
After Ambari 2.5.2 upgrade not able to authenticate

After upgrading Ambari from 2.2.2.0 to 2.5.2.0 and JDK 1.8, I am not able to authenticate to the KDC server. Kindly help me resolve this issue.

Error logs

Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://node1:636: simple bind failed: node1:636 Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore. Please enter admin principal and password.

Screenshot attached


Super Mentor

@Kalyan Das

Based on the error, it looks like the KDC certificates are not present inside the ambari-server's truststore. There can be a few reasons behind this, such as:

1. The certificate is actually not present inside the ambari truststore.

2. Another reason can be that the KDC certificates have changed/expired, and hence you will need to import the KDC certificate again into the ambari-server truststore, using the Ambari-Server "setup-security" option by choosing

[5] Import certificate to truststore.


https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-security/content/set_up_truststor...

@Jay Kumar SenSharma

Hi Jay,

Ambari-server is unable to authenticate either.

1) I have imported a fresh certificate from "ambari-server setup-security"

2) The KDC certificate did not expire; it has a validity up to 2019.

Can you please suggest some other options?

Super Mentor

@Kalyan Das

Can you please double-check the ambari truststore by listing the certs as follows, to see if the certificate of the KDC is actually present there?

# $JAVA_HOME/bin/keytool -list -keystore /etc/ambari-server/ambari-server-truststore 


If it is not there, then you can import the KDC certificate into it using the following command:

# $JAVA_HOME/bin/keytool -import -file /tmp/kdc-server.crt -keystore /etc/ambari-server/ambari-server-truststore -alias kdc-server


Then restart Ambari Server.

@Jay Kumar SenSharma

Hi Jay,

Here is the ambari truststore list:

[root@node1] # $JAVA_HOME/bin/keytool -list -keystore /etc/ambari-server/ambari-server-truststore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

ambari-server, Nov 6, 2017, trustedCertEntry,

Certificate fingerprint (SHA1): 35:E6:CC:35:1E:5B:82:68:83:4B:0C:EB:C2:A7:B1:58:FE:F9:29:8D

Kindly let me know if I need to check anything else.

Super Mentor

@Kalyan Das

One keystore entry is the default. Your keytool -list command says it has only one entry:

 Your keystore contains 1 entry 

This indicates that your ambari-server truststore does not have the LDAP (KDC) entry in it.

You can run the "-list" command with the "-v" (verbose) option to confirm whether your KDC entry is there or not:

[root@node1] # $JAVA_HOME/bin/keytool -list -v -keystore /etc/ambari-server/ambari-server-truststore


@Jay Kumar SenSharma

Hi Jay,

Now I have two entries. But no luck, the issue persists.

Is this related to permission being revoked from the writable container in AD?

[root@node1] # keytool -list -keystore ambari-server-truststore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 2 entries

ambari-server, Nov 6, 2017, trustedCertEntry, Certificate fingerprint (SHA1): 35:E6:CC:35:1E:5B:82:68:83:4B:0C:EB:C2:A7:B1:58:FE:F9:29:8D

kdc-server, Nov 6, 2017, trustedCertEntry, Certificate fingerprint (SHA1): 12:58:59:3C:1C:68:14:61:CE:9A:CA:32:54:A6:B8:02:D0:A4:0F:25
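As an added example (not code from the thread or from Ambari), the following POSIX shell script automates the check suggested above: it extracts the fingerprints that keytool -list reports for the Ambari truststore, then fetches the certificate chain that ldaps://node1:636 actually presents and tests whether any link of it (the leaf or its issuing CA) is among the trusted entries, which is what decides whether the LDAPS simple bind will trust the server. Host, port, truststore path and store password are parameters; JDK 8 keytool (which prints SHA1 fingerprints) and openssl on PATH are assumptions.

```shell
#!/bin/sh
# Added example: compare the chain an LDAPS/KDC endpoint presents with the Ambari truststore
# by SHA1 fingerprint. Assumes JDK 8 keytool ("Certificate fingerprint (SHA1)") and openssl.
# Constructed sample modelled on the keytool -list output posted in the thread.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
ambari-server, Nov 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 35:E6:CC:35:1E:5B:82:68:83:4B:0C:EB:C2:A7:B1:58:FE:F9:29:8D
kdc-server, Nov 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 12:58:59:3C:1C:68:14:61:CE:9A:CA:32:54:A6:B8:02:D0:A4:0F:25'

# stdin: keytool -list output. Prints one uppercase SHA1 fingerprint per trusted entry.
list_fingerprints() {
    sed -n 's/.*fingerprint (SHA1): *\([0-9A-Fa-f:]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# stdin: keytool -list output. Succeeds if fingerprint $1 (any case) is one of the entries.
fingerprint_in_truststore() {
    list_fingerprints | grep -qx "$(printf '%s' "$1" | tr 'a-f' 'A-F')"
}

# stdin: openssl s_client -showcerts output. Prints the SHA1 of every cert in the chain.
chain_fingerprints() {
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++; p=1} p{print > (d "/" n ".pem")} /END CERTIFICATE/{p=0}'
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -fingerprint -sha1 | sed 's/^.*=//'
    done
    rm -rf "$tmp"
}

# Live check: fetch the chain from host:port and report whether any link (leaf or CA) is in
# the truststore. Usage: check_ldaps_trust node1 636 /etc/ambari-server/ambari-server-truststore <storepass>
check_ldaps_trust() {
    host=$1; port=$2; store=$3; storepass=$4
    chain=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
            </dev/null 2>/dev/null | chain_fingerprints)
    [ -n "$chain" ] || { echo "no certificate chain received from $host:$port"; return 2; }
    stored=$(keytool -list -keystore "$store" -storepass "$storepass" | list_fingerprints)
    for fp in $chain; do
        if printf '%s\n' "$stored" | grep -qx "$fp"; then
            echo "OK: $fp presented by $host:$port is in $store"; return 0
        fi
    done
    echo "MISSING: none of the chain [$chain] from $host:$port is in $store"; return 1
}

if [ $# -eq 4 ]; then check_ldaps_trust "$@"; fi
```

A match only confirms that the trust material is present; if the script reports OK and the bind still fails, the cause lies outside the truststore. On JDK 9+ keytool prints SHA-256 fingerprints, so the sed pattern and the openssl -sha1 option would need to change together.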
