Support Questions
Find answers, ask questions, and share your expertise

Cannot run jobs with Kerberos after upgrading to JDK 1.8.

Solved Go to solution

Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

Hello, 

 

I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts ok but when I try to run a job from Talend the following error appears in HDFS Name Node log:

 

2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]

 

If I go back to JDK 1.7 it runs perfectly.

I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones).

I think I have JCE and java.security correctly configured.

 

We do not want to allow DES CBC in the KDC since it a weak algorith.

 

Has it happened to anyone?

 

Thanks in advance,

 

Ángel

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

I have found the cause, it seems that Cloudera always use the /etc/krb5.conf file, if fact, if I changed this file to restrict the algoriths, Cloudera would not get up; but for jobs running inside Cloudera, it looks for /etc/krb5/krb5.conf file, once I created this file and add the following line to it, it started to work properly:

allow_weak_crypto = true 

 Note: It was needed to remove "MD5" from jdk.tls.disabledAlgorithms y java.security.

View solution in original post

3 REPLIES 3

Re: Cannot run jobs with Kerberos after upgrading to JDK 1.8.

Master Collaborator

@Aorosa As per my opinion you should check the kdc.conf file and then check for supported_enctypes and can use any Etype mentioned there. 


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

Hello, @GangWar , thank you for your answer.

 

The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another, I mean, using JDK 1.7 it worked withouth any further configuration, but upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5.

 

Tikets generated manually with kinit use aes256-cts-hmac-sha1-96 encription, I don't know if I can change this behaviour or if it is even configurable.

 

Thanks.

Re: Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

I have found the cause, it seems that Cloudera always use the /etc/krb5.conf file, if fact, if I changed this file to restrict the algoriths, Cloudera would not get up; but for jobs running inside Cloudera, it looks for /etc/krb5/krb5.conf file, once I created this file and add the following line to it, it started to work properly:

allow_weak_crypto = true 

 Note: It was needed to remove "MD5" from jdk.tls.disabledAlgorithms y java.security.

View solution in original post