Support Questions
Find answers, ask questions, and share your expertise

hiveserver2 ranger-plugin ssl communication


Friends, I need your advise/help on the following issue:

We have successfully configured Hiveserver2 / SSL Ranger Plugin / Kerberos, but i never tested earlier, but recently i found a hive / ranger plugin issue, that is @ when I tried to connect hiveserver2 through beeline, i was able to connect to hiveserver2, but when i typed 'show databases' i was not getting any result, but in hiveserver2 logs,i found the following errors:

Here is the hiveserver2 log:

2017-03-11 22:46:56,026 ERROR [Thread-9]: util.RangerRESTClient ( - Unable to read the necessary SSL Keystore and TrustStore Files Keystore was tampered with, or password was incorrect at at$JKS.engineLoad( at at$DualFormatJKS.engineLoad( at at org.apache.ranger.plugin.util.RangerRESTClient.getTrustManagers( at org.apache.ranger.plugin.util.RangerRESTClient.buildClient( at org.apache.ranger.plugin.util.RangerRESTClient.getClient( at org.apache.ranger.plugin.util.RangerRESTClient.getResource( at org.apache.ranger.admin.client.RangerAdminRESTClient.createWebResource( at org.apache.ranger.admin.client.RangerAdminRESTClient.getServicePoliciesIfUpdated( at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicyfromPolicyAdmin( at org.apache.ranger.plugin.util.PolicyRefresher.loadPolicy( at Caused by: Password verification failed at ... 13 more 2017-03-11 22:46:56,027 ERROR [Thread-9]: util.PolicyRefresher ( - PolicyRefresher(serviceName=TEST_hive): failed to refresh policies. Will continue to use last known version of policies (-1) java.lang.IllegalArgumentException: SSLContext must not be null

I have verified the "java keystore & trust store password" as i was able to list those two stores (keytool command) with the passwords.

Can anyone please help me on resolving this issue.

Thank you,



Super Mentor

@hdpadmin overlandpark

Have you created a create principal as

kadmin.local: addprinc -randkey HTTPS/<host>@EXAMPLE.COM

And added it to the keytab ?

kadmin.local: ktadd -norandkey -kt /etc/security/keytabs/spnego.service.keytab HTTPS/<host>@EXAMPLE.COM


After that please try verifying the same using klist command, that you are able to do kinit and get the ticket.


Can you please check yout ranger truststore/keystore configs.


Also please check if you have imported the hiveserver2 certificate to the truststore?



Hi Jay,

Thank you for the response. Actually we got all these things in place, but i realized that our trust store password was incorrect and i was able to fix that issue, later it complained about a self signed cert on the ranger admin server, so I imported hive cert into ranger trust store and did set common name correctly on hive/ranger configuration and finally my issue was resolved. Thanks again for the reply.


Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.