@Phil Zampino, this is a really informative and valuable article. Thanks for writing. Keep it up ! ... View more

@Neha Nirmal Have you tried using "force_https_protocol=PROTOCOL_TLSv1_2" in ambari-agent.ini? ... View more

+1. Very useful article, bookmarked. Thank you! ... View more

Hello @L V, Please make sure that Ambar Server is started with Oracle JDK and not any other JDK. Second, please make sure that all the Ambari agents are using Python 2.6 to start (this can be seen during Agent restart command). There have been some known issues around this which were fixed by using right JDK and right Python library. Hope this helps ! ... View more

Hello @L V, The latest openssl output shows that your Ambari Server is actually working on TLSv1.2. Now please check in Ambari agent log if there is any error while it is trying to connect to Ambari server. Thanks. ... View more

Hello @L V Since you are already on Ambari v2.5.x, you do not need to edit source code. Please put Ambari server in TLSv1.2 only and then run openssl command to check. Please do share the output with us. Thanks. ... View more

Attn @L V ... View more

Oh, then we should look into what happened to Ambari server - agent communication over TLSv1.2. Please have a look at this https://issues.apache.org/jira/browse/AMBARI-18910 and https://issues.apache.org/jira/browse/AMBARI-20831 As per them, the changes should be there in Ambari 2.5.x. Once TLSv1.2 is enabled on Ambari server, please verify the same via openssl CLI like this: openssl s_client -connect localhost:8440 -tls1_2 Regards. ... View more

Hello @L V, To disable TLSv1 & TLS1.1 and enabled TLSv1.2, you don't need to change any source code in Ambari. You can simply change the Ambari server configuration file: ambari.properties. I believe, you did the same. The reason behind losing cluster communication would be Ambari 2.4.x bug where Ambari agents were not able to connect to Ambari server over TLSv1.2. This is fixed in Ambari 2.5.x. Please use this Ambari version and see if you can get TLSv1.2 working. To reiterate, the required Ambari configuration change would be: To disable specific protocols, you can optionally add a list of the following format to ambari.properties. If you specify multiple protocols, separate each protocol using a vertical bar |. security.server.disabled.protocols=SSL|SSLv2|SSLv3 Hope this helps ! ... View more

Hello @Mazin Mohammed, The "Failed to find any Kerberos credentials" error in Namenode log, could also mean wrong / bad Kerberos credential for Namenode process. It does not necessarily always mean client credential. Please check during NameNode startup that if the daemon was able to use nn.service.keytab and spnego.service.keytab both to secure a kerberos credential for itself. You also might want to enable Kerberos debug for NameNode by adding "-Dsun.security.krb5.debug=true" to Namenode command-line argument list. Let us know. Happy hunting ! ... View more