Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Ranger knox repo test connection failure


Install service knox successfully using self signed and integrated with Ranger. But on Ranger UI clicking on Knox test connection gets failed with below error. Below find first details of cluster.


HDP: 2.6

Kerberos Enabled: YES ( Windows AD 2012 R2)

Authentication: AD with LDAPS ( Windows AD 2012 R2)

Ranger Enabled: YES

RANGER Usersync and GroupSync: YES with windows AD

Ambari Enabled AD: YES

KNOX Enabled with AD: YES (except Admin account/topology)

KNOX advance topology have definition for zookeeper dynamic discovery and webhdfs ha: YES

Knox repository visible in Ranger UI: YES


While clicking on test connection getting below error.

2017-12-22 10:32:28,699 [timed-executor-pool-0] ERROR ( - Exception on REST call to KnoxUrl : https://vijayhdp-1.novalocal:8443/gateway/admin/api/v1/topologies. com.sun.jersey.api.client.ClientHandlerException: java.lang.RuntimeException: Unexpected error: the trustAnchors parameter must be non-empty at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle( at com.sun.jersey.api.client.filter.HTTPBasicAuthFilter.handle( at com.sun.jersey.api.client.Client.handle( at com.sun.jersey.api.client.WebResource.handle( at com.sun.jersey.api.client.WebResource.access$200( at com.sun.jersey.api.client.WebResource$Builder.get( at at$ at$ at at at at at at$ValidateCallable.actualCall( at$ValidateCallable.actualCall( at$ at at java.util.concurrent.ThreadPoolExecutor.runWorker( at java.util.concurrent.ThreadPoolExecutor$ at Caused by: java.lang.RuntimeException: Unexpected error: the trustAnchors parameter must be non-empty

On Ranger UI - Audit - plugins - no knox pluging names data present.

Kindly suggest to fix it.

- Vijay Mishra


Cloudera Employee

Vijay Mishra, can you try the suggestions posted in this article



I already have done the SSL truststore for knox with ranger but it was failing.

As per article which u refered they talked if not working then update below property in ranger-admin

  1. ranger.truststore.file=/usr/hdp/current/ranger-admin/cacertswithknox
  2. ranger.truststore.password=changeit

Which i have done and ranger knox Test connection is success.

Thanks for sharing the article helps to fix the issue.

- Vijay Mishra

Cloudera Employee

@Vijay Mishra, The mentioned properties should now be available on Ambari Ranger-configurations, and you might not need to add the properties to ranger-admin*.sh script manually.
Glad to know the issue was fixed.

Correct steps for Using Ranger with KNOX

1. Install Ranger and setup SSL for Ranger Admin
2. Install Knox and do topology xml changes.
3. Enable Knox plugin and setup SSL for Knox plugin
4. Add "ranger-admin-trust.cer" into cacerts file of java using below command on knox host
"/usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /etc/ranger/admin/conf/ranger-admin-trust.cer -alias rangeradmin -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts"
5. Followe the steps for Knox test connection to be successful
can you please check if you missed any of this?


Deepak Sharma

Issue fixed, have done the same steps which u have mentioned above.

In ur steps u have mentioned install knox and do ui.xml changes, r u talking about topology files ?

- Vijay Mishra

yes Vijay its topology file changes only

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.