HBASE Thrift API failed at TLS handshake

Expert Contributor

This issue occurred right after I enabled TLS on my CDP Private Cloud Base 7.1.7. The client call to HBASE Thrift API failed at TLS handshake.

Below is the connection test output with the handshake failure.
++
$ openssl s_client -connect mycompany.com:9191
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
++

My Thrift API port is 9191 (not the default 9090). This port worked well before TLS was enabled.

There should be no certificate/CA issue because the Thrift (on the same node) UI over TLS works just fine. Below is the connection test output showing a successful handshake.

++
$ openssl s_client -connect mycompany.com:9095
CONNECTED(00000003)
depth=2 CN = MYROOTCA
...
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
...
++

All my HBASE instances have green lights inside Cloudera Manager. I do not know where to look. It looks like something internal in SDX went wrong.

Any suggestions? Thank you.

Best regards,

2 REPLIES

Expert Contributor

It appeared that the Thrift Server did not start completely, although it has a green light in Cloudera Manager. Inside the log hbase-cmf-hbase-HBASETHRIFTSERVER-mynode.log.out, there is no entry to acknowledge the start like

++
org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@180e6ac4{SSL, (ssl, http/1.1)}{0.0.0.0:9191}
++

But I have no idea why the starting ended up incomplete. There was no warning or error from either the log or the Cloudera Manager UI.

Thank you.


Expert Contributor

Additional connection tests show that port 9191 still works on unencrypted connections, although "TLS/SSL for HBase Thrift Server over HTTP" is enabled. Neither the log nor the Cloudera Manager UI gave any warnings or errors.
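
The two checks described in this thread (a TLS handshake attempt, then an unencrypted request) can be combined into one probe that reports which protocol a listener actually accepts. This is an added example, not part of the original posts or of Cloudera's tooling; the function names are hypothetical, and it assumes the Thrift server runs in HTTP mode as the setting name in the last reply suggests.

```python
import socket
import ssl

def classify_reply(data: bytes) -> str:
    """Label the first bytes a listener sends back."""
    if not data:
        return "no-reply"
    if data[:5] == b"HTTP/":
        return "plaintext-http"
    # TLS record header: type 0x15 (alert) or 0x16 (handshake), major version 0x03
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "unknown"

def tls_answers(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if the listener takes part in a TLS handshake at all."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        # The server presented a certificate, so it speaks TLS; a private
        # root CA is simply not in this client's default trust store.
        return True
    except (ssl.SSLError, OSError):
        # Non-TLS reply, reset, EOF with 0 bytes read, or timeout.
        return False

def plaintext_reply(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send a minimal unencrypted HTTP request and return the first bytes."""
    req = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return s.recv(16)
    except OSError:
        return b""

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Report which protocol the listener actually accepts."""
    if tls_answers(host, port, timeout):
        return "tls"
    return classify_reply(plaintext_reply(host, port, timeout))

if __name__ == "__main__":
    # Host and ports as given in the thread.
    for p in (9095, 9191):
        print(p, probe("mycompany.com", p))
```

A result of `plaintext-http` on a port that is configured for TLS means the setting has not taken effect on the running process, whatever the health indicator shows.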