Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Enabling SSL/TLSv1 during sqoop import

avatar
Contributor

Hi,

 

I am trying to connect to MSSQL database.

The custom jar used is sqljdbc4.jar.

Using sql server authentication with username and pwd.

versions : Sqoop version: 1.4.6-cdh5.14.2

 

The MSSQL database I am trying to connect is SSL enabled and I am getting the below error while using the sqoop command

 

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.".

 

Is there a solution for this ?

 

8 REPLIES 8

avatar
Super Collaborator

@sow 

 

Sqoop does not currently support TLS/SSL to Oracle, MySQL, or other databases.

Refer:https://docs.cloudera.com/documentation/enterprise/5-14-x/topics/cm_sg_hadoop_ssl_cm.html

avatar
Contributor

@paras 

 

Thank you ..

 

As a work around , I commented out the disabled algorithms property in "java.security" file and tried the sqoop command and that worked.

Just wanted to understand how does this work with sqoop  when there is a change made in java.security file ? 

 

The above is a temporary solution and I am looking for a solution where I can change the java security file property in run time in the sqoop import command.

This is because we cannot change the "java security" file on each node and affect other systems.

 

 

Please share your inputs.

Thanks in advance

 

avatar
Super Collaborator

@sow 

 

What is the mysql DB version being used here? Does this only support TLSV1 ?

You should consider upgrading the DB to the latest supported TLS versions.

TLSV1 is included in the disabled algorithms in the latest java versions by default . The option of disabling the algorithms from java.security hence works in the particular host once you update the java.security file. This is the only workaround here but not recommended since TLSv1 is deprecated.

 

Ref: https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html

 

avatar
Contributor

@paras 

 

Thank you for your inputs.

 

It is MSSQL database I am trying to fetch data from.( not mysql).

Upgrading production database would be a difficult option at the moment.

 

Is there a way in which I can change/override  the disabled algorithm property in java security file run time in sqoop command. ??

so that i dont have to  change the security file property on each node.

 

Thanks

avatar
Explorer

@sow 

Hi,

Did you find solution to your query "Is there a way in which I can change/override  the disabled algorithm property in java security file run time in sqoop command. ??"

Coz I'm in similar situation where I want to pass security provider in sqoop command.

 

Thanks

avatar
Explorer

Hi,

 

I got resolved my issue by using the below connect string ( this might help others):

sqoop import -D mapreduce.map.java.opts="-Djava.security.properties==file:///<unix_box_location>/java.security" --connect <connect_string> --username <username> --password <password> --table "TABLE" --delete-target-dir --target-dir "table.txt" -m1

 

Please note the following:

1. we have to specify 3 forward slash after file i.e. file:///

2. Need to distribute the java.security file across the cluster.

 

Thanks

avatar
Contributor

Hi @akv31 

 

Point no 1 : Did u create a new java security file with new properties you want to change and place it in all nodes  in a local directory or hdfs directory ??

 

avatar
Explorer

Yes, I created a new java.security file with required properties and placed in all nodes in local directory.