Support Questions
Find answers, ask questions, and share your expertise

Error connecting tableau to Knox Hive

I'm getting error below trying to connect tableau to hive thru knox on a OSX. The same connection works from unixODBC + Excel, but not from tableau.

Error I get is:

[Hortonworks][Hardy] (34) Error from server: authorize: cannot authorize peer.

Here my tableau settings:


Any idea on how to troubleshoot it?


It's related to "Allow Common Name Host Name Mismatch", I works if I used same hostname from knox certificate.

Does anyone knows how to add that option on tableau? I can find it on ODBC settings, but not on tableau. Or where to change it by default on odbc driver?

Cloudera Employee

Hi @Guilherme Braccialli

Late answer to your question but I'm hoping it will help others.

The issue at hand is that the CN of the KNOX certificate does not match the name of the machine connected.

This often happens when the KNOX TSL Certificate was issued against an internal name, but you're connecting to it from an external connection with a different Name. The CN name of the certificate must match the DNS name of the machine connecting to...

For example (mismatch) :


Most ODBC connection (ex. windows odbc) allow you to ignore this with settings such as " ignore Common Name mismatch"

Unfortunately Tableau doesn't let you do that...

Two solutions :

1. Re create your KNOX gateway certificate ( Preferred )

## 1. Regenerate self signed certificate
#   $gateway-hostname is the FQDN of the Knox Gateway
#   $knox_dir is the knox install dir (usually /usr/hdp/current/knox-server/)
cd $knox_dir   
./bin/ create-cert --hostname $gateway-hostname 

## 2. Export the certificate in PEM format:
keytool -export -alias gateway-identity -rfc -file data/security/keystores/knox.crt -keystore data/security/keystores/gateway.jks

## 3. Restart Knox server 
./bin/ stop
./bin/ start

2. Modify the hostname of the KNOX server on your machine ( modify /etc/hosts )

The idea is to "trick" your browser into thinking it's connected to the correct machine

On MacOS/ Linux machine :

## 1. get IP of the knox gateway 
nslookup $KnowGatewayFQDN

## 2. modify /etc/hosts
sudo vim /etc/hosts 

# insert 
$KnoxGatewayIP(ex. XX.XX.XX.XX)  $ExpectedCN Name of Knox Gateway