oozie cli doesn't work after enabling tls option

Rising Star

Hi Guys,

I have a problem with Oozie on my Cloudera cluster. I enabled TLS encryption for the admin console and Agents. I specified the Keystore and Truststore file location and passwords in the configuration tab for Oozie.

When I try to curl Oozie:

oozie admin -oozie https://ukgs2hdm02.cwglobal.local:11443/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server.
No of retries = 1. Exception = sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was thinking about importing the host certificate into a default Java keystore but found this:

/opt/jdk1.7.0_79/jre/lib/security/cacerts
/opt/cloudera/parcels/CDH-5.5.4-1.cdh5.5.4.p0.9/lib/hue/build/env/lib/python2.6/site-packages/boto-2.38.0-py2.6.egg/boto/cacerts
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security/cacerts
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/security/cacerts
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.39.x86_64/jre/lib/security/cacerts
/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts
/usr/java/jdk1.6.0_31/jre/lib/security/cacerts
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/java/cacerts

and I don't know which one I should use.

Here are my files related to the cert:

-rw-r-----. 1 root         tls  1996 May 31 13:08 cdh_host.key
-rw-r-----. 1 root         tls  2159 May 31 13:08 cdh_host.keystore
-r--r-----. 1 oozie        tls  2159 Sep 13 09:45 cdh_host.oozie.keystore
-rw-r-----. 1 root         tls  1123 May 31 13:08 cdh_host.pem
-r-xr--r--. 1 cloudera-scm tls  8754 Sep  7 13:39 truststore.jks
-rw-r-----. 1 root         tls 11961 Sep  7 13:39 truststore.pem
-rw-r-----. 1 root         tls   789 May 31 13:08 ukgs2hdm02.cwglobal.local.cer

The Oozie keystore is the same as the host keystore.

I have added the certificate to all default Java truststores and still have the same problem.

The Oozie web console works just fine.

Any ideas?

Accepted Solutions

Re: oozie cli doesn't work after enabling tls option

Rising Star
Solved. I missed one of the Java default truststore files...

Re: oozie cli doesn't work after enabling tls option

Explorer

Hi @andrzej_jedrzej, can you explain how you solved this problem?

Thank you.

Re: oozie cli doesn't work after enabling tls option

New Contributor

Can you explain how you resolved this issue?

Re: oozie cli doesn't work after enabling tls option

Rising Star
You have to update the default Java truststore with your certs, e.g. the root CA.
Are you using self-signed certs?
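
On the question of which of the several `cacerts` files matters: the script below is an added example, not part of the original thread, that resolves a java launcher to the single truststore that JVM reads by default and checks a CA certificate against it by fingerprint. How the Oozie CLI picks its JVM (`JAVA_HOME`, then `PATH`) and the stock `changeit` password are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find the one truststore file a given
# java launcher reads by default, then check whether a CA cert is in it.

# Resolve a java launcher, following symlink chains such as
# /usr/bin/java -> /etc/alternatives/java -> <JDK>/bin/java, to that JVM's
# default truststore. JSSE looks in <java.home>/lib/security for jssecacerts
# first, then cacerts; on Java 8 and older java.home is <JDK>/jre.
default_truststore() {
    local real home dir name
    real=$(readlink -f "$1") || return 1
    home=$(dirname "$(dirname "$real")")          # strip the trailing /bin/java
    for dir in "$home/jre/lib/security" "$home/lib/security"; do
        for name in jssecacerts cacerts; do
            if [ -e "$dir/$name" ]; then
                readlink -f "$dir/$name"          # cacerts is often a symlink too
                return 0
            fi
        done
    done
    return 1
}

# Succeeds if the certificate in PEM file $2 is present in truststore $1.
# Fingerprints are compared, so alias names do not matter. "changeit" is the
# stock cacerts password; pass the real one as $3 if it was changed.
truststore_has_cert() {
    local fp
    fp=$(keytool -printcert -file "$2" | sed -n 's/^[[:space:]]*SHA256: //p')
    [ -n "$fp" ] || return 2
    keytool -list -v -keystore "$1" -storepass "${3:-changeit}" | grep -qF "$fp"
}

# Usage: script.sh /path/to/root-ca.pem
# Assumption: the CLI starts $JAVA_HOME/bin/java when JAVA_HOME is set and
# otherwise the first java on PATH; -Djavax.net.ssl.trustStore overrides both.
if [ "$#" -eq 1 ]; then
    java_bin=${JAVA_HOME:+$JAVA_HOME/bin/java}
    java_bin=${java_bin:-$(command -v java)}
    store=$(default_truststore "$java_bin") || { echo "no truststore for $java_bin" >&2; exit 1; }
    if truststore_has_cert "$store" "$1"; then
        echo "trusted: $store"
    else
        echo "MISSING from $store (the file this JVM actually reads)"
        exit 1
    fi
fi
```

Run it as the same user and with the same environment as the failing `oozie` command, since a different `JAVA_HOME` or `PATH` selects a different JVM and therefore a different truststore file.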

Re: oozie cli doesn't work after enabling tls option

Explorer

Hi, I am using self-signed certificates and tried to enable TLS parameters for all the services, except Oozie. Oozie is showing some health issues: the Oozie web server cannot be communicated with.