Support Questions
Find answers, ask questions, and share your expertise

KMS - AuthenticationToken ignored - Invalid signature - A009: HTTP status [403], message [Forbidden]

KMS - AuthenticationToken ignored - Invalid signature - A009: HTTP status [403], message [Forbidden]


Dear Friends


Based on my original post from

and the last response (This is probably related to kms, as stated somewhere else, I hope they will be able to help about that!), I think the issue (Start_Retry halt status in Pig Editor in Hue) is due to a recent bug mentioned at

We have recently upgraded both CM and CDH to from 5.2 to 5.3 but the bug still exists. So seems it has not completely been fixed as the error messages mentioned in the URL above are exact the same as our error messages we got as below (highlighed in Bold).


Would you please let us know if my understanding is correct and if not, what how do you suggest to fix the issue. If yes, does anybody know if it is going to be fixed in the future release i.e. 5.3.1. 

Thanks much for you attention.


P.S. more on KMS: 

Kind regards

from /var/log/hadoop-kms/kms.log

2015-01-01 16:25:46,866 WARN
AuthenticationToken ignored: Invalid signature
from pig job's log in hue (from Oozie dahsboar/workflows --> log tab)

2015-01-01 16:25:46,875 WARN SERVER[] USER[my_active_dir_user_name] GROUP[-] TOKEN[] APP[pig-app-hue-script] JOB[0000012-141228125521164-oozie-oozi-W] ACTION[0000012-141228125521164-oozie-oozi-W@pig] Error starting action [pig]. ErrorType [TRANSIENT], ErrorCode [JA009], Message [JA009: HTTP status [403], message [Forbidden]]
org.apache.oozie.action.ActionExecutorException: JA009: HTTP status [403], message [Forbidden]
Caused by: HTTP status [403], message [Forbidden]
at org.apache.hadoop.util.HttpExceptionUtils.validateResponse(

at org.apache.hadoop.crypto.key.kms.KMSClientProvider.addDelegationTokens(

at org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.addDelegationTokens(