Support Questions

hfaouaz · ‎11-05-2015

It seem that invoking the test from the KNox repository in Ranger failes due to miss path to the cert.

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

rmani · ‎11-05-2015

In HDP 2.3 you can do the following for it

cd $GATEWAY_HOME/data/security/keystores 

keytool -exportcert -alias gateway-identity -keystore gateway.jks -file knox.crt

no password

Copy knox.crt file onto machine running Ranger admin to a working directory, /usr/hdp/current/ranger-admin/

cd /usr/hdp/current/ranger-admin
cp /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64/jre/lib/security/cacerts cacertswithknox
keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacertswithknox

password: changeit

cd /usr/hdp/current/ranger-admin/ews

Add following to /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

-Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-admin/cacertswithknox

in

start() {
        java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &

        echo "Apache Ranger Admin has started."
}

restart ranger-admin

View solution in original post

rmani · ‎11-05-2015

Yes that is right , you need to add self-signed cert into Ranger keystore for Test connection and lookup functionality to work

rmani · ‎11-05-2015

In HDP 2.3 you can do the following for it

cd $GATEWAY_HOME/data/security/keystores 

keytool -exportcert -alias gateway-identity -keystore gateway.jks -file knox.crt

no password

Copy knox.crt file onto machine running Ranger admin to a working directory, /usr/hdp/current/ranger-admin/

cd /usr/hdp/current/ranger-admin
cp /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64/jre/lib/security/cacerts cacertswithknox
keytool -import -trustcacerts -file knox.crt -alias knox -keystore cacertswithknox

password: changeit

cd /usr/hdp/current/ranger-admin/ews

Add following to /usr/hdp/current/ranger-admin/ews/ranger-admin-services.sh

-Djavax.net.ssl.trustStore=/usr/hdp/current/ranger-admin/cacertswithknox

in

start() {
        java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${XAPOLICYMGR_EWS_DIR}/logs/ -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > logs/catalina.out 2>&1 &

        echo "Apache Ranger Admin has started."
}

restart ranger-admin

hfaouaz · ‎11-05-2015

thanks @rmani@hortonworks.com

VR46 · ‎05-13-2016

Thanks @Ramesh Mani

pagrawa · ‎08-30-2016

if above steps don't work then please add/update the value of property 'ranger.truststore.file' and 'ranger.truststore.password' in the ranger-admin module according to your environment :

According to steps mentioned above sample value would be :

ranger.truststore.file=/usr/hdp/current/ranger-admin/cacertswithknox
ranger.truststore.password=changeit

Cloudera Community

Support Questions

Do we need to add Knox self-signed cert into Ranger keystore?