Support Questions

OptOut · ‎05-18-2022

Testing this on our non-prod cluster and finding Cloudera manager won't start after switching from Oracle to Open JDK. Followed the Cloudera documentation and it appears to be working, but after removing Oracle RPM things went kablooey. Anyone have any suggestions? From CM log:

cResourcePool$ScatteredAcquireTask@1f258f49 -- Acquisition Attempt Failed!!! Clearing pending acquires. While trying to acquire a needed new resource, we failed to succeed more than the maximum number of allowed acquisition attempts (5). Last acquisition attempt exception:
com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 1 milliseconds ago. The last packet sent successfully to the server was 1 milliseconds ago.
at sun.reflect.GeneratedConstructorAccessor61.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:990)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:201)
at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4912)
at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1663)
at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1224)
at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2190)
at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2221)
at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2016)
at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:776)
at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
at sun.reflect.GeneratedConstructorAccessor46.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:386)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330)
at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:146)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:195)
at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:184)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:200)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1086)
at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1073)
at com.mchange.v2.resourcepool.BasicResourcePool.access$800(BasicResourcePool.java:44)
at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1810)
at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:648)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428)
at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:186)

araujo · ‎05-19-2022

It could be. Check the file $JAVA_HOME/jre/lib/security/java.security. You'll find something like the below in it:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

If TLSv1 and TLSv1.1 are disabled in your version, you can try to remove them from the disabled list and try again.

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

araujo · ‎05-19-2022

If it fails, please share the modified setting so that I can take a look.

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

OptOut · ‎05-19-2022

Added this setting:

export JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk"

Restart of CM worked this time.

Rolling restart of services fails with same error above at Sentry service.

Do you know if it is safe to remove custom keystore settings for oracle jdk? I can't find a lot of info on this. This is a Kerberized cluster.

Looks like the setting is fine from service status: cm-server[135721]: JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk

araujo · ‎05-19-2022

Now that CM has started correctly, go to Hosts > All Hosts > Configuration and set the "Java Home Directory" property to /usr/lib/jvm/java-1.8.0-openjdk

After that do a full cluster restart from CM.

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

OptOut · ‎05-19-2022

Applied the config, but get same error from Sentry as above when initiating Rolling Restart to apply configuration.

araujo · ‎05-19-2022

Is SSL enabled for your MySQL?

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

OptOut · ‎05-19-2022

Not sure how to check for that.

OptOut · ‎05-19-2022

I suspect it is. I have a working theory now. The mysql version installed looks like it supports TLS 1.0 and 1.1 only. This is a recent version of Open JDK and it could be that it does not work with TLS below 1.2.

araujo · ‎05-19-2022

It could be. Check the file $JAVA_HOME/jre/lib/security/java.security. You'll find something like the below in it:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

If TLSv1 and TLSv1.1 are disabled in your version, you can try to remove them from the disabled list and try again.

Cheers,

André

--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs up button.

OptOut · ‎05-19-2022

Thanks for the reply! I had come to the same conclusion, although you may not believe it. Sentry is back up and I'm trying to restart things to see where else it might break, at this time! I appreciate your replies and will follow up if I succeed or hit a different issue.

OptOut · ‎05-19-2022

Okay, only Oozie also needed the change but now everything is working! Will have to figure out longer term plan, but first things first.

Cloudera Community

Support Questions

Migrating from Oracle JDK to Open JDK (CDH 6.3.0)

how to migrate oracle jdk to open jdk in cdh clus...

Impersonation issue after migrating from Oracle JD...

Ambari JDK update process

HDP 3.1.0 with Oracle JDK 11.1.0 Support

JDK Changes Causing Ambari Server/Agent Registrati...

Required permissions for my custom JDK ?

Failed to install jdk package

CDH 5 (Latest) Fails to deploy using CM on JDK Ins...

Why does the download fail when the HDP gsinstalle...

Connect Oracle SQL Developer to Hive