Invalid TLS keystore config. Starting server without TLS



I have Cloudera Hadoop 5.7.5 and am configuring SSL access to the Cloudera Admin Console using self-signed certificates according to the instructions in:



After restarting the Cloudera Manager server, SSL doesn't work and I have this error in the server log:

"2017-04-07 11:21:13,251 ERROR MainThread:com.cloudera.server.cmf.WebServerImpl: Invalid TLS keystore config. Starting server without TLS."


Below the used commands:

keytool -genkeypair -keystore lvpal1525.keystore -keyalg RSA -alias lvpal1525 -dname "" -storepass Abcd1234 -keypass Abcd1234 -validity 365


cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts


keytool -export -alias lvpal1525 -keystore lvpal1525.keystore -rfc -file selfsigned.cer -storepass Abcd1234


cp selfsigned.cer /opt/cloudera/security/x509/lvpal1525.pem

chown cloudera-scm:cloudera-scm /opt/cloudera/security/x509/lvpal1525.pem


keytool -import -alias lvpal1525 -file /opt/cloudera/security/jks/selfsigned.cer -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit


Then in worker nodes:


keytool -import -alias lvpal1525 -file /tmp/selfsigned.cer -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit


Then I changed the security settings in Cloudera Manager to reflect the keystore location and password, as well as the flag to use TLS for the Admin Console.


Any help will be appreciated.






Can you post a screenshot of the CM TLS configs? It will just be a guessing game until then.

Nothing looks off in the commands. It is complaining about the keystore. Do you have lvpal1525.keystore set as the Keystore and jssecacerts set as the truststore?

What are the permissions for each? The keystore should be 0440 and the truststore 0444.


Hi Master.


Thanks for taking a look at this. Yes, lvpal1525 is the keystore and jssecacerts is the truststore. Here is the configuration:





It is hard to see, but it seems that you are setting lvapal1525-keystore.jks but the file is actually lvpal1525.keystore.jks. It may be a permissions issue if that name is correct. My Cloudera server is running all CM processes as root, not cloudera-scm. Change the ownership if that is the case for you.
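The checks suggested in the replies above (exact file name, file mode, and whether the store opens) can be scripted before restarting the server. This is an added example, not part of the original thread or Cloudera's tooling; the function names and the KS_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the keystore path configured in Cloudera Manager.
# Assumptions (not from the thread): function names and the KS_PASS variable.

# check_keystore_file PATH MODE: the file must exist under exactly this name
# and carry exactly this octal mode (the thread suggests 0440).
check_keystore_file() {
    ks_path=$1; ks_mode=$2
    if [ ! -f "$ks_path" ]; then
        echo "FAIL: $ks_path does not exist (compare with the configured name)" >&2
        return 1
    fi
    # POSIX find: -perm with an octal mode matches the permission bits exactly.
    if [ -z "$(find "$ks_path" -prune -perm "$ks_mode")" ]; then
        echo "FAIL: $ks_path mode is not $ks_mode" >&2
        return 2
    fi
    return 0
}

# check_keystore_opens PATH: the store password (read from $KS_PASS so it
# never appears in the process list) must open the store, and the store must
# hold a private key entry, not only an imported certificate.
check_keystore_opens() {
    command -v keytool >/dev/null 2>&1 || { echo "SKIP: keytool not on PATH" >&2; return 3; }
    listing=$(keytool -list -keystore "$1" -storepass:env KS_PASS 2>&1) || {
        echo "FAIL: keytool cannot open $1" >&2; return 4; }
    case $listing in
        *PrivateKeyEntry*) return 0 ;;
        *) echo "FAIL: no PrivateKeyEntry in $1" >&2; return 5 ;;
    esac
}

# Run both checks when called with a path, e.g.
#   KS_PASS=... sh check_ks.sh /path/to/store.jks 440
if [ "$#" -ge 1 ]; then
    check_keystore_file "$1" "${2:-440}" && check_keystore_opens "$1"
fi
```

Run it as the account that owns the Cloudera Manager server process, so that a readable-by-root-only file shows up as a failure rather than passing.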


Thanks Master.


After correcting and applying the recommendations, I'm going forward with the next steps.


Best regards
