Support Questions
Find answers, ask questions, and share your expertise

ranger installation issues with ranger UI


I have installed basic ranger via ambari on HDP2.2.6(ORACLE AS METADATA)

Installed fine.But I can not open Ranger UI-fails with username password not valid for admin/admin.

When I see catalina.out? ,below error:

INFO: Initializing ProtocolHandler ["http-bio-6182"] Oct 04, 2016 3:20:28 AM getStore SEVERE: Failed to load keystore type JKS with path /etc/ranger/admin/keys/server.jks due to /etc/ranger/admin/keys/server.jks (No such file or directory) /etc/ranger/admin/keys/server.jks (No such file or directory)

Am stuck on this.No luck.Please suggest.Tried updating directory with 777 but no luck.



Super Guru

@Rajat Dua what version of Ambari are you using to install ranger?


@Rajat Dua - is this SSL enabled ? It looks like the /etc/ranger/admin/keys/server.jks file is unavailable.


@Chethana Krishnakumar

@Neeraj Sabharwal

@Sunile Manjee


I am using ambari 2.2 with secureed HDP2.2.6

I need to set up knox n Ranger with AD and facing issues with it.

Do I need to perform certain steps to enable SSL to generate jks keys?(*#ranger)

Second for Knox (I have two VM's with basic configuration on load balancer),I see there are two ways to do :

a)Add these VM's as new host via ambari and install knox

b)Manually Install without adding host .

Which method is recommended for Production set up?

I am trying both ways on lab clusters I have ,but stuck on below:

Knox works ok for NON AD/ldap set up.But when I try to give AD configs





I get below exception:

root@insionft01 keystores]# curl -i -u guest:guest-password ""

curl: (60) Peer certificate cannot be authenticated with known CA certificates

More details here:

curl performs SSL certificate verification by default, using a "bundle"

of Certificate Authority (CA) public keys (CA certs). If the default

bundle file isn't adequate, you can specify an alternate file

using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in

the bundle, the certificate verification probably failed due to a

problem with the certificate (it might be expired, or the name might

not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use

the -k (or --insecure) option.

Is it something I need to request windows team for :below or I can self generate on my own for Production set up?

1.Your LDAP or AD Digital Certificate: <ldap>.crt

2.The company's Digital CA Cert: <company_ca>.crt

3.The certificate/ key pair for the gateway node: <gateway_node>.crt and <gateway_node>.pem

4.The passphrase for the above gateway node key.

Any best practice document for knox,ranger with AD will be of great help.




any update pls.KNOX/RANGER with LDAP?


@Chethana Krishnakumar @Sunile Manjee @Neeraj Sabharwal

I tested on Lan and imported certificate in cluster for knox as below:

1st Command

openssl.exe pkcs12 -in insi.pfx -nocerts -out P1.pem

2nd command

openssl.exe rsa -in P1.pem -out private.pem

3rd command

openssl.exe pkcs12 -in insi.pfx -clcerts -nokeys -out RCert.pem

[root@insionft01 cert]# openssl pkcs12 -in insi.pfx -nocerts -out P1.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

[root@insionft01 cert]#

[root@insionft01 cert]# keytool -importcert -trustcacerts -file insionft01.cer -storepass changeit -noprompt -alias MyLdapCert -keystore /usr/java/jdk1.8.0_74/jre/lib/security/cacerts

Certificate was added to keystore

[root@insionft01 cert]#

But still we face same ) Peer certificate cannot be authenticated with known CA certificates error

Any best practice document made will help as probably I must be missing certain configs or some steps in LDAP/AD.




@Chethana Krishnakumar thanks ,you have any good link or best practice for Knox as well?