
HDFS rest encryption zone unable to find valid certification path


HDFS rest encryption zone unable to find valid certification path

Contributor

 

 

The cluster has rest encryption enabled. I am able to create keys using "#hdfs key create mykey1", but I am not able to create an encryption zone on HDFS directories.

Please find the steps below for reference.

 

-bash-4.1$ hadoop key list
Listing keys for KeyProvider: KMSClientProvider[https://fqdn:16000/kms/v1/]
mykey2
mykey1 

 

I got the error below when trying to assign an encryption zone to an empty HDFS directory.

 

-sh-4.1$ hdfs crypto -createZone -keyName  mykey1 -path /user/xxxx/zone1

RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

1 ACCEPTED SOLUTION


Re: HDFS rest encryption zone unable to find valid certification path

Contributor

Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing Kerberos credentials.

After the changes were done, I got the output below.

-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1

Added encryption zone /user/vgadade/zone1

-bash-4.1$



Re: HDFS rest encryption zone unable to find valid certification path

Cloudera Employee

Thanks for the solution. But do you know the true reason for enabling HTTP Web-Consoles (HDFS)?


Re: HDFS rest encryption zone unable to find valid certification path

Super Guru

@manuh,

 

I recommend you start a new thread since the answer to this one doesn't really make sense.

Enabling Kerberos for web consoles will not help resolve a PKIX error (which occurs when a client cannot find trust for the signer of the server certificate of the server to which the client is connecting).

Enabling Kerberos for web consoles will not solve TLS problems. Something else that was done must have resolved the issue.

Enabling Kerberos Authentication for Web Consoles will require that any clients connecting to them use SPNEGO to authenticate. This requires browser configuration and sometimes OS-level and krb5.conf configuration changes.

It is best to plan this move carefully and make sure you know how to configure clients to use SPNEGO if you are going to enable Kerberos for web consoles.

 

If you are having any problems similar to what was described in this thread, please give us some background of what you are trying to do and what isn't working.

 

Thanks,

 

Ben
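
The trust condition described in the reply above, reproduced offline as an added example that is not part of any post in this thread: a server certificate verifies only when its signer is present in the client's trust store. It uses `openssl verify` as a stand-in for the Java PKIX check, and every name in it (the CA subjects, `kms.example.internal`, the file names) is constructed for illustration.

```shell
#!/bin/sh
# Added example: all certificates are throwaway and constructed, not from the cluster.

# make_pki DIR: create a signing CA, an unrelated CA, and a server certificate
# issued by the signing CA (stand-in for the KMS server certificate).
make_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Signing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kms.example.internal" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}

# check_trust BUNDLE CERT: print "trusted" if CERT chains to a CA in BUNDLE,
# "untrusted" otherwise (the condition Java reports as a PKIX failure).
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    t=$(mktemp -d) || return 1
    make_pki "$t" || return 1
    echo "store with signing CA:    $(check_trust "$t/ca.pem" "$t/server.pem")"
    echo "store without signing CA: $(check_trust "$t/other.pem" "$t/server.pem")"
    # The fix for a trust failure: add the signer to the client's trust store.
    cat "$t/other.pem" "$t/ca.pem" > "$t/fixed.pem"
    echo "after importing the CA:   $(check_trust "$t/fixed.pem" "$t/server.pem")"
    rm -rf "$t"
}
demo
```

On a real cluster the equivalent check is made against the truststore of the process that raised the exception, which for a JKS file can be listed with `keytool -list`.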
