Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Who agreed with this topic

oozie cli doesn't work after enabling tls option

Rising Star

Hi Guys,

 

I have a problem with oozie on my cloudera cluster. I enabled TLS encryption for admin console and Agents. I specified Keystore and Truststore File location and passwords in configuration tab for oozie.

 

When i try to curl oozie:

oozie admin -oozie https://ukgs2hdm02.cwglobal.local:11443/oozie -status

 

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. 
No of retries = 1. Exception = sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was thinking about importing host certificate to a default java keystore but find this:

 

/opt/jdk1.7.0_79/jre/lib/security/cacerts
/opt/cloudera/parcels/CDH-5.5.4-1.cdh5.5.4.p0.9/lib/hue/build/env/lib/python2.6/site-packages/boto-2.38.0-py2.6.egg/boto/cacerts
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security/cacerts
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/security/cacerts
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.39.x86_64/jre/lib/security/cacerts
/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts
/usr/java/jdk1.6.0_31/jre/lib/security/cacerts
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/java/cacerts

and I don't know which one should I use?

 

Here are my files related to cert:

-rw-r-----. 1 root         tls  1996 May 31 13:08 cdh_host.key
-rw-r-----. 1 root         tls  2159 May 31 13:08 cdh_host.keystore
-r--r-----. 1 oozie        tls  2159 Sep 13 09:45 cdh_host.oozie.keystore
-rw-r-----. 1 root         tls  1123 May 31 13:08 cdh_host.pem
-r-xr--r--. 1 cloudera-scm tls  8754 Sep  7 13:39 truststore.jks
-rw-r-----. 1 root         tls 11961 Sep  7 13:39 truststore.pem
-rw-r-----. 1 root         tls   789 May 31 13:08 ukgs2hdm02.cwglobal.local.cer

oozie keystore is the same as the host keystore.

 

I have added certificate to all default java truststores and still the same problem.

 

Oozie web console works just fine.

 

Any ideas?

Who agreed with this topic