Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

Hello,

I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts OK, but when I try to run a job from Talend the following error appears in the HDFS Name Node log:

2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]

If I go back to JDK 1.7 it runs perfectly.

I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones).

I think I have JCE and java.security correctly configured.

We do not want to allow DES CBC in the KDC since it is a weak algorithm.

Has it happened to anyone?

Thanks in advance,

Ángel

1 ACCEPTED SOLUTION

New Contributor

I have found the cause. It seems that Cloudera always uses the /etc/krb5.conf file; in fact, if I changed this file to restrict the algorithms, Cloudera would not come up. But for jobs running inside Cloudera, it looks for the /etc/krb5/krb5.conf file. Once I created this file and added the following line to it, it started to work properly:

allow_weak_crypto = true

Note: It was necessary to remove "MD5" from jdk.tls.disabledAlgorithms and java.security.


3 REPLIES 3

Master Guru

@Aorosa In my opinion, you should check the kdc.conf file, then check supported_enctypes; you can use any etype mentioned there.


Cheers!

New Contributor

Hello, @GangWar, thank you for your answer.

The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another. I mean, using JDK 1.7 it worked without any further configuration, but after upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5.

Tickets generated manually with kinit use aes256-cts-hmac-sha1-96 encryption; I don't know if I can change this behaviour or if it is even configurable.

Thanks.
