@Harry Li It is likely the postgresql service was not started. Try to manually start it and re-run ambari-server setup. service postgresql start ... View more

Are you really sure Ambari is running as root. Try doing a ps to be sure: # ps -ef | grep AmbariServer root 3927 13603 0 18:15 pts/0 00:00:00 grep --color=auto AmbariServer root 28360 1 2 16:05 pts/0 00:03:22 /usr/jdk64/jdk1.8.0_77/bin/java -server -XX:NewRatio=3 -XX:+UseConcMarkSweepGC -XX:-UseGCOverheadLimit -XX:CMSInitiatingOccupancyFraction=60 -XX:+CMSClassUnloadingEnabled -Dsun.zip.disableMemoryMapping=true -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -Xms512m -Xmx2048m -XX:MaxPermSize=128m -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false -cp /etc/ambari-server/conf:/usr/lib/ambari-server/*:/usr/share/java/postgresql-jdbc.jar org.apache.ambari.server.controller.AmbariServer If Ambari is running as root, does root have a uid and gid of 0? # id root uid=0(root) gid=0(root) groups=0(root) ... View more

Please take a look at the following article to see if that helps - Java/Python Updates and Ambari Agent TLS Settings ... View more

After the searching the internet for "the trustAnchors parameter must be non-empty", it appears that message may mean that the specified trust store was not found or could not be read. Take a look at the values of the following properties in the /etc/ambari-server/conf/ambari.properties file to make sure they are correct: ssl.truststore.path ssl.truststore.password ssl.truststore.type Another thing you might try is to turn off SSL certificate validation when connecting to Active Directory while enabling Kerberos. This can be done by setting the following property in the /etc/ambari-server/conf/ambari.properties file and restart Ambari: kerberos.operation.verify.kdc.trust = false ... View more

@Sivaprakasam Theivanayagam There are various tools you can use to test connectivity. To test the SSL connection and grab the SSL cert, you can use the OpenSSL s_client utility: openssl s_client -connect HOST:PORT To grab the SSL certificate you can use the following command: openssl s_client -connect <AD_HOST_NAME_OR_IP_ADDRESS>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem Example: openssl s_client -connect ad_host.example.com:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > ad_ldap_server.pem You can then import the ad_ldap_server.pem into Ambari's trust store. This is needed to ensure Ambari trusts the connection to the Active Directory. Later versions of Ambari require this (but the verification process can be turned off if you really want to). To test the LDAP(S) interface, you can use the OpenLDAP ldapsearch utility. You may need to install the openldap-clients package to use it. The following command can be used to test connectivity and list the distinguished names contained in the base DN: ldapsearch -ZZ -h <AD_HOST_NAME_OR_IP_ADDRESS> -D <BIND_DN> -W -b <BASE_DN> dn -ZZ: Start TLS (for LDAPS) -h: IP/hostname of Active Directory server -D: BindDN or User principal name -W: Password (to be provided interactively) -b: Base DN for search (where in the LDAP tree to start looking) Example: ldapsearch -ZZ -h ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn This ldapsearch command may fail if the host does not trust the SSL cert provided by the Active Directory. If so, you can either no use SSL/TLS, turn off OpenLDAP cert validation, or trust the cert. To not use TLS/SSL, remove the -ZZ from the command line. To skip certificate validation, edit the /etc/openldap/ldap.conf file and add the following line TLS_REQCERT never ... View more