Created on 03-30-2016 02:10 AM - edited 09-16-2022 03:11 AM
The cluster has encryption at rest enabled. I am able to create keys using "#hdfs key create mykey1" but am not able to create an encryption zone on HDFS directories.
Please find the steps below for reference:
-bash-4.1$ hadoop key list
Listing keys for KeyProvider: KMSClientProvider[https://fqdn:16000/kms/v1/]
mykey2
mykey1
I got the error below when I tried to assign an encryption zone to an empty HDFS directory.
-sh-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1
RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Created 04-04-2016 05:54 AM
Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing Kerberos credentials.
After the changes were made, I got the output below.
-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1
Added encryption zone /user/vgadade/zone1
-bash-4.1$
Created 07-20-2018 12:48 AM
Thanks for the solution. But do you know the true reason for enabling HTTP Web-Consoles (HDFS)?
Created 07-20-2018 04:08 PM
I recommend you start a new thread since the answer to this one doesn't really make sense.
Enabling Kerberos for web consoles will not help resolve a PKIX error (which occurs when a client cannot find trust for the signer of the server certificate of the server to which the client is connecting).
Enabling Kerberos for web consoles will not solve TLS problems. Something else that was done must have resolved the issue.
Enabling Kerberos Authentication for Web Consoles will require that any clients connecting to them use SPNEGO to authenticate. This requires browser configuration and sometimes OS-level and krb5.conf configuration changes.
It is best to plan this move carefully and make sure you know how to configure clients to use SPNEGO if you are going to enable Kerberos for web consoles.
If you are having any problems similar to what was described in this thread, please give us some background of what you are trying to do and what isn't working.
Thanks,
Ben
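Added example, not part of the thread: the PKIX condition described in the reply above, reproduced offline with a throwaway PKI. It assumes openssl is on PATH; `openssl verify` stands in for the Java certificate path validator and a PEM file for the JVM truststore, and the CA and host names are made up.

```shell
# Added example: every key and certificate here is a constructed throwaway.
# Assumptions: openssl on PATH; "Cluster CA", "Unrelated CA" and
# kms.example.internal are made-up names, not values from the thread.

# make_pki DIR: create the signing CA, an unrelated CA, and a server
# certificate signed by the first CA.
make_pki() {
  local d="$1"
  # CA that signs the server certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Cluster CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # CA that models a truststore which does not contain the signer
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null || return 1
  # Server key and signing request, then the certificate issued by Cluster CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kms.example.internal" \
    -keyout "$d/kms.key" -out "$d/kms.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/kms.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/kms.pem" 2>/dev/null || return 1
}

# signer_of CERT: print the issuer, i.e. the name the client must trust.
signer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# trust_check TRUSTFILE CERT: print "trusted" if a path from CERT to an
# anchor in TRUSTFILE can be built, otherwise "untrusted".
trust_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Demo: the same server certificate against two different trust files.
demo_dir=$(mktemp -d) && make_pki "$demo_dir" && {
  signer_of "$demo_dir/kms.pem"
  echo "trust file without signer: $(trust_check "$demo_dir/other.pem" "$demo_dir/kms.pem")"
  echo "trust file with signer:    $(trust_check "$demo_dir/ca.pem" "$demo_dir/kms.pem")"
}
rm -rf "$demo_dir"
```

The result depends only on whether the signer's certificate is among the trust anchors; no authentication setting enters into the check.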