Receiving Unauthorized access - unable to get client certificate while Ranger-Kafka integration

I am trying to connect Kafka and Ranger and receiving "Unauthorized access - unable to get client certificate". I created a self-signed certificate and followed the below steps.

On Kafka broker

cd /etc/kafka/conf

keytool -genkey -keyalg RSA -alias rangerkafka -keystore ranger-kafka-keystore.jks -storepass xasecure -validity 365 -keysize 2048


chown kafka:kafka ranger-kafka-keystore.jks

chmod 400 ranger-kafka-keystore.jks


keytool -export -keystore ranger-kafka-keystore.jks -alias rangerkafka -file rangerkafka.cer -storepass xasecure


On Ranger-admin side

keytool -genkey -keyalg RSA -alias rangeradmin -keystore ranger-admin-keystore.jks -storepass xasecure -validity 365 -keysize 2048


chown ranger:ranger ranger-admin-keystore.jks

chmod 400 ranger-admin-keystore.jks


keytool -export -keystore ranger-admin-keystore.jks -alias rangeradmin -file rangeradmin.cer -storepass xasecure


After that, I imported the .cer file as below and created the truststore.

On Kafka broker

keytool -import -file rangeradmin.cer -alias rangeradmin -keystore /etc/kafka/conf/ranger-kafka-truststore.jks -storepass xasecure


On Ranger server

keytool -import -file rangerkafka.cer -alias rangerkafka -keystore /etc/ranger/admin/conf/ranger-admin-truststore.jks -storepass xasecure


Logs on Kafka

WARN cache file does not exist or not readable '/etc/ranger/KafkaTest/policycache/kafka_KafkaTest.json' (org.apache.ranger.plugin.util.PolicyRefresher)
[2020-08-09 22:52:29,143] WARN Error getting policies. secureMode=false, user=kafka/<public DNS of broker>@EXAMPLE.COM (auth:KERBEROS), response={"httpStatusCode":400,"statusCode":0}, serviceName=KafkaTest (org.apache.ranger.admin.client.RangerAdminRESTClient)


Ranger Logs

2020-08-09 22:51:29,063 [http-bio-6182-exec-7] INFO org.apache.ranger.common.RESTErrorUtil ( - Request failed. loginId=null, logMessage=VXResponse={org.apache.ranger.view.VXResponse@49174f0cstatusCode={1} msgDesc={Unauthorized access - unable to get client certificate} messageList={[VXMessage={org.apache.ranger.view.VXMessage@4d6d97e4name={OPER_NOT_ALLOWED_FOR_ENTITY} rbKey={xa.error.oper_not_allowed_for_state} message={Operation not allowed for entity} objectId={null} fieldName={null} }]} }
at org.apache.ranger.common.RESTErrorUtil.createRESTException(


I did configure these truststores and keystores in their respective places. Please let me know what I have done wrong.


Also, if I have a couple of Kafka brokers, how will self-signed certificates work? What will be the steps?
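
A check for the stores produced by the steps above, as an added example that is not part of the original post: it compares the fingerprint keytool reports for an alias in one side's keystore with the entry under the same alias in the other side's truststore. It assumes copies of both hosts' stores are readable from one machine; the function names `cert_fp`, `peer_trusts` and `mutual_trust` are hypothetical, while the aliases and store password are the ones used in the post.

```shell
#!/bin/sh
# Added example: verify the keystore/truststore exchange described in the post.

# Print the certificate fingerprint keytool reports for one alias.
# Prints nothing if the store or the alias cannot be read.
# Usage: cert_fp <store> <alias> <storepass>
cert_fp() {
    keytool -J-Duser.language=en -list \
        -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null |
        sed -n 's/^Certificate fingerprint[^:]*: *//p'
}

# Succeed only if <truststore> holds, under <alias>, the same certificate
# that <keystore> holds under that alias.
# Usage: peer_trusts <keystore> <truststore> <alias> <storepass>
peer_trusts() {
    want=$(cert_fp "$1" "$3" "$4")
    have=$(cert_fp "$2" "$3" "$4")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Check both directions of the exchange from the post.
# Usage: mutual_trust <kafka_ks> <kafka_ts> <admin_ks> <admin_ts> <storepass>
mutual_trust() {
    rc=0
    peer_trusts "$1" "$4" rangerkafka "$5" ||
        { echo "admin truststore does not hold the broker's rangerkafka cert"; rc=1; }
    peer_trusts "$3" "$2" rangeradmin "$5" ||
        { echo "kafka truststore does not hold the admin's rangeradmin cert"; rc=1; }
    return $rc
}
```

`peer_trusts` takes the alias as an argument, so with several brokers it can be run once per broker keystore against the same Ranger Admin truststore.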
