Support Questions
Find answers, ask questions, and share your expertise

New LDAP configuration failing with "SSLHandshakeException: Received fatal alert: handshake_failure"

New Contributor

We need to update our LDAP configuration because our certificate is going to expire; we have a test ldaps server set up with the new certificate.  From within CDH->Administration->Settings, I pointed the "LDAP URL" to the new server.

 

simple bind failed: ldapsdev.{obscured domain}:3269; nested exception is javax.naming.CommunicationException: simple bind failed: ldapsdev.{obscureddomain}:3269 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]

 

 Under the assumption that a cert needed to be added, I tried to figure out how, but could find zero documentation other than this:
https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365

That relates to Atlas, which we don't use, but seemed right.  I downloaded "ldapsdev-ca.crt" from the ldaps server:

 

echo -n | openssl s_client -connect ldapsdev.{obscureddomain}:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapsdev-ca.crt

 

And then imported it into /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts.  When I do a keytool -list on that, I see it in there.  I then restarted cloudera-scm-server, but I still get the same error.

Was that not the right cacerts file?  There are others in various subdirs under /etc/pki I could try to add to, but it'd be nice to know for sure which file Cloudera Server is trying to use.  Thanks!!!

1 REPLY 1

Expert Contributor

Hi Matt,

 

assuming you want to enable external authentication to LDAP in Cloudera Manager. Please find steps in the product documentation here for 6.x and here for 7.x 

The steps you listed seem about right and should work. I suggest to verify if CM makes use of this JDK in the CM -> Support -> About page, and if necessary follow the steps in documentation to explicitly set the -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword startup properties.

; ;