How to invoke Cloudera Manager REST API Web services for Impala from Java client. Server is Kerberos

Hi Friends,
I am trying to invoke Cloudera Manager REST Web services from a Java client. My cluster/server is Kerberized and SSL enabled, i.e. HTTPS. Cloudera Manager requires user/pass to log in.
Now I am trying to invoke the REST (web services) API from a Java client, but it is asking for a certificate.

Below is the Java client code - 

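    import java.net.URL;
    import java.security.PrivilegedExceptionAction;
    import javax.net.ssl.HttpsURLConnection;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import org.apache.hadoop.security.authentication.client.AuthenticatedURL;

    // PasswordCallbackHandler, KerberosConfiguration and getString(...) are
    // helpers that are not shown in this post.
    private static final String ACCEPT = "Accept";
    private static final String APPLICATION_XML = "application/xml";
    private static final String GET = "GET";

    private static Subject getSubject() throws LoginException {
        // Kerberos login for the given principal
        LoginContext loginContext = new LoginContext("", null, new PasswordCallbackHandler("passwordKerberos"),
                new KerberosConfiguration("Test@Test.com"));
        loginContext.login();
        return loginContext.getSubject();
    }

    public void testWS() throws Exception {
        Subject subject = getSubject();
        HttpsURLConnection connection = null;

        // The space in the cluster name has to be percent-encoded in the URL.
        final URL url = new URL("https://host:7183/api/v15/clusters/Cluster%201/services/impala/impalaQueries?from=2018-04-02");

        // Open the connection as the Kerberos subject; the TLS handshake happens inside this call.
        connection = (HttpsURLConnection) Subject.doAs(subject, new PrivilegedExceptionAction<HttpsURLConnection>() {
            @Override
            public HttpsURLConnection run() throws Exception {
                AuthenticatedURL.Token token = new AuthenticatedURL.Token();
                return (HttpsURLConnection) new AuthenticatedURL().openConnection(url, token);
            }
        });

        /* Basic authentication variant (disabled):
        connection.setDoOutput(true);
        connection.setDoInput(true);
        String encoding = DatatypeConverter.printBase64Binary("userName:pass".getBytes("UTF-8"));
        connection.setRequestProperty("Authorization", "Basic " + encoding);
        */
        connection.setRequestProperty(ACCEPT, APPLICATION_XML);
        connection.setRequestMethod(GET);

        try {
            int responseCode = connection.getResponseCode();
            if (responseCode == 200) {
                String result = getString(connection.getInputStream());
                System.out.println(result);
            }
        } finally {
            // Release the connection whatever the response code was.
            connection.disconnect();
        }
    }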


But I am getting below error - 


Exception in thread "main" java.security.PrivilegedActionException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at com.cloudera.example.Test1.testWS(Test1.java:153)
at com.cloudera.example.Test1.main(Test1.java:131)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav...)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:186)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
at com.cloudera.example.Test1$2.run(Test1.java:159)
at com.cloudera.example.Test1$2.run(Test1.java:1)
... 4 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 18 more

What is the problem? Do I need to generate the certificate on my machine (from where I am making the REST call)?
How can I generate the certificate on my machine?

Is there any other way to invoke Cloudera Manager REST API web services?

I want to consume stats of Impala queries in Java.



Re: How to invoke Cloudera Manager REST API Web services for Impala from Java client. Server is kerb

Community Manager

Hi @PranayMunshi,

I did some quick research and found this thread on Stack Overflow:

https://stackoverflow.com/questions/19540289/how-to-fix-the-java-security-cert-certificateexception-...

Hope this may help out in your situation.

Cheers,

Li

Li Wang, Technical Resolution Manager



Re: How to invoke Cloudera Manager REST API Web services for Impala from Java client. Server is kerb

Expert Contributor

Seconding lwang's answer, I suggest starting your JVM with

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

See https://medium.com/@sajithekanayaka/solved-java-security-cert-certificateexception-no-subject-altern...

Alternatively, recreate your CM server certificate with a SAN extension using the -ext san=... option, as shown in the documentation.
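
The failure in the stack trace and the SAN route from the last reply, as an added example that is not part of the original thread: the trace ends in `HostnameChecker.matchIP`, the check applied when the URL host is an IP address, and that check reads only the certificate's subject alternative names. The script uses `openssl` rather than the `-ext san=...` option mentioned above, and the host name `cm.example.internal` and address `192.0.2.10` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. Host name and address below are constructed placeholders.
CM_HOST="cm.example.internal"   # hypothetical Cloudera Manager host name
CM_IP="192.0.2.10"              # documentation-range address (RFC 5737)
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> [SAN list]
# Writes a throwaway self-signed certificate to $WORK/<name>.pem.
# Without a SAN list the certificate identifies the server by CN only.
make_cert() {
  cfg="$WORK/$1.cnf"
  ext=""
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$CM_HOST" > "$cfg"
  if [ -n "${2:-}" ]; then
    printf '[ext]\nsubjectAltName=%s\n' "$2" >> "$cfg"
    ext="-extensions ext"
  fi
  # $ext is intentionally unquoted so it expands to two arguments (or none).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" $ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# covers <name> <ip|host> <value>
# Returns 0 when the certificate is valid for <value>. For "ip", openssl
# consults only iPAddress SAN entries, the same rule as the matchIP frame
# in the stack trace.
covers() {
  openssl x509 -in "$WORK/$1.pem" -noout "-check$2" "$3" 2>&1 |
    grep -q 'does match certificate'
}

make_cert nosan
make_cert withsan "DNS:$CM_HOST,IP:$CM_IP"

for cert in nosan withsan; do
  if covers "$cert" ip "$CM_IP"; then verdict="accepted"; else verdict="rejected"; fi
  echo "$cert.pem presented to a client using https://$CM_IP:7183 -> $verdict"
done
```

Every name or address that clients put in the URL has to appear in the SAN list; the reissued certificate is accepted with endpoint identification left enabled on the client.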