
Connecting to Impala with LDAP and SSL


I am attempting to connect to Impala using LDAP and SSL, meaning I need to leverage AuthMech=4. In addition, I am using an HAProxy node as a load balancer for Impala. I have verified that I am able to connect to the Impala service from my edge node's command line via the haproxy node, so the load balancer appears to be working. However, when I attempt to connect to Impala via a JDBC connection, everything breaks down. I believe the exception is tied to the .jks file I am using, but am unsure of how to create it correctly.


My connection string looks similar to that found on page 8 of the Impala JDBC Doc:



Step 1 of the instructions for using this AUTHMECH level states:


 Create a KeyStore containing your signed, trusted SSL certificate.



To me, this means that I need to convert the PEM files set in the below Impala config options into a .jks. Am I correct in this interpretation? And if so, what is the proper way to do this?


  • Impala TLS/SSL Server Certificate File (PEM Format)
  • Impala TLS/SSL Server Private Key File (PEM Format)
  • Impala TLS/SSL CA Certificate

The exception I am receiving is:


%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
ConnectionTest, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
ConnectionTest, WRITE: TLSv1.2 Alert, length = 2
ConnectionTest, called closeSocket()
ConnectionTest, handling exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Re: Connecting to Impala with LDAP and SSL


Hi mtrepanier,


Keystores can be created with keytool. I believe you only need to have the server certificate in the keystore specified in the connection string. The CA file should already be in the truststore.
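
The keytool step mentioned in the reply above, as an added example that is not part of the original thread: it imports a PEM server certificate into a new JKS file and confirms the entry exists. The function names, file paths, alias and password are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build a JKS file that holds the Impala
# server certificate so a JDBC client can validate the TLS handshake.
# Function names, paths, alias and password are illustrative placeholders.

# pem_to_jks <cert.pem> <out.jks> <alias> <storepass>
pem_to_jks() {
    local pem="$1" jks="$2" alias="$3" pass="$4"

    # Stop early if the input is not a parseable X.509 certificate
    # (for example, if the private key file was passed by mistake).
    openssl x509 -in "$pem" -noout 2>/dev/null || {
        echo "not a PEM certificate: $pem" >&2
        return 1
    }

    # Import the certificate only. The private key stays on the server;
    # the client needs just the certificate to build a trust path.
    # keytool requires a store password of at least six characters.
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" \
        -keystore "$jks" -storetype JKS -storepass "$pass" >/dev/null
}

# jks_has_alias <store.jks> <alias> <storepass>
# Succeeds only if the alias is present in the keystore.
jks_has_alias() {
    keytool -list -keystore "$1" -alias "$2" -storepass "$3" >/dev/null 2>&1
}

# pem_fingerprint <cert.pem>
# Prints the SHA-256 fingerprint, for comparison with `keytool -list -v`.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Comparing the output of `pem_fingerprint` with the fingerprint shown by `keytool -list -v` confirms that the file referenced in the connection string holds the certificate the server actually presents.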
