how to rollback cloudera manager tls configuration without UI

New Contributor

Need help urgently.

 

Hi, Today I configured Cloudera Manager 5.4.1 to use HTTPS by following

http://www.cloudera.com/documentation/enterprise/5-4-x/topics/cm_sg_tls_browser.html#concept_hrs_f5d

I used the self-signed certificate described in http://www.cloudera.com/documentation/enterprise/5-4-x/topics/sg_self_signed_tls.html#xd_583c10bfdbd

However, after restarting cloudera-scm-server, I could not open the cloudera manager in browser.

"openssl s_client -connect" indicated the SSL connection was fine, but the browser always timed out. I've tried different browsers and cleaned the cache etc. Still the same. At this point, I would rather roll it back.

Is there a way to roll back the changes to use HTTP again? Since I cannot access the Cloudera Manager UI, I can only do it through the command line. Does anyone know where the configuration is stored and how to change it?

 

Please Help!  Thanks!

 

1 ACCEPTED SOLUTION

Super Guru

I would recommend reviewing the Cloudera Manager log for clues, but, for now, access your Cloudera Manager database and run the following:

 

delete from CONFIGS where ATTR='web_tls';

 

This will disable TLS for the CM UI

 

Afterward, try starting again.

 

If that doesn't help, let us know.

New Contributor
Thanks, that worked perfectly! Appreciated your quick help.

New Contributor

How to find the Cloudera Manager DB credentials? I do have the same issue. Not able to log in to the web UI after TLS configuration.

Explorer

DB credentials can be found here: /etc/cloudera-scm-server/db.properties.

Contributor

I had a similar problem. I had enabled agent_tls, but the keystore field was not filled in or the file was in a different location. Now the server did not start anymore. I needed to roll back the setting, thanks for your post.

 

I used mysql tool on the command-line to connect as root to MySQL db, and executed an update:

 

use scm;
update CONFIGS set VALUE='false' where ATTR='agent_tls';
Query OK, 1 row affected (0.05 sec)

After a restart of cloudera-scm-server, the server was working again and I could enter the UI.
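The two steps described in the posts above (look up the connection details in db.properties, then query the scm database), as an added example that is not part of the original thread. It assumes the usual `com.cloudera.cmf.db.*` keys in db.properties and uses a constructed sample file; it only prints a read-only check of the two rows so their current values can be recorded before they are changed.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Sample values below are constructed.

# Constructed stand-in for /etc/cloudera-scm-server/db.properties.
make_sample_props() {
    cat > "$1" <<'EOF'
com.cloudera.cmf.db.type=postgresql
com.cloudera.cmf.db.host=localhost:7432
com.cloudera.cmf.db.name=scm
com.cloudera.cmf.db.user=scm
com.cloudera.cmf.db.password=constructed-example-only
EOF
}

# db_prop FILE KEY -> value of com.cloudera.cmf.db.KEY (last entry wins).
db_prop() {
    sed -n "s/^com\.cloudera\.cmf\.db\.$2=//p" "$1" | tail -n 1
}

# Read-only query over the table and columns used in the thread.
TLS_CHECK_SQL="select ATTR, VALUE from CONFIGS where ATTR in ('web_tls','agent_tls');"

# Print the client command for the configured database type. Both clients
# are told to prompt, so the stored password never appears in argv.
cm_db_check_cmd() {
    props=${1:-/etc/cloudera-scm-server/db.properties}
    dbtype=$(db_prop "$props" type); hostport=$(db_prop "$props" host)
    name=$(db_prop "$props" name);   user=$(db_prop "$props" user)
    host=${hostport%%:*}
    case $hostport in *:*) port=${hostport##*:} ;; *) port= ;; esac
    case $dbtype in
        postgresql)
            echo "psql -h $host ${port:+-p $port }-U $user -d $name -W -c \"$TLS_CHECK_SQL\"" ;;
        mysql)
            echo "mysql -h $host ${port:+-P $port }-u $user -p -D $name -e \"$TLS_CHECK_SQL\"" ;;
        *)
            echo "unsupported db type: $dbtype" >&2; return 1 ;;
    esac
}

# Demo on a throwaway copy of the constructed sample.
demo_dir=$(mktemp -d)
make_sample_props "$demo_dir/db.properties"
cm_db_check_cmd "$demo_dir/db.properties"
rm -rf "$demo_dir"
```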

Expert Contributor

Urgent

 

@bgooley This did not help me. It's giving the below:

scm=# delete from CONFIGS where ATTR='web_tls';
DELETE 0

 

Can you give any other fix?

Super Guru

@kchaitanya,

 

If that did not help, then it is likely there is another problem.

Please start a new thread and outline what you are trying to do and what is happening.

Also, make sure to review your /var/log/cloudera-scm-server/cloudera-scm-server.log for clues about what problem is occurring.

 

-Ben

Expert Contributor
Thank you for the reply @bgooley, I fixed it by running the below command:

delete from CONFIGS where ATTR='agent_tls';

Thank you

Super Guru

@kchaitanya,

Indeed, if agent_tls is enabled even without web_tls and there is a problem with the certificate or trust store, then you would need to turn off agent_tls.

 

A big thanks for sharing that solution!

 

New Contributor

Urgent, and this is for CDP 7.1.

 

I ran the below commands against the scm database:

 

delete from CONFIGS where ATTR='web_tls';
delete from CONFIGS where ATTR='agent_tls';

 

But I am still seeing the below in the Cloudera Manager logs:

2020-07-17 22:30:44,886 INFO MainThread:com.cloudera.server.cmf.Main: Successfully completed Auto Upgrade
2020-07-17 22:30:44,978 INFO MainThread:com.cloudera.server.cmf.Main: Agent RPC connections will use port: 7182
2020-07-17 22:30:44,978 INFO MainThread:com.cloudera.server.cmf.Main: Agent TLS certificates will be validated.
2020-07-17 22:30:44,985 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: Max heartbeat processing thread: 6 and Max threads for CM agent avro http connector: 120
2020-07-17 22:30:45,029 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: HttpConnectorServer port=7182
2020-07-17 22:30:45,029 INFO MainThread:com.cloudera.server.common.HttpConnectorServer: HttpConnectorServer IdleTime=300000
2020-07-17 22:30:45,058 INFO MainThread:org.eclipse.jetty.server.Server: jetty-9.4.14.v20181114; built: 2018-11-14T21:20:31.478Z; git: c4550056e785fb5665914545889f21dc136ad9e6; jvm 1.8.0_181-b13
2020-07-17 22:30:45,081 WARN MainThread:org.eclipse.jetty.security.SecurityHandler: ServletContext@o.e.j.s.ServletContextHandler@62408bf4{/,null,STARTING} has uncovered http methods for path: /*
2020-07-17 22:30:45,089 INFO MainThread:org.eclipse.jetty.server.handler.ContextHandler: Started o.e.j.s.ServletContextHandler@62408bf4{/,null,AVAILABLE}
2020-07-17 22:30:45,093 ERROR MainThread:com.cloudera.server.cmf.Main: Failed to start Agent listener.
2020-07-17 22:30:45,093 ERROR MainThread:com.cloudera.server.cmf.Main: Server failed.
org.apache.avro.AvroRuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:224)
at com.cloudera.server.cmf.Main.startAgentServer(Main.java:590)
at com.cloudera.server.cmf.Main.run(Main.java:646)
at com.cloudera.server.cmf.Main.main(Main.java:247)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54)
at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1137)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:313)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:248)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:94)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:282)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at org.eclipse.jetty.server.Server.doStart(Server.java:394)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at com.cloudera.server.common.HttpConnectorServer.start(HttpConnectorServer.java:222)
... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
... 25 more
2020-07-17 22:30:54,291 INFO ScmActive-0:com.cloudera.server.cmf.components.ScmActive: ScmActive completed successfully.
2020-07-17 22:31:09,276 INFO pool-201-thread-1:com.cloudera.server.cmf.components.CmServerStateSynchronizer: Cleanup is started.

 

 

 

Still not able to access the Cloudera Manager UI, please assist.

New Contributor

Today I ran into this same issue but the solutions in the post didn't resolve the problem.  I found each time you would start cloudera-scm-server (sudo systemctl start cloudera-scm-server) it would just add the entries back to the database we are instructed to delete.  

 

The following did resolve the problem -

Edit /var/lib/cloudera-scm-server/certmanager/cm_init.txt

Change the following top 3 lines from true to false as follows.

setsettings AGENT_TLS false

setsettings WEB_TLS false

setsettings NEED_AGENT_VALIDATION false

 

Then stop and start the cloudera-scm-server.

This time you will see the entries back in the DB but they'll be set to false.

On the database server you can run the following to confirm they are set to false now.

select * from CONFIGS where ATTR='web_tls';

select * from CONFIGS where ATTR='agent_tls';
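The cm_init.txt edit described in the post above, as an added example that is not part of the original thread: it backs the file up first, rewrites only the three named settings, and leaves every other line untouched. The file path and setting names come from the post; the sample file and `EXAMPLE_OTHER_SETTING` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Cloudera's code. The default path and the three setting
# names come from the post above; everything else is an assumption.

# Constructed sample; EXAMPLE_OTHER_SETTING is a made-up placeholder line.
make_sample() {
    cat > "$1" <<'EOF'
setsettings AGENT_TLS true
setsettings WEB_TLS true
setsettings NEED_AGENT_VALIDATION true
setsettings EXAMPLE_OTHER_SETTING true
EOF
}

TLS_KEYS='(AGENT_TLS|WEB_TLS|NEED_AGENT_VALIDATION)'

# Count the TLS settings that are still "true" in a file.
tls_settings_still_true() {
    grep -cE "^[[:space:]]*setsettings[[:space:]]+$TLS_KEYS[[:space:]]+true[[:space:]]*\$" "$1" || true
}

# Back up the file, then set only the three TLS lines to false.
# Prints the backup path so the change can be reverted later.
disable_cm_tls() {
    file=${1:-/var/lib/cloudera-scm-server/certmanager/cm_init.txt}
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$backup" || return 1
    tmp="$file.tmp.$$"
    sed -E "s/^([[:space:]]*setsettings[[:space:]]+$TLS_KEYS)[[:space:]]+true[[:space:]]*\$/\\1 false/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" > "$file" || return 1
    rm -f "$tmp"
    echo "$backup"
}

# Demo on a throwaway copy of the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/cm_init.txt"
disable_cm_tls "$demo_dir/cm_init.txt" >/dev/null
cat "$demo_dir/cm_init.txt"
rm -rf "$demo_dir"
```

Copying the printed backup path over cm_init.txt restores the previous TLS settings once the keystore problem is fixed.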
