New LDAP configuration failing with "SSLHandshakeException: Received fatal alert: handshake_failure"

New Contributor

We need to update our LDAP configuration because our certificate is going to expire; we have a test ldaps server set up with the new certificate.  From within CDH->Administration->Settings, I pointed the "LDAP URL" to the new server.
simple bind failed: ldapsdev.{obscured domain}:3269; nested exception is javax.naming.CommunicationException: simple bind failed: ldapsdev.{obscureddomain}:3269 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
Under the assumption that a cert needed to be added, I tried to figure out how, but could find zero documentation other than this:
https://community.cloudera.com/t5/Community-Articles/Steps-to-setup-Atlas-with-Ldaps-SSL/ta-p/247365

That relates to Atlas, which we don't use, but seemed right.  I downloaded "ldapsdev-ca.crt" from the ldaps server:
echo -n | openssl s_client -connect ldapsdev.{obscureddomain}:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapsdev-ca.crt
And then imported it into /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts.  When I do a keytool -list on that, I see it in there.  I then restarted cloudera-scm-server, but I still get the same error.

Was that not the right cacerts file?  There are others in various subdirs under /etc/pki I could try to add to, but it'd be nice to know for sure which file Cloudera Server is trying to use.  Thanks!!!

Super Collaborator

Hi Matt,
Assuming you want to enable external authentication to LDAP in Cloudera Manager, please find the steps in the product documentation here for 6.x and here for 7.x.

The steps you listed seem about right and should work. I suggest verifying whether CM makes use of this JDK on the CM -> Support -> About page and, if necessary, following the steps in the documentation to explicitly set the -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword startup properties.
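To answer the "which cacerts file is the server actually using" question, here is an added Python helper (not from the thread and not Cloudera's code) that applies the JSSE trust-store lookup order to a JVM command line, so you can check whether the file you imported the certificate into is the one the running JVM consults. The command line, the /opt/cm paths and the OpenJDK 8 path below are constructed examples, not values from the thread.

```python
"""Work out which Java trust store a JVM (e.g. cloudera-scm-server) will use.

JSSE picks the trust store in this order:
  1. the -Djavax.net.ssl.trustStore system property, if set;
  2. <java.home>/lib/security/jssecacerts, if that file exists;
  3. <java.home>/lib/security/cacerts.
On JDK 7/8, java.home is the JDK's jre/ subdirectory, which is why the
path in the question ends in jre/lib/security/cacerts.
"""
import os
import shlex


def jvm_system_properties(cmdline):
    """Return the -Dkey=value system properties found on a JVM command line."""
    props = {}
    for token in shlex.split(cmdline):
        if token.startswith("-D") and "=" in token:
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def resolve_truststore(cmdline, java_home, exists=os.path.exists):
    """Return (path, reason) for the trust store this JVM will consult.

    `exists` is injectable so the lookup can be exercised without a JDK present.
    """
    explicit = jvm_system_properties(cmdline).get("javax.net.ssl.trustStore")
    if explicit:
        return explicit, "set by -Djavax.net.ssl.trustStore"
    security_dir = os.path.join(java_home, "lib", "security")
    jssecacerts = os.path.join(security_dir, "jssecacerts")
    if exists(jssecacerts):
        return jssecacerts, "jssecacerts overrides cacerts"
    return os.path.join(security_dir, "cacerts"), "default cacerts"


def imported_into_right_store(imported_path, cmdline, java_home, exists=os.path.exists):
    """True if the file you ran `keytool -importcert` on is the effective store."""
    effective, _ = resolve_truststore(cmdline, java_home, exists)
    return os.path.realpath(imported_path) == os.path.realpath(effective)


if __name__ == "__main__":
    # Constructed scenario: CM was started from a different JDK than the one
    # the certificate was imported into, so the import has no effect.
    CMDLINE = "/usr/lib/jvm/java-8-openjdk/jre/bin/java -Xmx2g -cp '/opt/cm/lib/*' Main"
    JAVA_HOME = "/usr/lib/jvm/java-8-openjdk/jre"
    IMPORTED = "/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts"
    print("effective trust store:", resolve_truststore(CMDLINE, JAVA_HOME, exists=lambda p: False))
    print("import landed in the effective store:",
          imported_into_right_store(IMPORTED, CMDLINE, JAVA_HOME, exists=lambda p: False))
```

On the CM host, feed it the real command line from `ps -o args= -p <pid>` of the cloudera-scm-server process and the java.home shown on the Support -> About page.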