Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to turn off 2 way SSL authentication for smartsense agent?

Labels:
avatar
author-rank hduraiswamy
Super Collaborator

Created ‎05-02-2016 03:23 AM

I am trying to restart my hst-agent, but it repeatedly fails with below error message:

ERROR 2016-05-02 03:08:20,978 security.py:78 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent. 

In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in agent configuration(hst-agent.ini)

Exiting.. 

ERROR 2016-05-02 03:08:20,979 security.py:86 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol

I even tried deleting all the hst-agent keys bit still to no avail.

I am trying to setup the smartsense on my HDP 2.4 VM

7,979 Views
1 ACCEPTED SOLUTION

avatar
author-rank amiller
Guru

Created ‎05-02-2016 06:25 PM

This error occurs because the md5 digest became deprecated in favor of sha256 in recent versions of Java. It is fixed in the next SmartSense HST release. The workaround is somewhat complicated, so we recommend you open a support case for assistance. If you wish to attempt it yourself, here is the process...

WORKAROUND: Change the default digest to “sha256” instead of “md5” and then regenerate all certificates. Follow these steps:

  1. Use Ambari to stop the SmartSense service (all components)
  2. Backup the old server keys on the HST Server host: cp -rp /var/lib/smartsense/hst-server/keys /var/lib/smartsense/hst-server/keys.backup
  3. On the HST Server host, clean out the old keys:i. rm -f /var/lib/smartsense/hst-server/keys/ca.key
    1. rm -f /var/lib/smartsense/hst-server/keys/*.csr
    2. rm -f /var/lib/smartsense/hst-server/keys/*.crt
    3. rm -rf /var/lib/smartsense/hst-server/keys/db/*
    4. mkdir /var/lib/smartsense/hst-server/keys/db/newcerts
    5. touch /var/lib/smartsense/hst-server/keys/db/index.txt
    6. echo 01 > /var/lib/smartsense/hst-server/keys/db/serial
  4. Edit file /var/lib/smartsense/hst-server/keys/ca.config and change line "default_md = md5" to "default_md = sha256"
  5. On all HST Agent hosts, clean out the old keys: rm -f /var/lib/smartsense/hst-agent/keys/*
  6. If using the HST Gateway:
    1. Stop the gateway: hst gateway stop
    2. Repeat steps 3 & 4 for the files under /var/lib/smartsense/hst-gateway/keys/ on the HST Gateway host
    3. Repeat step 5 for the files under /var/lib/smartsense/hst-gateway-client/keys on all HST Server host(s)
    4. Start the gateway: hst gateway start
  7. Use Ambari to start the SmartSense service (all components)
  8. Verify both Ambari SmartSense service and SmartSense view shows correct number of agents registered.

NOTE: Turning off two-way SSL is NOT recommended (the error message has been improved in newer versions of HST), and the issue occurs on hosts with following JDK versions or newer:

JDK FamilyVersions
Oracle1.8.0_71
Oracle1.7.0_95
Oracle1.6.0_111
OpenJDK1.7.0_45
OpenJDK1.8.0_40

View solution in original post

4,739 Views
4 REPLIES 4

avatar
author-rank amiller
Guru

Created ‎05-02-2016 06:25 PM

This error occurs because the md5 digest became deprecated in favor of sha256 in recent versions of Java. It is fixed in the next SmartSense HST release. The workaround is somewhat complicated, so we recommend you open a support case for assistance. If you wish to attempt it yourself, here is the process...

WORKAROUND: Change the default digest to “sha256” instead of “md5” and then regenerate all certificates. Follow these steps:

  1. Use Ambari to stop the SmartSense service (all components)
  2. Backup the old server keys on the HST Server host: cp -rp /var/lib/smartsense/hst-server/keys /var/lib/smartsense/hst-server/keys.backup
  3. On the HST Server host, clean out the old keys:i. rm -f /var/lib/smartsense/hst-server/keys/ca.key
    1. rm -f /var/lib/smartsense/hst-server/keys/*.csr
    2. rm -f /var/lib/smartsense/hst-server/keys/*.crt
    3. rm -rf /var/lib/smartsense/hst-server/keys/db/*
    4. mkdir /var/lib/smartsense/hst-server/keys/db/newcerts
    5. touch /var/lib/smartsense/hst-server/keys/db/index.txt
    6. echo 01 > /var/lib/smartsense/hst-server/keys/db/serial
  4. Edit file /var/lib/smartsense/hst-server/keys/ca.config and change line "default_md = md5" to "default_md = sha256"
  5. On all HST Agent hosts, clean out the old keys: rm -f /var/lib/smartsense/hst-agent/keys/*
  6. If using the HST Gateway:
    1. Stop the gateway: hst gateway stop
    2. Repeat steps 3 & 4 for the files under /var/lib/smartsense/hst-gateway/keys/ on the HST Gateway host
    3. Repeat step 5 for the files under /var/lib/smartsense/hst-gateway-client/keys on all HST Server host(s)
    4. Start the gateway: hst gateway start
  7. Use Ambari to start the SmartSense service (all components)
  8. Verify both Ambari SmartSense service and SmartSense view shows correct number of agents registered.

NOTE: Turning off two-way SSL is NOT recommended (the error message has been improved in newer versions of HST), and the issue occurs on hosts with following JDK versions or newer:

JDK FamilyVersions
Oracle1.8.0_71
Oracle1.7.0_95
Oracle1.6.0_111
OpenJDK1.7.0_45
OpenJDK1.8.0_40
4,740 Views

avatar
author-rank hduraiswamy
Super Collaborator

Created ‎05-03-2016 02:20 AM

Also, you can enable the md5 algorithm from your java security by changing the security setting from the file

JAVA_HOME/lib/security/java.security

and deleting the md5 algorithm from the line

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

This worked for me - but when you do this, please be mindful of the security settings that you are impacting your machine.

4,739 Views

avatar
author-rank luis_picazo
Explorer

Created ‎12-07-2016 05:03 PM

Hi ,

I have the a similar issue but appears when we reboot the server.

07 Dec 2016 06:11:25 ERROR [MainThread] security.py:82 - Two-way SSL authentication failed. [Errno 0] _ssl.c:330: error:00000000:lib(0):func(0):reason(0)

The first thing that I do was find the keys in the HST Agent

/var/lib/smartsense/hst-agent/keys

The keys was empty. So I followed the next steps

1) In Ambari , restart all smartsense

2) In Ambari --- smartsense -- Restart HST Agent.

and now , the keys in the HST Agent are genereted.

Regards.

4,739 Views
0 Kudos

avatar
author-rank sappusamy author-rank
Contributor

Created ‎06-02-2017 03:16 AM

For SmartSense versions 1.3.0 and above, we can use below CLI to regenerate the SSL keys on agents

# hst reset-agent

4,739 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements