Support Questions
Find answers, ask questions, and share your expertise

name nodes not working after Ssl encryption

name nodes not working after Ssl encryption

New Contributor

I did a setup of Cloudera ( CDH 6.3) cluster with two Namenodes(High availability enabled) and two Datanodes . Then i enabled kerberos . 

Now i want to generate keystore and truststore files and enable ssl encryption on the cluster. How to do it ? I tried generating keystore and truststore with java keytool on each node and enabled hadoop ssl also , with paths and passwords to keystore and truststore.But now when i run hdfs service ,my namenodes are down . Could someone list exact steps i should follow from generating keystores to enabling ssl encryption?

3 REPLIES 3
Highlighted

Re: name nodes not working after Ssl encryption

Contributor

How are you trying to enable SSL? Are you using self signed certificates or signed certificates from Certificate Authority? Are you doing 1 way SSL or 2 way SSL?

A general rule is that you should import server certificates in clients truststore and in case of HDFS daemons they act as both servers and clients so it requires additional setup to import certificates on both the hosts.

Hope this helps.

Highlighted

Re: name nodes not working after Ssl encryption

New Contributor

.

I enabled Hadoop TLS\SSL configuration on cloudera manager and created self signed certificates on my cluster which will be the server.  I am not sure whether the configuration creates one way ssl or two way ssl . But i want just the server to authenticate the client , so i guess my requirement is one way ssl . But the problem is after enabling that configuration , hdfs service doesnot start  and the namenodes are neither in active mode nor in standby, they just appear as namenodes . So, i have not been able to connect to my server through my client as hdfs service is not even running on my server.

Highlighted

Re: name nodes not working after Ssl encryption

Contributor

Can you provide errors from hdfs log file ? It seems to me that it is likely to be a handshake problem but logs can give more insight. You should double check the keystore and truststore (i am not sure of Cloudera Manager) to understand they are setup correctly.

Don't have an account?