How to turn off 2 way SSL authentication for smartsense agent?
Labels: Hortonworks SmartSense
Created 05-02-2016 03:23 AM
I am trying to restart my hst-agent, but it repeatedly fails with the error message below:
ERROR 2016-05-02 03:08:20,978 security.py:78 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent. In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in agent configuration(hst-agent.ini) Exiting..
ERROR 2016-05-02 03:08:20,979 security.py:86 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
I even tried deleting all the hst-agent keys, but still to no avail.
I am trying to set up SmartSense on my HDP 2.4 VM.
Created 05-02-2016 06:25 PM
This error occurs because the md5 digest became deprecated in favor of sha256 in recent versions of Java. It is fixed in the next SmartSense HST release. The workaround is somewhat complicated, so we recommend you open a support case for assistance. If you wish to attempt it yourself, here is the process...
WORKAROUND: Change the default digest to “sha256” instead of “md5” and then regenerate all certificates. Follow these steps:
1. Use Ambari to stop the SmartSense service (all components)
2. Backup the old server keys on the HST Server host: cp -rp /var/lib/smartsense/hst-server/keys /var/lib/smartsense/hst-server/keys.backup
3. On the HST Server host, clean out the old keys:
   i. rm -f /var/lib/smartsense/hst-server/keys/ca.key
   ii. rm -f /var/lib/smartsense/hst-server/keys/*.csr
   iii. rm -f /var/lib/smartsense/hst-server/keys/*.crt
   iv. rm -rf /var/lib/smartsense/hst-server/keys/db/*
   v. mkdir /var/lib/smartsense/hst-server/keys/db/newcerts
   vi. touch /var/lib/smartsense/hst-server/keys/db/index.txt
   vii. echo 01 > /var/lib/smartsense/hst-server/keys/db/serial
4. Edit file /var/lib/smartsense/hst-server/keys/ca.config and change line "default_md = md5" to "default_md = sha256"
5. On all HST Agent hosts, clean out the old keys: rm -f /var/lib/smartsense/hst-agent/keys/*
6. If using the HST Gateway:
   i. Stop the gateway: hst gateway stop
   ii. Repeat steps 3 & 4 for the files under /var/lib/smartsense/hst-gateway/keys/ on the HST Gateway host
   iii. Repeat step 5 for the files under /var/lib/smartsense/hst-gateway-client/keys on all HST Server host(s)
   iv. Start the gateway: hst gateway start
7. Use Ambari to start the SmartSense service (all components)
8. Verify both Ambari SmartSense service and SmartSense view shows correct number of agents registered.

NOTE: Turning off two-way SSL is NOT recommended (the error message has been improved in newer versions of HST), and the issue occurs on hosts with following JDK versions or newer:

| JDK Family | Versions |
| --- | --- |
| Oracle | 1.8.0_71 |
| Oracle | 1.7.0_95 |
| Oracle | 1.6.0_111 |
| OpenJDK | 1.7.0_45 |
| OpenJDK | 1.8.0_40 |
Created 05-03-2016 02:20 AM
Also, you can enable the md5 algorithm from your java security by changing the security setting from the file
JAVA_HOME/lib/security/java.security
and deleting the md5 algorithm from the line
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
This worked for me - but when you do this, please be mindful of the security settings that you are impacting on your machine.
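
A check for the condition the two answers above describe, as an added example that is not part of any post and is not SmartSense code: it reads default_md from a ca.config and the two disabledAlgorithms properties from a java.security file, and reports whether the CA still signs with MD5 while the JDK rejects it. The function names and result labels (MISMATCH, WEAK, OK) are made up for this example, the sample files are constructed, and it assumes the properties are written as `name=value` with optional `\` line continuations.

```shell
#!/bin/sh
# Added example, not from the thread: flag the digest mismatch discussed above.
# Usage: sh audit.sh /path/to/ca.config /path/to/java.security

# Print default_md from an OpenSSL-style CA config such as ca.config.
ca_default_md() {
    awk -F= '/^[ \t]*default_md[ \t]*=/ {
        v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v); print tolower(v); exit }' "$1"
}

# Print a java.security property value, joining "\" continuation lines.
java_security_prop() {   # $1 = file, $2 = property name
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        cont || index($0, key "=") == 1 {
            line = $0; cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line); buf = buf line
            if (!cont) { sub(/^[^=]*=/, "", buf); print buf; exit }
        }' "$1"
}

# Exit 0 if algorithm $2 is a whole comma-separated entry of list $1.
list_has_alg() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v a="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, ""); if (toupper($0) == toupper(a)) f = 1 }
        END { exit !f }'
}

# MISMATCH: CA signs with MD5 and the JDK disables MD5 (the failure in this thread).
# WEAK: CA signs with MD5 and the JDK still accepts it. OK: CA uses another digest.
audit_digest() {   # $1 = ca.config, $2 = java.security
    md=$(ca_default_md "$1"); jdk_rejects=no
    for p in jdk.certpath.disabledAlgorithms jdk.tls.disabledAlgorithms; do
        if list_has_alg "$(java_security_prop "$2" "$p")" MD5; then jdk_rejects=yes; fi
    done
    if [ "$md" != "md5" ]; then echo OK
    elif [ "$jdk_rejects" = yes ]; then echo MISMATCH
    else echo WEAK; fi
}

make_samples() {   # constructed sample inputs written into directory $1
    printf '[ CA_default ]\ndefault_md = md5\n' > "$1/ca.config"
    printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024' \
        'jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048' > "$1/java.security"
}

if [ "$#" -eq 2 ]; then audit_digest "$1" "$2"
else tmp=$(mktemp -d); make_samples "$tmp"
     audit_digest "$tmp/ca.config" "$tmp/java.security"; rm -rf "$tmp"   # MISMATCH
fi
```

A WEAK result means certificates are still issued with MD5 signatures and will start failing as soon as the JDK's default disabled list is restored or the JDK is upgraded.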
Created 12-07-2016 05:03 PM
Hi,
I have a similar issue, but it appears when we reboot the server.
07 Dec 2016 06:11:25 ERROR [MainThread] security.py:82 - Two-way SSL authentication failed. [Errno 0] _ssl.c:330: error:00000000:lib(0):func(0):reason(0)
The first thing that I did was find the keys in the HST Agent:
/var/lib/smartsense/hst-agent/keys
The keys were empty, so I followed these steps:
1) In Ambari, restart all smartsense
2) In Ambari --- smartsense -- Restart HST Agent.
and now the keys in the HST Agent are generated.
Regards.
Created 06-02-2017 03:16 AM
For SmartSense versions 1.3.0 and above, we can use the CLI below to regenerate the SSL keys on agents:
# hst reset-agent