I am attempting to connect to Impala using LDAP and SSL, meaning I need to leverage AuthMech=4. In addition, I am using an HaProxy node as a load balancer for Impala. I have verified that I am able to connect to the Impala service from my edge node's command line via the haproxy node, so the load balancer appears to be working. However, when I attempt to connect to Impala via a JDBC connection, everything breaks down. I believe the exception is tied to the .jks file I am using, but am unsure of how to create it correctly.
My connection string looks similar to that found on page 8 of the Impala JDBC Doc: https://www.cloudera.com/documentation/other/connectors/impala-jdbc/2-5-5/Cloudera-JDBC-Driver-for-I...
Step 1 of the instructions for using this AUTHMECH level states:
Create a KeyStore containing your signed, trusted SSL certificate.
To me, this means that I need to convert the PEM files set in the below Impala config options into a .jks. Am I correct in this interpretation? And if so, what is the proper way to do this?
The exception I am receiving is:
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
ConnectionTest, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
ConnectionTest, WRITE: TLSv1.2 Alert, length = 2
ConnectionTest, called closeSocket()
ConnectionTest, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Keystores can be created with keytool. I believe you only need to have the server certificate in the keystore specified in the connection string. The CA file should already be in the truststore.
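Added example (not part of the original posts): one way to turn PEM certificates into a .jks with keytool and confirm the import, since "PKIX path building failed" means the JVM found no trusted certificate for the chain the server presented. The function names, file names, aliases and password are placeholders chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: build a JKS store of trusted certificates from PEM files and
# verify the result. All paths, aliases and passwords are placeholders.

# pem_to_jks <store.jks> <storepass> <cert.pem> [<cert.pem> ...]
# Imports each PEM file as a trusted-certificate entry, using the file name
# (without extension) as the alias. keytool reads only the first certificate
# of a PEM file here, so split a bundled chain into one file per certificate.
pem_to_jks() {
    local store=$1 pass=$2 pem alias
    shift 2
    for pem in "$@"; do
        [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
        alias=$(basename "${pem%.*}")
        keytool -importcert -noprompt -trustcacerts \
            -alias "$alias" -file "$pem" \
            -keystore "$store" -storetype JKS -storepass "$pass" || return 1
    done
}

# jks_has_cert <store.jks> <storepass> <cert.pem>
# Succeeds only if the SHA-256 fingerprint of the PEM certificate is listed
# in the keystore, i.e. the client would treat that certificate as trusted.
jks_has_cert() {
    local fp
    fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256 | cut -d= -f2) || return 1
    [ -n "$fp" ] || return 1
    keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -qiF "$fp"
}

# Typical use (placeholder names):
#   pem_to_jks impala-trust.jks 'changeit' ca-cert.pem
#   jks_has_cert impala-trust.jks 'changeit' ca-cert.pem && echo "trusted"
```

Running `jks_has_cert` against the certificate the endpoint actually presents (or its issuing CA) shows whether the store referenced in the connection string can satisfy the handshake before the JDBC client is involved.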