Support Questions

Find answers, ask questions, and share your expertise

Impala JDBC client fails to connect to kerberized & ssl enabled cluster

avatar
New Contributor

Hi,

 

We are not able to connect to impala from squirrel /workbench client using JDBC.

At the same time, We are able to successfully connect using ODBC driver.

There is no configuration issue from Kerberos side as we are able to fetch the data using ODBC.

 

We have installed

1) CDH 6.1 cluster

2) MIT Kerberos enabled

3) SSL enabled for Impala

4) Tested using the Impala JDBC driver version 2.5.45(ClouderaImpalaJDBC4_2.5.45)

     and 2.6.2 (impala_jdbc_2.6.2.1003)

 

We are getting the below error

 

[Simba][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Simba][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed
Also, could not send response: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

 

Connection strings:

jdbc:impala://Loadbalancer.amazonaws.com:21050/default;AuthMech=1;KrbHostFQDN=master2-impala-146.com;KrbRealm=PRODIMPALA.COM;KrbServiceName=impala;SSL=1;CAIssuedCertNamesMismatch=1;SocketTimeout=10;loglevel=6;logpath=d:\;TrustedCerts=D:\CA-Certs\\cacerts

 

jdbc:impala://Loadbalancer.amazonaws.com:21050/default;AuthMech=1;KrbHostFQDN=master2-impala-146;KrbRealm=PRODIMPALA.COM;KrbServiceName=impala;ssl=1;CAIssuedCertNamesMismatch=1;loglevel=6;logpath=d:\CA-CERTS\;TrustedCerts="C:\Program Files (x86)\Java\jre1.8.0_201\lib\security\cacerts"

 

jdbc:impala://Loadbalancer.amazonaws.com:21050/default;AuthMech=1;KrbHostFQDN=master2-impala-146;KrbRealm=PRODIMPALA.COM;KrbServiceName=impala;ssl=1;

 

Different Options:

 

1) Imported the pem file into /jre/lib/security/cacerts

2) Copied the jssecacerts from impala node to client node

3) Tried connecting with jks file

4) Tried with both impala jdbc 4 & 4.1 driver.

 

Any help would be really appreciated.

 

Regards,

Balaji

1 ACCEPTED SOLUTION

avatar
New Contributor

Hi Guys.

Well, we had the same problem here and at the end, we identified there something in the network blocking the certificate validation. It was the OpenDns and we solved it by adding the server to the whitelist.

 

Regards

View solution in original post

7 REPLIES 7

avatar
Explorer

I am having the same problem, were you able to resolve this ? If so can you share your experience

avatar
New Contributor

Hi Guys.

Well, we had the same problem here and at the end, we identified there something in the network blocking the certificate validation. It was the OpenDns and we solved it by adding the server to the whitelist.

 

Regards

avatar
Rising Star

Hello Balaji 

 

1. Could you confirm if you are using the same certificates for both the JDBC and ODBC connection strings?

 

2. The error looks like more of cert DNS issue un.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid

 

hat application if it can trust it. The way trust is handled in the Java world is that you have a keystore (typically $JAVA_HOME/lib/security/cacerts), also known as the truststore. This contains a list of all known Certificate Authority (CA) certificates, and Java will only trust certificates that are signed by one of those CAs or public certificates that exist within that keystore. For example, if we look at the certificate for Atlassian, we can see that the *.atlassian.com certificate has been signed by the intermediate certificates, DigiCert High Assurance EV Root CA and DigiCert High Assurance CA-3. These intermediate certificates have been signed by the root  Entrust.net Secure Server CA :

 

 

These three certificates combined are referred to as the certificate chain, and, as they are all within the Java keystore (cacerts), Java will trust any certificates signed by them (in this c

 

This problem is therefore caused by a certificate that is self-signed (a CA did not sign it) or a certificate chain that does not exist within the Java truststore. Java does not trust the certificate and fails to connect to the application.

Resolution

  1. Make sure you have imported the public certificate of the target instance into the truststore..
  2.  
  3. Make sure any certificates have been imported into the correct truststore; you may have multiple JRE/JDKs. See Installing Java for this.
  4. Check to see that the correct truststore is in use. If -Djavax.net.ssl.trustStore has been configured, it will override the location of the default truststore, which will need to be checked.
  5. If this error results while integrating with an LDAP server over LDAPS and there is more than one LDAP server, .  Optionally, import the SSL certificates from the other LDAP servers into the Confluence truststore.
  6. Check if your Anti Virus tool has "SSL Scanning" blocking SSL/TLS. If it does, disable this feature or set exceptions for the target addresses (check the product documentation to see if this is possible.)
  7. If connecting to a mail server, such as Exchange, ensure authentication allows plain text.
  8. Verify that the target server is configured to serve SSL correctly. This can be done with the SSL Server Test tool.
  9. If all else fails, your truststore might be out of date. Upgrade Java to the latest version supported by your application.

 

avatar
Community Manager

@rodrigo_fritsch, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
Community Manager

Hi @rodrigo_fritsch, would you have any update on the solutions provided? If they have helped you resolve the issue, can you kindly accept the appropriate response as a solution? 



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community:

avatar
New Contributor

Hi VydiaSargur!

Maybe I didn't express myself well. I have replied to the topic to help the other people, we had the same problem here and fortunately, we were able to fix it by adding the CDP server to the DNS's whitelist.
Anyway, thank you for your answer. It was complete and surely will be much useful than mine to help other users.

 

Best regards.

 

avatar
Community Manager

Thanks for the confirmation @rodrigo_fritsch. I have marked your reply as the solution. 



Regards,

Vidya Sargur,
Community Manager


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Learn more about the Cloudera Community: