HDFS rest encryption zone unable to find valid certification path

Rising Star

 

 

The cluster has rest encryption enabled. I am able to create keys using "#hdfs key create mykey1" but am not able to create an encryption zone on HDFS directories.

Please find below steps for reference 

 

-bash-4.1$ hadoop key list
Listing keys for KeyProvider: KMSClientProvider[https://fqdn:16000/kms/v1/]
mykey2
mykey1 

 

I got the error below when trying to assign an encryption zone to an empty HDFS directory.

 

-sh-4.1$ hdfs crypto -createZone -keyName  mykey1 -path /user/xxxx/zone1

RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

1 ACCEPTED SOLUTION

Rising Star

Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing kerberos credentials

After the changes were done, I got the output below.

-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1

Added encryption zone /user/vgadade/zone1

-bash-4.1$


3 REPLIES 3

Cloudera Employee

Thanks for the solution. But do you know the true reason for enabling HTTP Web-Consoles (HDFS)?

Master Guru

@manuh,

 

I recommend you start a new thread since the answer to this one doesn't really make sense.

Enabling Kerberos for web consoles will not help resolve a PKIX error (which occurs when a client cannot find trust for the signer of the server certificate of the server to which the client is connecting).

 

Enabling Kerberos for web consoles will not solve TLS problems. Something else that was done must have resolved the issue.

 

Enabling Kerberos Authentication for Web Consoles will require that any clients connecting to them use SPNEGO to authenticate. This requires browser configuration and sometimes OS-level and krb5.conf configuration changes.

It is best to plan this move carefully and make sure you know how to configure clients to use SPNEGO if you are going to enable Kerberos for web consoles.

 

If you are having any problems similar to what was described in this thread, please give us some background of what you are trying to do and what isn't working.

 

Thanks,

 

Ben
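
The trust decision behind the PKIX error discussed in this thread can be reproduced offline. The script below is an added example, not part of any post above; it uses throwaway certificates, and the names cluster-ca, other-ca and kms.example.test, along with all function names, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example with constructed test data only (no real cluster material).
# On a real cluster you would first export the KMS server certificate and the
# connecting client's truststore to PEM; those steps are not shown here.

# make_ca <dir> <name>: self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert <dir> <ca_name> <cn>: server certificate signed by the named CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# chain_trusted <trust_bundle.pem> <server_cert.pem>: succeeds only if the
# bundle holds a trust anchor for the certificate's signer.
chain_trusted() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# signer_of <cert.pem>: print the issuer DN that the client must trust.
signer_of() {
  openssl x509 -in "$1" -noout -issuer
}

demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" cluster-ca && make_ca "$d" other-ca &&
    issue_cert "$d" cluster-ca kms.example.test || return 1
  signer_of "$d/kms.example.test.pem"
  # Truststore contains the signer: the handshake would be accepted.
  chain_trusted "$d/cluster-ca.pem" "$d/kms.example.test.pem" &&
    echo "trusted: signer is in the truststore"
  # Truststore lacks the signer: the condition Java reports as
  # "PKIX path building failed". Kerberos settings play no part in it.
  chain_trusted "$d/other-ca.pem" "$d/kms.example.test.pem" ||
    echo "untrusted: signer missing from the truststore"
  rm -rf "$d"
}

demo
```

The fix for the untrusted case is to add the signer printed by `signer_of` to the truststore of whichever process makes the TLS connection.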