keystore permission denied error when trying to run "service cloudera-scm-server start"

New Contributor

Hello All...


I have been working to change my cluster over from self-signed certificates to a private CA configuration, using CA-provided certificates. After completing the keystore setup, I executed the following step:

Step 2: Enable HTTPS for the Cloudera Manager Admin Console and Specify Server Keystore Properties

  1. Log into the Cloudera Manager Admin Console.
  2. Select Administration > Settings.
  3. Click the Security category.
  4. Configure the following TLS settings:
    Property                                Description
    Path to TLS Keystore File               The complete path to the keystore file. In the example, this path would be:
    Keystore Password                       The password for keystore: password
    Use TLS Encryption for Admin Console    Check this box to enable TLS encryption for Cloudera Manager.
  5. Click Save Changes to save the settings.


Now... I get the following error when I run the command service cloudera-scm-server start.


Exception in thread "MainThread" org.apache.avro.AvroRuntimeException: /opt/cloudera/security/CAcerts/cmhost-keystore.jks (Permission denied)
        at com.cloudera.server.common.HttpConnectorServer.start(
        at com.cloudera.server.cmf.Main.startAgentServer(
        at com.cloudera.server.cmf.Main.startAvro(
        at com.cloudera.server.cmf.Main.main(
Caused by: /opt/cloudera/security/CAcerts/cmhost-keystore.jks (Permission denied)
        at Method)
        at org.mortbay.resource.FileResource.getInputStream(
        at org.mortbay.component.AbstractLifeCycle.start(
        at org.mortbay.jetty.Server.doStart(
        at org.mortbay.component.AbstractLifeCycle.start(
        at com.cloudera.server.common.HttpConnectorServer.start(
        ... 4 more


Expert Contributor

From the looks of it, the file permissions on the file /opt/cloudera/security/CAcerts/cmhost-keystore.jks are incorrect.


The process usually runs as the cloudera-scm user. So check the permissions on that file.

New Contributor

Hey everyone,

Just wanted to share my experience with the same Solr Server error message I recently encountered. Following @surajacharya's advice above, I compared the permissions on the truststore file between a functioning Solr server host and the problematic one. I noticed that the permissions were set to 400 on the problematic host and 644 on the good one.

I went ahead and adjusted the permissions on the truststore file of the problematic host to 644 and then restarted the Solr server. Voila! The issue was resolved. Just thought I'd share this in case someone else runs into a similar problem.
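
Added example (not part of the thread and not Cloudera tooling): a Python check for the permission question raised in the replies above. It decides from mode bits whether a given account can open a keystore, including search permission on every parent directory, and reports when the file is readable by every local user. The function name, the sample file and the made-up uid are assumptions; ACLs and SELinux are not evaluated.

```python
import os
import stat
import tempfile


def keystore_access_report(path, uid, gids):
    """List reasons `uid` (member of `gids`) cannot safely read `path`.

    Mode bits only: POSIX ACLs and SELinux are not evaluated (assumption).
    """
    def allowed(st, owner_bit, group_bit, other_bit):
        if uid == 0:  # root bypasses read and search checks
            return True
        # The kernel applies exactly one class: owner, else group, else other.
        if st.st_uid == uid:
            return bool(st.st_mode & owner_bit)
        if st.st_gid in gids:
            return bool(st.st_mode & group_bit)
        return bool(st.st_mode & other_bit)

    findings = []
    path = os.path.abspath(path)
    # Every ancestor needs search (x) permission, otherwise open() fails with
    # "Permission denied" even when the keystore itself is readable.
    ancestors, parent = [], os.path.dirname(path)
    while parent not in ancestors:
        ancestors.append(parent)
        parent = os.path.dirname(parent)
    for directory in reversed(ancestors):
        if not allowed(os.stat(directory), stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            findings.append(f"no search permission on directory {directory}")

    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not allowed(st, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        findings.append(f"no read permission on {path} (mode {mode:o}, owner uid {st.st_uid})")
    if mode & stat.S_IROTH:
        # A keystore holds a private key, so world-readable is worth flagging.
        findings.append(f"{path} is readable by every local user (mode {mode:o})")
    return findings


if __name__ == "__main__":
    # Constructed sample: an empty mode-400 file checked for a made-up uid.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample-keystore.jks")
        open(sample, "wb").close()
        os.chmod(sample, 0o400)
        print(keystore_access_report(sample, os.getuid() + 1000, set()))
```

To check the real service account, pass `pwd.getpwnam("cloudera-scm").pw_uid` and the set returned by `os.getgrouplist()` for that account.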