Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

HDFS rest encryption zone unable to find valid certification path

avatar
author-rank Vikas1
Rising Star

Created on ‎03-30-2016 02:10 AM - edited ‎09-16-2022 03:11 AM

 

 

Cluster having the rest encryption enabled, I am able to create keys using "#hdfs key create mykey1" but not able to create encryption zone on hdfs directories.

Please find below steps for reference 

 

-bash-4.1$ hadoop key list
Listing keys for KeyProvider: KMSClientProvider[https://fqdn:16000/kms/v1/]
mykey2
mykey1 

 

I got below error when I am going to assign encryption zone to hdfs empty dir.

 

-sh-4.1$ hdfs crypto -createZone -keyName  mykey1 -path /user/xxxx/zone1

RemoteException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

4,437 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank Vikas1
Rising Star

Created ‎04-04-2016 05:54 AM

Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing kerberos credentials

After changes done, I got below output.

-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1

Added encryption zone /user/vgadade/zone1

-bash-4.1$

View solution in original post

4,418 Views
0 Kudos
3 REPLIES 3

avatar
author-rank Vikas1
Rising Star

Created ‎04-04-2016 05:54 AM

Resolved: Enabled Kerberos Authentication for HTTP Web-Consoles (HDFS) and regenerated missing kerberos credentials

After changes done, I got below output.

-bash-4.1$ hdfs crypto -createZone -keyName mykey1 -path /user/xxxx/zone1

Added encryption zone /user/vgadade/zone1

-bash-4.1$

4,419 Views
0 Kudos

avatar
manuh author-rank
Cloudera Employee

Created ‎07-20-2018 12:48 AM

Thanks for the solution. But do you know the true reason for enable HTTP Web-Consoles (HDFS)? 

3,022 Views
0 Kudos

avatar
author-rank bgooley author-rank
Master Guru

Created ‎07-20-2018 04:08 PM

@manuh,

 

I recommend you start a new thread since the answer to this one doesn't really make sense.

enabling kerberos for web consoles will not help resolve a PKIX error (which occurs when a client cannot find trust for the signer of the server certificate of the server to which the client is connecting).

 

Enabling kerberos for web-consoles will not solve TLS problems.  Something else that was done must have resolved the issue.

 

Enabling Kerberos Authentication for Web Consoles will require that any clients connecting to them use SPNEGO to authenticate.  This requires browser configuration and sometimes OS-level and krb5.conf configuration changes.

It is best to plan this move carefully and make sure you know how to configure clients to use SPNEGO if you are going to enable kerberos for web consoles.

 

If you are having any problems similar to what was described in this thread, please give us some background of what you are trying to do and what isn't working.

 

Thanks,

 

Ben

2,999 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements