
Ranger error "Keystore was tampered with, or password was incorrect"

New Contributor

Hi, we get the following Ranger error - maybe you can help me to fix it as soon as possible?! (We activated MIT Kerberos). Thanks in advance!

How can I check that the password of the keystore file is correct? And where can I change it?

Feb 17, 2020 4:29:56 PM org.apache.ranger.server.tomcat.EmbeddedServer start
INFO: Provided Kerberos Credential : Principal = rangeradmin/pdeluh0004392.hub.deluh.example.com@RDDL.PROD.EXAMPLE.COM and Keytab = /etc/security/keytabs/rangeradmin.service.keytab
Feb 17, 2020 4:29:56 PM org.apache.ranger.server.tomcat.EmbeddedServer$1 run
INFO: Starting Server using kerberos credential
Feb 17, 2020 4:29:57 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-6182"]
Feb 17, 2020 4:29:57 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-6182"]
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:785)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:497)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:381)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:654)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:594)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:539)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:255)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:728)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:135)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:370)
at org.apache.ranger.server.tomcat.EmbeddedServer.startServer(EmbeddedServer.java:271)
at org.apache.ranger.server.tomcat.EmbeddedServer.access$100(EmbeddedServer.java:44)
at org.apache.ranger.server.tomcat.EmbeddedServer$1.run(EmbeddedServer.java:253)
at org.apache.ranger.server.tomcat.EmbeddedServer$1.run(EmbeddedServer.java:249)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.server.tomcat.EmbeddedServer.start(EmbeddedServer.java:249)
at org.apache.ranger.server.tomcat.EmbeddedServer.main(EmbeddedServer.java:68)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:783)
... 30 more

1 ACCEPTED SOLUTION

Cloudera Employee

To work further on this you need to verify the Ranger keystore and truststore password.

To do that, please use the command below.
>> keytool -list -keystore /Path/to/the/keystore

The above command will ask for the password. If you enter the right password it will show the data, otherwise it will not. You need to use the same configuration under the Ranger configuration.

 


2 REPLIES 2


 

Rising Star

It seems a wrong configuration/password is passed in the Ranger configuration, which is unable to open the keystore using the same.

 

$JAVA_HOME/bin/keytool -list -keystore <keystore path with .keystore.jks> -storepass <password>

 

Check with the above command if you are able to list the keystore contents using the password you pass above. Ensure the same is configured in the ranger configuration.
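
Why the error in the question cannot tell a wrong password from a modified file, shown as an added example (not code from this thread or from Ranger): the JKS loader in the stack trace recomputes a SHA-1 over the password, a fixed string and the file body, then compares it with the last 20 bytes of the file. The function names and the sample keystore are constructed for illustration; when given a file path, the script prompts for the password instead of taking it on the command line.

```python
import getpass
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED          # first four bytes of a JKS file
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash
DIGEST_LEN = 20                 # trailing SHA-1 digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (two bytes per char, big-endian), whitener, body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def check_jks_password(data: bytes, password: str) -> str:
    """Return 'ok', 'mismatch' (wrong password OR modified file) or 'not-jks'."""
    if len(data) < 12 + DIGEST_LEN:
        return "not-jks"
    magic, version, _entries = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not-jks"
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    ok = hmac.compare_digest(jks_digest(password, body), stored)
    return "ok" if ok else "mismatch"


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    if len(sys.argv) == 2:   # check a real file; password is prompted, not in argv
        with open(sys.argv[1], "rb") as f:
            print(check_jks_password(f.read(), getpass.getpass("Keystore password: ")))
    else:                    # demo on the constructed sample
        sample = make_empty_jks("changeit-demo")
        tampered = sample[:11] + b"\x01" + sample[12:]        # flip one body byte
        print(check_jks_password(sample, "changeit-demo"))    # ok
        print(check_jks_password(sample, "wrong"))            # mismatch
        print(check_jks_password(tampered, "changeit-demo"))  # mismatch
```

A "not-jks" result means the file does not start with the JKS header, so the keystore type configured for Ranger is the next thing to check.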
