
How to configure F5 (SSL) with KNOX?

New Contributor

We put F5 in front of two KNOX nodes. We use SSL from client to F5 and no SSL from F5 to KNOX nodes. We are able to test KNOX node bypassing F5 with beeline:

!connect jdbc:hive2://cvglqknoxgw01:8443/infa_pushdown;transportMode=http;httpPath=gateway/default/hive

But a similar command failed when using F5 and SSL:

!connect jdbc:hive2://knoxgw-cert.td.afg:443/infa_pushdown;transportMode=http;ssl=true;sslTrustStore=/app/hadoop/certificates/gateway.jks;trustStorePassword=XXXXXX;httpPath=gateway/default/hive
Enter username for jdbc:hive2://knoxgw-cert.td.afg:443/infa_pushdown;transportMode=http;ssl=true;sslTrustStore=/app/hadoop/certificates/gateway.jks;trustStorePassword=XXXXX;httpPath=gateway/default/hive: testuser
Enter password for jdbc:hive2://knoxgw-cert.td.afg:443/infa_pushdown;transportMode=http;ssl=true;sslTrustStore=/app/hadoop/certificates/gateway.jks;trustStorePassword=XXXXX;httpPath=gateway/default/hive: *************
17/03/07 15:19:43 [main]: ERROR jdbc.HiveConnection: Error opening session
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLProtocolException: java.io.IOException: Duplicate extensions not allowed
    at org.apache.thrift.transport.THttpClient.flushUsingHttpClient(THttpClient.java:297)
    at org.apache.thrift.transport.THttpClient.flush(THttpClient.java:313)
    at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:73)
Caused by: javax.net.ssl.SSLProtocolException: java.io.IOException: Duplicate extensions not allowed
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:457)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806)
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:100)
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:454)
    ... 51 more
Caused by: java.io.IOException: Duplicate extensions not allowed
    at sun.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:115)
    at sun.security.x509.CertificateExtensions.init(CertificateExtensions.java:88)
    at sun.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:78)
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:702)
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
    ... 56 more
Error: Could not establish connection to jdbc:hive2://knoxgw-cert.td.afg:443/infa_pushdown;transportMode=http;ssl=true;sslTrustStore=/app/hadoop/certificates/gateway.jks;trustStorePassword=pa55w0rd;httpPath=gateway/default/hive: javax.net.ssl.SSLProtocolException: java.io.IOException: Duplicate extensions not allowed (state=08S01,code=0)

I would appreciate it if anyone could help by providing some instructions on configuring F5 (SSL) with KNOX.

Thanks,

Ping
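
Added example, not part of the original post: the innermost cause in the trace above is sun.security.x509.CertificateExtensions.parseExtension, which is the JDK rejecting a certificate received during the handshake because an extension OID occurs more than once. The Python sketch below lists repeated extension OIDs in a DER-encoded certificate; the function names and the skeletal sample bytes are constructed for illustration.

```python
def read_tlv(buf, pos=0):                  # returns (tag, value, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                         # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(b):                         # DER OID bytes -> dotted string
    parts, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear: last byte of this arc
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def duplicate_extensions(cert_der):
    """Return extension OIDs that occur more than once in the certificate."""
    tbs = children(read_tlv(cert_der)[1])[0][1]    # Certificate -> TBSCertificate
    seen, dupes = set(), []
    for tag, val in children(tbs):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                oid = decode_oid(children(ext)[0][1])
                if oid in seen:
                    dupes.append(oid)
                seen.add(oid)
    return dupes

# Constructed sample: a skeletal certificate body, not a real signed certificate.
def tlv(tag, content):                     # short-form lengths only; enough for the sample
    return bytes([tag, len(content)]) + content
def ext_der(oid_bytes):
    return tlv(0x30, tlv(0x06, oid_bytes) + tlv(0x04, b"\x30\x00"))

SAN, BASIC = b"\x55\x1d\x11", b"\x55\x1d\x13"      # 2.5.29.17, 2.5.29.19
def sample(exts):
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01")
              + tlv(0xA3, tlv(0x30, b"".join(ext_der(e) for e in exts))))
    return tlv(0x30, tbs)
```

For a live endpoint, ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) from the Python standard library returns the leaf certificate only, so intermediate certificates in the chain have to be exported and checked separately.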

1 REPLY

Re: How to configure F5 (SSL) with KNOX?

Contributor