Support Questions

@Jay SenSharma : I tried changing the name of key-file but still getting the same alert.

[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh

[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11443/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = java.security.cert.CertificateException: No name matching m2.hdp22 found

[oozie@m2 ~]$ hostname -f

m2.hdp22

[oozie@m2 ~]$ ls -ltr

total 8

-rw-r--r-- 1 oozie hadoop 2245 Mar 31 05:15 keystore.jks

-rw-r--r-- 1 oozie hadoop 2245 Apr 5 05:08 m2.hdp22.jks

@Saurabh

Sorry that i was not very clear. You said "I tried changing the name of key-file but still getting the same alert."

This is because i never asked you to change the key file name. In my last comment i said "you should recreate your certificates with the exact FQDN base", which means you need to regenerate the keystore and while creating the keystore it will ask for "CN" (common Name) there you should be using the "hostname -f" command output as CN.

Example:

keytool -genkey -v -alias testalias -keyalg RSA -keysize 1024 -keystore /etc/certs/serverKeystore.jks -validity 365 -keypass keypass1 -storepass keypass1 -dname "CN=yourFQDN, OU=someOU, O=Hwx, L=Bangalore, S=KA, C=IN"

.

Notice the CN here, it should be correct.

sorry for misunderstanding, I recreated only and used, it was by mistake typed changed.

[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]:

What is the name of your organizational unit?

[Unknown]:

What is the name of your organization?

[Unknown]:

What is the name of your City or Locality?

[Unknown]:

What is the name of your State or Province?

[Unknown]:

What is the two-letter country code for this unit?

[Unknown]:

Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

[no]: yes

Enter key password for <ooziehost>

(RETURN if same as keystore password):

Re-enter new password:

@Saurabh

This is not correct:

CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct

.

In CN you should enter valiid hostname (FQDN) that is resolvable. Please try entering some meaningful values for these attributes od "dname" and then try. Specially the CN part.

.

Re-posting the SSL implementation says. (RFC 2818 states: (Section 3.1, para 4) https://tools.ietf.org/html/rfc2818#section-3.1

"If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead."

@Jay SenSharma

Still the same :

[oozie@m2 ~]$ keytool -genkey -keyalg RSA -alias ooziehost -keystore m2.hdp22.jks -validity 360 -keysize 2048

Enter keystore password:

Re-enter new password:

What is your first and last name?

[m2.hdp22]:

What is the name of your organizational unit?

[test]: TEST

What is the name of your organization?

[self]: SELF

What is the name of your City or Locality?

[blr]: BLR

What is the name of your State or Province?

[ka]: KA

What is the two-letter country code for this unit?

[IN]:

Is CN=m2.hdp22, OU=TEST, O=SELF, L=BLR, ST=KA, C=IN correct?

[no]: yes

Enter key password for <ooziehost>

(RETURN if same as keystore password):

Re-enter new password:

[oozie@m2 ~]$

[oozie@m2 ~]$

[oozie@m2 ~]$

[oozie@m2 ~]$ ls -ltrh

total 8.0K

-rw-r--r-- 1 oozie hadoop 2.2K Mar 31 05:15 keystore.jks

-rw-r--r-- 1 oozie hadoop 2.2K Apr 6 02:22 m2.hdp22.jks

[oozie@m2 ~]$ source /usr/hdp/current/oozie-server/conf/oozie-env.sh

[oozie@m2 ~]$ oozie admin -oozie https://m2.hdp22:11000/oozie -status

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. No of retries = 1. Exception = Unrecognized SSL message, plaintext connection?

I tried the above steps but still getting the same alert in ambari.

I have following points, can you please help me to understand them.

1. Can we have different self signed certificate for each of hadoop web UI(ambari,oozie,NN,RM etc) ?
2. If yes then do we need to setup truststore for every certificate, if yes then how can we achieve that ?

I followed following article for ambari https and for oozie. And both have different way to create certificate and keys.

http://www.hadoopadmin.co.in/enable-https-for-ambari-server/

https://community.hortonworks.com/articles/85270/steps-to-enable-ssl-for-oozie-ui.html