Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger KMS/Admin: "the trustAnchors parameter must be non-empty"

Ranger KMS/Admin: "the trustAnchors parameter must be non-empty"

New Contributor

Hello,

When I test my connection on ranger KMS UI I got the following error message :

org.apache.ranger.plugin.client.HadoopException: Exception while getting Kms Key List. URL : https://MYserver:9393/kms/v1/keys/names?user.name=keyadmin. Exception while getting Kms Key List. URL : https://MYserver:9393/kms/v1/keys/names?user.name=keyadmin. javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty. java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty. Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.

the trustAnchors parameter must be non-empty.

When I go to ranger-admin log I see :

2017-06-08 11:30:14,903 [timed-executor-pool-0] ERROR apache.ranger.services.kms.client.KMSClient (KMSClient.java:285) - Exception while getting Kms Key List. URL : https://tpcrmm01s.priv.atos.fr:9393/kms/v1/keys/names?user.name=keyadmin com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131) at com.sun.jersey.api.client.Client.handle(Client.java:616) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:559) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:72) at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:454) at org.apache.ranger.services.kms.client.KMSClient.getKeyList(KMSClient.java:177) at org.apache.ranger.services.kms.client.KMSClient.getKmsKey(KMSClient.java:382) at org.apache.ranger.services.kms.client.KMSClient.testConnection(KMSClient.java:317) at org.apache.ranger.services.kms.client.KMSResourceMgr.validateConfig(KMSResourceMgr.java:41) at org.apache.ranger.services.kms.RangerServiceKMS.validateConfig(RangerServiceKMS.java:55) at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:560) at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:547) at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:508) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:218) at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:129) ... 16 more Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90) at sun.security.validator.Validator.getInstance(Validator.java:179) at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312) at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ... 25 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120) at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104) at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88) ... 37 more

I don't find the trust Anchor and all my trustore/keystore are working.

Thanks for your help

Fabien

3 REPLIES 3

Re: Ranger KMS/Admin: "the trustAnchors parameter must be non-empty"

New Contributor

You have the UI set to SSL mode. Please check to ensure you have configured the trust store correctly and have correctly loaded in the SSL certificate you wish to server with the Ranger UI.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/configure_ambari_...

Re: Ranger KMS/Admin: "the trustAnchors parameter must be non-empty"

New Contributor

I have already follow all the steps.

Highlighted

Re: Ranger KMS/Admin: "the trustAnchors parameter must be non-empty"

New Contributor

You can use syntax like:

keytool -list -v -keystore /etc/security/ssl/hdp_keystore.jks -storepass Hadoop123

Replacing the path and password to that configured in Ranger to test the keystore and ensure the path/password and certificated included are correct

Don't have an account?
Coming from Hortonworks? Activate your account here