
Error connecting tableau to Knox Hive


I'm getting the error below trying to connect Tableau to Hive through Knox on OS X. The same connection works from unixODBC + Excel, but not from Tableau.

Error I get is:

[Hortonworks][Hardy] (34) Error from server: authorize: cannot authorize peer.

Here are my Tableau settings:

8423-screen-shot-2016-10-11-at-191326.png

Any idea on how to troubleshoot it?


Re: Error connecting tableau to Knox Hive

It's related to "Allow Common Name Host Name Mismatch". It works if I use the same hostname as in the Knox certificate.

Does anyone know how to add that option in Tableau? I can find it in the ODBC settings, but not in Tableau. Or where to change it by default in the ODBC driver?

Re: Error connecting tableau to Knox Hive

Cloudera Employee

Hi @Guilherme Braccialli

Late answer to your question but I'm hoping it will help others.


The issue at hand is that the CN of the Knox certificate does not match the name of the machine connected.

This often happens when the Knox TLS certificate was issued against an internal name, but you're connecting to it from an external connection with a different name. The CN name of the certificate must match the DNS name of the machine connecting to...

For example (mismatch) :

64446-screen-shot-2018-03-02-at-154643.png

Most ODBC connections (e.g. Windows ODBC) allow you to ignore this with settings such as "ignore Common Name mismatch".

Unfortunately Tableau doesn't let you do that...

Two solutions :

1. Re-create your Knox gateway certificate (preferred)

## 1. Regenerate self signed certificate
# Where
#   $gateway_hostname is the FQDN of the Knox Gateway
#   $knox_dir is the knox install dir (usually /usr/hdp/current/knox-server/)

cd "$knox_dir"
./bin/knoxcli.sh create-cert --hostname "$gateway_hostname"

## 2. Export the certificate in PEM format:
keytool -export -alias gateway-identity -rfc -file data/security/keystores/knox.crt -keystore data/security/keystores/gateway.jks

## 3. Restart Knox server 
./bin/gateway.sh stop
./bin/gateway.sh start

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/knox_self_signed_certif...

2. Modify the hostname of the Knox server on your machine (modify /etc/hosts)

The idea is to "trick" your browser into thinking it's connected to the correct machine

On a macOS / Linux machine:

## 1. get IP of the knox gateway
nslookup "$KnoxGatewayFQDN"

## 2. modify /etc/hosts
sudo vim /etc/hosts

# insert a line of the form: IP, then name (ex. XX.XX.XX.XX for the IP)
$KnoxGatewayIP  $ExpectedCN    # $ExpectedCN is the CN name of the Knox Gateway
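
A way to confirm the name mismatch described in this thread before regenerating the certificate or editing /etc/hosts, as an added example that is not part of the original posts. It assumes the openssl CLI is installed; the hostnames knox.internal.example and knox.public.example and the helper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl CLI.

# fetch_gateway_cert <host> <port> <out.pem>: save the certificate the gateway presents.
fetch_gateway_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM -out "$3"
}

# cert_subject <pem>: print the subject (including the CN) of a certificate.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# cert_matches_host <pem> <hostname>: exit 0 only if the hostname the client
# dials is covered by the certificate (SAN dNSName, else subject CN).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
    | grep -q 'does match certificate'
}

# make_demo_cert <cn> <out.pem>: constructed self-signed certificate so the
# check can be tried offline; it stands in for the Knox gateway certificate.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo with constructed names: certificate issued for the internal name,
# client connecting with a different (external) name.
demo() {
  demo_dir=$(mktemp -d)
  make_demo_cert knox.internal.example "$demo_dir/knox.crt"
  cert_subject "$demo_dir/knox.crt"
  for name in knox.internal.example knox.public.example; do
    if cert_matches_host "$demo_dir/knox.crt" "$name"; then
      echo "$name: matches certificate"
    else
      echo "$name: MISMATCH (the case this thread describes)"
    fi
  done
  rm -rf "$demo_dir"
}
demo
```

Against a real gateway, run cert_matches_host on data/security/keystores/knox.crt (the file exported in step 2 above) with the exact hostname entered in Tableau.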