
Cannot run jobs with Kerberos after upgrading to JDK 1.8.

New Contributor

Hello, 

 

I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts ok but when I try to run a job from Talend the following error appears in HDFS Name Node log:

 

2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]

 

If I go back to JDK 1.7 it runs perfectly.

I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones).

I think I have JCE and java.security correctly configured.

 

We do not want to allow DES CBC in the KDC since it is a weak algorithm.

 

Has it happened to anyone?

 

Thanks in advance,

 

Ángel

1 ACCEPTED SOLUTION

New Contributor

I have found the cause. It seems that Cloudera always uses the /etc/krb5.conf file; in fact, if I changed this file to restrict the algorithms, Cloudera would not come up. But jobs running inside Cloudera look for the /etc/krb5/krb5.conf file. Once I created this file and added the following line to it, it started to work properly:

allow_weak_crypto = true 

Note: It was necessary to remove "MD5" from jdk.tls.disabledAlgorithms and java.security.

3 REPLIES 3

Master Guru

@Aorosa In my opinion, you should check the kdc.conf file for supported_enctypes; you can use any etype mentioned there.


Cheers!

New Contributor

Hello, @GangWar , thank you for your answer.

 

The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another. I mean, using JDK 1.7 it worked without any further configuration, but after upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5.

 

Tickets generated manually with kinit use aes256-cts-hmac-sha1-96 encryption; I don't know if I can change this behaviour or if it is even configurable.

 

Thanks.

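Added example, not code from any poster in this thread: a small check that reads the two krb5.conf locations mentioned above and reports whether `allow_weak_crypto` is enabled or a weak enctype is listed in `[libdefaults]`. The function names `audit_krb5` and `audit_host` are hypothetical, the weak-enctype list is assumed from the MIT Kerberos documentation, and the sample file content is constructed.

```python
import re
from pathlib import Path

# Paths named in the thread; the poster created the second one.
KRB5_PATHS = ["/etc/krb5.conf", "/etc/krb5/krb5.conf"]
# Enctypes the MIT Kerberos documentation marks as weak (assumed list).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp", "rc4-hmac-exp",
        "arcfour-hmac-md5-exp"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
TRUE_VALUES = ("true", "t", "yes", "y", "on", "1")

def audit_krb5(text):
    """Return findings for the [libdefaults] section of one krb5.conf."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append("allow_weak_crypto enabled")
        elif key in ENCTYPE_KEYS:
            # "-name" removes an enctype from the list, so it never matches WEAK.
            for tok in re.split(r"[\s,]+", value.lower()):
                if tok.lstrip("+") in WEAK:
                    findings.append(f"{key} lists weak enctype {tok.lstrip('+')}")
    return findings

def audit_host(paths=KRB5_PATHS):
    """Audit each krb5.conf that exists; a missing file maps to None."""
    return {p: audit_krb5(Path(p).read_text()) if Path(p).is_file() else None
            for p in paths}

# Constructed sample resembling the file described in the accepted solution.
SAMPLE = """\
[libdefaults]
  allow_weak_crypto = true
  permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5
"""

if __name__ == "__main__":
    print(audit_krb5(SAMPLE))
```

Calling `audit_host()` on a cluster node shows which of the two files exists there and what each one permits, which makes a difference between the service configuration and the job configuration visible.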