Created 12-17-2024 10:28 PM
This issue occurred right after I enabled TLS on my CDP Private Cloud Base 7.1.7. The client call to HBASE Thrift API failed at TLS handshake.
Below is the connection test output with the handshake failure.
++
$ openssl s_client -connect mycompany.com:9191
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
++
My Thrift API port is 9191 (not the default 9090). This port worked well before TLS was enabled.
There should be no certificate/ca issue because the Thrift (on the same node) UI over TLS works just fine. Below is the connection test output showing a successful handshake.
++
$ openssl s_client -connect mycompany.com:9095
CONNECTED(00000003)
depth=2 CN = MYROOTCA
...
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
...
++
All my HBASE instances have green lights inside Cloudera Manager. I do not know where to look. It looks like something internal in SDX went wrong.
Any suggestions? Thank you.
Best regards,
Created on 12-18-2024 10:36 AM - edited 12-18-2024 02:09 PM
It appeared that the Thrift Server did not start completely, although it has a green light in Cloudera Manager. Inside the log hbase-cmf-hbase-HBASETHRIFTSERVER-mynode.log.out, there is no entry to acknowledge the start like
++
org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@180e6ac4{SSL, (ssl, http/1.1)}{0.0.0.0:9191}
++
But I have no idea why the starting ended up incomplete. There was no warning or error from either the log or the Cloudera Manager UI.
Thank you.
Created 12-19-2024 11:22 AM
Additional connection tests show that port 9191 still works on unencrypted connections, although "TLS/SSL for HBase Thrift Server over HTTP" is enabled. Neither the log nor the Cloudera Manager UI gave any warnings or errors.
Created 01-13-2025 11:17 AM
The issue was resolved after I checked the "Enable HBase Thrift Http Server" property in HBase configuration. It turned out that the TLS implementation for the thrift server on CDP HBase is done at http layer, not at the Transport layer.
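Since the thread shows a listener that reported healthy while refusing the TLS handshake and still accepting unencrypted connections, a wire-level check is worth running after any TLS change. The following is an added example, not part of the original posts: `probe_listener` and `audit` are hypothetical names, and the host and ports are the ones quoted in the thread.

```python
import socket
import ssl


def probe_listener(host, port, cafile=None, timeout=5.0):
    """Classify host:port as 'unreachable', 'no-tls', 'tls-untrusted' or 'tls'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"state": "unreachable", "detail": str(exc)}
    # Default context verifies the chain and the hostname; pass cafile for a private root CA.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"state": "tls", "detail": f"{tls.version()} {tls.cipher()[0]}"}
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the certificate does not validate against the trust store.
        return {"state": "tls-untrusted", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Peer closed, reset, timed out or answered with non-TLS bytes:
        # the "read 0 bytes" case from the openssl output in the first post.
        return {"state": "no-tls", "detail": f"{type(exc).__name__}: {exc}"}
    finally:
        raw.close()


def audit(endpoints, cafile=None, timeout=5.0):
    """Return the endpoints that did not complete a verified TLS handshake."""
    failures = {}
    for name, (host, port) in endpoints.items():
        result = probe_listener(host, port, cafile, timeout)
        if result["state"] != "tls":
            failures[name] = result
    return failures


if __name__ == "__main__":
    # Host and ports as quoted in the thread; adjust for your cluster.
    endpoints = {
        "thrift-api": ("mycompany.com", 9191),
        "thrift-ui": ("mycompany.com", 9095),
    }
    for name, result in audit(endpoints).items():
        print(f"{name}: {result['state']} ({result['detail']})")
```

An empty result from `audit` means every listed port completed a verified handshake; a `no-tls` entry is the condition described in this thread, regardless of what the management UI shows.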