move it to /var/lib/cloudera-scm-server/.keystore?


Posts: 642
Topics: 3
Kudos: 118
Solutions: 67
Registered: ‎08-16-2016

Re: issue with cloudera management services after configuring TLS

Yes. Move it and ensure that the user running the cloudera-scm-server has read access to it.
Contributor
Posts: 40
Registered: ‎06-12-2017

Re: issue with cloudera management services after configuring TLS

Thanks for your reply.

After moving the keystore into .keystore I have a new error when I restart the manager:

2017-07-19 14:46:50,695 ERROR MainThread:com.cloudera.server.cmf.Main: Failed to start Agent listener.
2017-07-19 14:46:50,695 ERROR MainThread:com.cloudera.server.cmf.Main: Server failed.
org.apache.avro.AvroRuntimeException: java.io.FileNotFoundException: /var/lib/cloudera-scm-server/.keystore (est un dossier)
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:89)
        at com.cloudera.server.cmf.Main.startAgentServer(Main.java:572)
        at com.cloudera.server.cmf.Main.startAvro(Main.java:483)
        at com.cloudera.server.cmf.Main.run(Main.java:620)
        at com.cloudera.server.cmf.Main.main(Main.java:217)
Caused by: java.io.FileNotFoundException: /var/lib/cloudera-scm-server/.keystore (est un dossier)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:146)
        at org.mortbay.resource.FileResource.getInputStream(FileResource.java:275)
        at org.mortbay.jetty.security.SslSelectChannelConnector.createSSLContext(SslSelectChannelConnector.java:639)
        at org.mortbay.jetty.security.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:613)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at org.mortbay.jetty.Server.doStart(Server.java:235)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:87)
        ... 4 more
Contributor
Posts: 40
Registered: ‎06-12-2017

Re: issue with cloudera management services after configuring TLS

I think I am getting confused.

Do you have a procedure to help me?

Posts: 642
Topics: 3
Kudos: 118
Solutions: 67
Registered: ‎08-16-2016

Re: issue with cloudera management services after configuring TLS

I do not, beyond the Cloudera docs. I have not seen the second error. The Google translation I got was FileNotFoundException (is a record).

To validate that the keystore is good, can you run the below command?

keytool -v -list -keystore /var/lib/cloudera-scm-server/.keystore
Contributor
Posts: 40
Registered: ‎06-12-2017

Re: issue with cloudera management services after configuring TLS

When I enter the command:

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 1 entrée(s)

Nom d'alias : cmhost
Date de création : 17 juil. 2017
Type d'entrée : PrivateKeyEntry
Longueur de chaîne du certificat : 1

After I restarted the service I have this error:


2017-07-20 09:03:24,082 ERROR MainThread:com.cloudera.server.cmf.Main: Failed to start Agent listener.
2017-07-20 09:03:24,083 ERROR MainThread:com.cloudera.server.cmf.Main: Server failed.
org.apache.avro.AvroRuntimeException: java.security.UnrecoverableKeyException: Password must not be null
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:89)
        at com.cloudera.server.cmf.Main.startAgentServer(Main.java:572)
        at com.cloudera.server.cmf.Main.startAvro(Main.java:483)
        at com.cloudera.server.cmf.Main.run(Main.java:620)
        at com.cloudera.server.cmf.Main.main(Main.java:217)
Caused by: java.security.UnrecoverableKeyException: Password must not be null
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:124)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
        at java.security.KeyStore.getKey(KeyStore.java:792)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
        at org.mortbay.jetty.security.SslSelectChannelConnector.createSSLContext(SslSelectChannelConnector.java:651)
        at org.mortbay.jetty.security.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:613)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at org.mortbay.jetty.Server.doStart(Server.java:235)
        at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
        at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:87)
        ... 4 more
Contributor
Posts: 40
Registered: ‎06-12-2017

Re: issue with cloudera management services after configuring TLS

Is there a way to cancel all the configuration I have done in Cloudera Manager? I want to restart the configuration from level 0.

Posts: 642
Topics: 3
Kudos: 118
Solutions: 67
Registered: ‎08-16-2016

Re: issue with cloudera management services after configuring TLS

Aww, I can work with "Password must not be null". I assume that the keytool command did not prompt you for a password. This means that the Java keystore and possibly the private key are not password protected. Most services require that a password be set. The challenge here is whether you specified a password in the Cloudera Manager configs. If yes, and you recall it, you can recreate the key and cert in the JKS with that password and bring CM up.

Note: the key and JKS password must be the same, CM assumes they are.

To revert, you will need to log into the CM database and manually modify it. Let me track down those instructions.
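
The three startup failures quoted in this thread (keystore file missing, keystore path is a directory, null key password) can be checked before restarting cloudera-scm-server. The script below is an added example, not part of the original posts or of Cloudera's tooling; the function names and the KS_PASS variable are assumptions, and it relies on the reply's statement that the key and keystore passwords must be the same.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical; the
# path and the cmhost alias are the ones quoted in the posts above.

# Classify the keystore path. Prints: missing | directory | empty | unreadable | ok
keystore_path_state() {
    local ks="$1"
    if   [ ! -e "$ks" ]; then echo missing      # "Aucun fichier ou dossier de ce type"
    elif [ -d "$ks" ];   then echo directory    # "est un dossier" = "is a directory"
    elif [ ! -s "$ks" ]; then echo empty
    elif [ ! -r "$ks" ]; then echo unreadable   # for the user running this script
    else echo ok
    fi
}

# Check that one password opens both the store and the private key entry.
# The password is read from the exported KS_PASS variable, so it stays out of
# the process list. Prints: no-keytool | bad-store-pass | bad-key-pass | ok
keystore_password_state() {
    local ks="$1" entry="$2" tmp state=bad-key-pass
    command -v keytool >/dev/null 2>&1 || { echo no-keytool; return; }
    keytool -list -keystore "$ks" -storepass:env KS_PASS >/dev/null 2>&1 \
        || { echo bad-store-pass; return; }
    tmp="$(mktemp -d)"   # mode 0700 scratch directory, removed below
    # Copying the entry into a scratch store forces keytool to decrypt the key.
    if keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcalias "$entry" \
        -srcstorepass:env KS_PASS -srckeypass:env KS_PASS \
        -destkeystore "$tmp/probe.jks" \
        -deststorepass:env KS_PASS -destkeypass:env KS_PASS >/dev/null 2>&1
    then state=ok
    fi
    rm -rf "$tmp"
    echo "$state"
}

# Run the checks only when a keystore path is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "path: $(keystore_path_state "$1")"
    if [ -n "${KS_PASS:-}" ]; then
        echo "password: $(keystore_password_state "$1" "${2:-cmhost}")"
    fi
fi
```

Run it as the cloudera-scm user with the keystore path as the first argument, so the readability result reflects the account that starts the server; export KS_PASS first to include the password check.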
