
Connecting to Impala with LDAP and SSL




I am attempting to connect to Impala using LDAP and SSL, meaning I need to leverage AuthMech=4. In addition, I am using an HaProxy node as a load balancer for Impala. I have verified that I am able to connect to the Impala service from my edge node's command line via the haproxy node, so the load balancer appears to be working. However, when I attempt to connect to Impala via a JDBC connection, everything breaks down. I believe the exception is tied to the .jks file I am using, but am unsure of how to create it correctly.


My connection string looks similar to that found on page 8 of the Impala JDBC Doc:



Step 1 of the instructions for using this AUTHMECH level states:


 Create a KeyStore containing your signed, trusted SSL certificate.



To me, this means that I need to convert the PEM files set in the below Impala config options into a .jks. Am I correct in this interpretation? And if so, what is the proper way to do this?


  • Impala TLS/SSL Server Certificate File (PEM Format)
  • Impala TLS/SSL Server Private Key File (PEM Format)
  • Impala TLS/SSL CA Certificate

The exception I am receiving is:


%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
ConnectionTest, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
ConnectionTest, WRITE: TLSv1.2 Alert, length = 2
ConnectionTest, called closeSocket()
ConnectionTest, handling exception: sun.security.validator.ValidatorException: PKIX path building failed:
ider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Hi mtrepanier,


Keystores can be created with keytool. I believe you only need to have the server certificate in the keystore specified in the connection string. The CA file should already be in the truststore.
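
Following the keytool suggestion above, an added example (not from the original thread or from Cloudera's documentation) that builds a JKS file from PEM certificates. The "PKIX path building failed" error in the question means the client JVM could not chain the server certificate to an entry it trusts, so only certificates are imported and the private key is skipped. File names, the alias prefix and the password are placeholders, and keytool from a JDK is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: build a client-side JKS from PEM certificate files.
# Paths, alias prefix and password are placeholders (assumptions).

# Split a PEM file that may hold several certificates (server certificate
# plus CA chain) into one file per certificate under $2. Anything that is
# not a CERTIFICATE block, such as a private key, is ignored.
# Prints the number of certificates written.
split_pem() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every certificate found in $1 into the JKS file $2 (password $3),
# then list the result so the entries can be checked by eye.
build_truststore() {
    bundle=$1
    store=$2
    pass=$3
    tmp=$(mktemp -d) || return 1
    count=$(split_pem "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi
    for pem in "$tmp"/cert-*.pem; do
        alias=impala-$(basename "$pem" .pem)
        keytool -importcert -noprompt -alias "$alias" -file "$pem" \
                -keystore "$store" -storetype JKS -storepass "$pass" \
            || { rm -rf "$tmp"; return 1; }
    done
    rm -rf "$tmp"
    keytool -list -keystore "$store" -storepass "$pass"
}

# Usage (placeholder names):
#   build_truststore impala-ca-and-server.pem impala-client.jks 'store-password'
```

A password passed with -storepass is visible in the process list while keytool runs; leaving the option off makes keytool prompt for it instead.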
