Created 04-04-2021 08:16 AM
Hello,
I have just upgraded the JDK version of my Cloudera 5.10 cluster from 1.7 to 1.8 and everything starts ok but when I try to run a job from Talend the following error appears in HDFS Name Node log:
2021-03-22 13:11:32,711 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 69.117.42.187 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: DES CBC mode with MD5 encryption type not in permitted_enctypes list)]]
If I go back to JDK 1.7 it runs perfectly.
I have tried with 1.8.201 and also with 1.8.91 (since this was one of the tested ones).
I think I have JCE and java.security correctly configured.
We do not want to allow DES CBC in the KDC since it is a weak algorithm.
Has it happened to anyone?
Thanks in advance,
Ángel
Created 04-19-2021 08:22 AM
I have found the cause. It seems that Cloudera always uses the /etc/krb5.conf file; in fact, if I changed this file to restrict the algorithms, Cloudera would not come up. But for jobs running inside Cloudera, it looks for the /etc/krb5/krb5.conf file. Once I created this file and added the following line to it, it started to work properly:
allow_weak_crypto = true
Note: It was necessary to remove "MD5" from jdk.tls.disabledAlgorithms and java.security.
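An audit of the situation described in this answer, as an added example that is not part of the original post: it parses the [libdefaults] section of each krb5.conf copy and reports where allow_weak_crypto or a weak enctype is enabled, so a divergence between /etc/krb5.conf and /etc/krb5/krb5.conf becomes visible. The file contents are constructed samples and the function names are hypothetical.

```python
import re

# Enctype names the MIT krb5 documentation marks as weak (gated by allow_weak_crypto).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes",
                "default_tgs_enctypes")
TRUE_VALUES = ("true", "yes", "on", "1", "y", "t")

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """Report the weak-crypto settings found in one krb5.conf."""
    cfg = libdefaults(text)
    weak = {k: sorted(set(re.split(r"[,\s]+", cfg[k].lower())) & WEAK)
            for k in ENCTYPE_KEYS if k in cfg}
    allow = cfg.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    return {"allow_weak_crypto": allow,
            "weak_enctypes": {k: v for k, v in weak.items() if v}}

def diverging(files):
    """Paths whose audit result differs from that of the first file."""
    results = {path: audit(text) for path, text in files.items()}
    base = next(iter(results.values()))
    return [path for path, result in results.items() if result != base]

# Constructed sample contents for the two paths named in the thread.
SAMPLE = {
    "/etc/krb5.conf": "[libdefaults]\n default_realm = EXAMPLE.COM\n"
                      " permitted_enctypes = aes256-cts-hmac-sha1-96\n",
    "/etc/krb5/krb5.conf": "[libdefaults]\n allow_weak_crypto = true\n",
}

if __name__ == "__main__":
    for path, text in SAMPLE.items():
        print(path, audit(text))
    print("diverging:", diverging(SAMPLE))
```

To check a real host, read each file that exists and pass a path-to-text mapping to `diverging()`.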
Created 04-11-2021 01:40 AM
@Aorosa In my opinion, you should check the kdc.conf file for supported_enctypes; you can use any etype mentioned there.
Created 04-12-2021 05:19 AM
Hello, @GangWar , thank you for your answer.
The problem is that I do not know why it is trying to use this algorithm or where I can configure it to use another. I mean, using JDK 1.7 it worked without any further configuration, but after upgrading to JDK 1.8 it did not; I should not have to accept weak algorithms like des-cbc-md5.
Tickets generated manually with kinit use aes256-cts-hmac-sha1-96 encryption. I don't know if I can change this behaviour or if it is even configurable.
Thanks.