Support Questions

Find answers, ask questions, and share your expertise

How to turn off 2 way SSL authentication for smartsense agent?

avatar
Super Collaborator

I am trying to restart my hst-agent, but it repeatedly fails with below error message:

ERROR 2016-05-02 03:08:20,978 security.py:78 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent. 

In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in agent configuration(hst-agent.ini)

Exiting.. 

ERROR 2016-05-02 03:08:20,979 security.py:86 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol

I even tried deleting all the hst-agent keys bit still to no avail.

I am trying to setup the smartsense on my HDP 2.4 VM

1 ACCEPTED SOLUTION

avatar

This error occurs because the md5 digest became deprecated in favor of sha256 in recent versions of Java. It is fixed in the next SmartSense HST release. The workaround is somewhat complicated, so we recommend you open a support case for assistance. If you wish to attempt it yourself, here is the process...

WORKAROUND: Change the default digest to “sha256” instead of “md5” and then regenerate all certificates. Follow these steps:

  1. Use Ambari to stop the SmartSense service (all components)
  2. Backup the old server keys on the HST Server host: cp -rp /var/lib/smartsense/hst-server/keys /var/lib/smartsense/hst-server/keys.backup
  3. On the HST Server host, clean out the old keys:i. rm -f /var/lib/smartsense/hst-server/keys/ca.key
    1. rm -f /var/lib/smartsense/hst-server/keys/*.csr
    2. rm -f /var/lib/smartsense/hst-server/keys/*.crt
    3. rm -rf /var/lib/smartsense/hst-server/keys/db/*
    4. mkdir /var/lib/smartsense/hst-server/keys/db/newcerts
    5. touch /var/lib/smartsense/hst-server/keys/db/index.txt
    6. echo 01 > /var/lib/smartsense/hst-server/keys/db/serial
  4. Edit file /var/lib/smartsense/hst-server/keys/ca.config and change line "default_md = md5" to "default_md = sha256"
  5. On all HST Agent hosts, clean out the old keys: rm -f /var/lib/smartsense/hst-agent/keys/*
  6. If using the HST Gateway:
    1. Stop the gateway: hst gateway stop
    2. Repeat steps 3 & 4 for the files under /var/lib/smartsense/hst-gateway/keys/ on the HST Gateway host
    3. Repeat step 5 for the files under /var/lib/smartsense/hst-gateway-client/keys on all HST Server host(s)
    4. Start the gateway: hst gateway start
  7. Use Ambari to start the SmartSense service (all components)
  8. Verify both Ambari SmartSense service and SmartSense view shows correct number of agents registered.

NOTE: Turning off two-way SSL is NOT recommended (the error message has been improved in newer versions of HST), and the issue occurs on hosts with following JDK versions or newer:

JDK FamilyVersions
Oracle1.8.0_71
Oracle1.7.0_95
Oracle1.6.0_111
OpenJDK1.7.0_45
OpenJDK1.8.0_40

View solution in original post

4 REPLIES 4

avatar

This error occurs because the md5 digest became deprecated in favor of sha256 in recent versions of Java. It is fixed in the next SmartSense HST release. The workaround is somewhat complicated, so we recommend you open a support case for assistance. If you wish to attempt it yourself, here is the process...

WORKAROUND: Change the default digest to “sha256” instead of “md5” and then regenerate all certificates. Follow these steps:

  1. Use Ambari to stop the SmartSense service (all components)
  2. Backup the old server keys on the HST Server host: cp -rp /var/lib/smartsense/hst-server/keys /var/lib/smartsense/hst-server/keys.backup
  3. On the HST Server host, clean out the old keys:i. rm -f /var/lib/smartsense/hst-server/keys/ca.key
    1. rm -f /var/lib/smartsense/hst-server/keys/*.csr
    2. rm -f /var/lib/smartsense/hst-server/keys/*.crt
    3. rm -rf /var/lib/smartsense/hst-server/keys/db/*
    4. mkdir /var/lib/smartsense/hst-server/keys/db/newcerts
    5. touch /var/lib/smartsense/hst-server/keys/db/index.txt
    6. echo 01 > /var/lib/smartsense/hst-server/keys/db/serial
  4. Edit file /var/lib/smartsense/hst-server/keys/ca.config and change line "default_md = md5" to "default_md = sha256"
  5. On all HST Agent hosts, clean out the old keys: rm -f /var/lib/smartsense/hst-agent/keys/*
  6. If using the HST Gateway:
    1. Stop the gateway: hst gateway stop
    2. Repeat steps 3 & 4 for the files under /var/lib/smartsense/hst-gateway/keys/ on the HST Gateway host
    3. Repeat step 5 for the files under /var/lib/smartsense/hst-gateway-client/keys on all HST Server host(s)
    4. Start the gateway: hst gateway start
  7. Use Ambari to start the SmartSense service (all components)
  8. Verify both Ambari SmartSense service and SmartSense view shows correct number of agents registered.

NOTE: Turning off two-way SSL is NOT recommended (the error message has been improved in newer versions of HST), and the issue occurs on hosts with following JDK versions or newer:

JDK FamilyVersions
Oracle1.8.0_71
Oracle1.7.0_95
Oracle1.6.0_111
OpenJDK1.7.0_45
OpenJDK1.8.0_40

avatar
Super Collaborator

Also, you can enable the md5 algorithm from your java security by changing the security setting from the file

JAVA_HOME/lib/security/java.security

and deleting the md5 algorithm from the line

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

This worked for me - but when you do this, please be mindful of the security settings that you are impacting your machine.

avatar
Explorer

Hi ,

I have the a similar issue but appears when we reboot the server.

07 Dec 2016 06:11:25 ERROR [MainThread] security.py:82 - Two-way SSL authentication failed. [Errno 0] _ssl.c:330: error:00000000:lib(0):func(0):reason(0)

The first thing that I do was find the keys in the HST Agent

/var/lib/smartsense/hst-agent/keys

The keys was empty. So I followed the next steps

1) In Ambari , restart all smartsense

2) In Ambari --- smartsense -- Restart HST Agent.

and now , the keys in the HST Agent are genereted.

Regards.

avatar
Contributor

For SmartSense versions 1.3.0 and above, we can use below CLI to regenerate the SSL keys on agents

# hst reset-agent