Support Questions

Find answers, ask questions, and share your expertise

Who agreed with this topic

oozie cli doesn't work after enabling tls option

avatar
Expert Contributor

Hi Guys,

 

I have a problem with oozie on my cloudera cluster. I enabled TLS encryption for admin console and Agents. I specified Keystore and Truststore File location and passwords in configuration tab for oozie.

 

When i try to curl oozie:

oozie admin -oozie https://ukgs2hdm02.cwglobal.local:11443/oozie -status

 

Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server. 
No of retries = 1. Exception = sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I was thinking about importing host certificate to a default java keystore but find this:

 

/opt/jdk1.7.0_79/jre/lib/security/cacerts
/opt/cloudera/parcels/CDH-5.5.4-1.cdh5.5.4.p0.9/lib/hue/build/env/lib/python2.6/site-packages/boto-2.38.0-py2.6.egg/boto/cacerts
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security/cacerts
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/security/cacerts
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.39.x86_64/jre/lib/security/cacerts
/usr/java/jdk1.7.0_67-cloudera/jre/lib/security/cacerts
/usr/java/jdk1.6.0_31/jre/lib/security/cacerts
/etc/pki/ca-trust/extracted/java/cacerts
/etc/pki/java/cacerts

and I don't know which one should I use?

 

Here are my files related to cert:

-rw-r-----. 1 root         tls  1996 May 31 13:08 cdh_host.key
-rw-r-----. 1 root         tls  2159 May 31 13:08 cdh_host.keystore
-r--r-----. 1 oozie        tls  2159 Sep 13 09:45 cdh_host.oozie.keystore
-rw-r-----. 1 root         tls  1123 May 31 13:08 cdh_host.pem
-r-xr--r--. 1 cloudera-scm tls  8754 Sep  7 13:39 truststore.jks
-rw-r-----. 1 root         tls 11961 Sep  7 13:39 truststore.pem
-rw-r-----. 1 root         tls   789 May 31 13:08 ukgs2hdm02.cwglobal.local.cer

oozie keystore is the same as the host keystore.

 

I have added certificate to all default java truststores and still the same problem.

 

Oozie web console works just fine.

 

Any ideas?

Who agreed with this topic