Member since: 07-12-2024
Posts: 3
Kudos Received: 1
Solutions: 0
07-22-2024
08:13 AM
1 Kudo
Hi, yes it was a problem with an incorrect passphrase being passed to the keystorePassword.
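A pre-flight check for the cause named in the post above, as an added example that is not part of the original post and not Cloudera's tooling: it uses openssl to confirm that the password file decrypts the host key, and that the certificate belongs to that key, before both are handed to generateCmca. The function names, return codes and sample file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Cloudera code. Verifies a host key, its certificate and the
# keystore password file (the --host-key, --host-cert and --keystore-pw-file
# inputs seen in the log) before the generateCmca call is made.
# Return codes: 0 ok, 1 unreadable or unparseable file, 2 key is not encrypted,
#               3 password file does not decrypt the key, 4 cert/key mismatch.
check_host_key() {
    key=$1; cert=$2; pwfile=$3
    for f in "$key" "$cert" "$pwfile"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    # An encrypted PEM key has either the PKCS#8 header or the legacy Proc-Type
    # line. Without one, openssl ignores -passin and any password "works".
    grep -Eq -e '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$key" ||
        { echo "key is not encrypted, password file is never exercised" >&2; return 2; }
    # -passin file: takes the first line of the file as the passphrase.
    key_pub=$(openssl pkey -in "$key" -passin "file:$pwfile" -pubout 2>/dev/null) ||
        { echo "password file does not decrypt $key" >&2; return 3; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "certificate does not match key" >&2; return 4; }
    echo "ok: $pwfile opens $key and $cert matches it"
}

# Constructed sample material for trying the check offline: a throwaway
# encrypted RSA key, a self-signed certificate, and a right and a wrong
# password file. Nothing here comes from a real cluster.
make_sample() {
    dir=$1
    printf '%s\n' 'constructed-passphrase' > "$dir/key.pwd"
    printf '%s\n' 'some-other-passphrase' > "$dir/bad.pwd"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc \
        -pass "file:$dir/key.pwd" -out "$dir/host.key" 2>/dev/null &&
    openssl req -new -x509 -key "$dir/host.key" -passin "file:$dir/key.pwd" \
        -subj '/CN=host.example.test' -days 1 -out "$dir/host.crt" 2>/dev/null
}

# Usage against real files (paths are placeholders):
#   check_host_key /path/to/host.key /path/to/host.crt /path/to/key.pwd
```

A return code of 3 corresponds to the situation described in the post: the passphrase supplied does not open the key.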
07-15-2024
07:26 AM
Hi, I tried following the use case 3. I generated the certificates for all the hosts. When I ran the generateCmCa api, I'm running into this error:

Entering HTTP Operation: Method:POST, Path:/v41/cm/commands/generateCmca
INFO scm-web-77659:com.cloudera.cmf.service.ServiceHandlerRegistry: Executing Global command GenerateCMCACommand GenerateCmcaCmdArgs{sshPort=22, userName=REDACTED, password=REDACTED, passphrase=REDACTED, privateKey=REDACTED, customCA=true, interpretAsFilenames=true, additionalArguments=null, location=/opt/cloudera/CMCA}.
INFO scm-web-77659:com.cloudera.cmf.command.GenerateCmcaCommand: {CLUSTER_NAME} has Kerberos enabled and will be reconfigured to use SASL
INFO scm-web-77659:com.cloudera.cmf.command.flow.CmdStep: Executing command 1546436812 work: Execute 14 steps in sequence
INFO scm-web-77659:com.cloudera.cmf.command.flow.CmdStep: Executing command 1546436812 work: Generate a CMCA and enable Auto-TLS.
INFO scm-web-77659:com.cloudera.cmf.command.GenerateCmcaCmdWork: Determined CMCA location: /var/lib/cloudera-scm-server/certmanager
INFO scm-web-77659:com.cloudera.cmf.command.GenerateCmcaCmdWork: Modifying init file if present: /var/lib/cloudera-scm-server/certmanager/cm_init.txt
INFO scm-web-77659:com.cloudera.cmf.command.GenerateCmcaCmdWork: Generating CMCA
INFO scm-web-77659:com.cloudera.cmf.command.CertmanagerRunner: Running CMCA command with args: [setup_custom_certdir, --host-cert, REDACTED, --host-key, REDACTED, --ca-cert, REDACTED, --keystore-pw-file, /tmp/auto-tls/keys/key.pwd, --truststore-pw-file, REDACTED, --configure-services, --skip-cm-init, --override, keystore_type=jks]
ERROR scm-web-77659:com.cloudera.cmf.command.CertmanagerRunner: Failed to run CMCA command, return code: 1, stderr: INFO:root:certmanager not running as root
INFO:root:Logging to /var/log/cloudera-scm-agent/certmanager.log
Traceback (most recent call last):
  File "/opt/cloudera/cm-agent/bin/certmanager", line 11, in <module>
    load_entry_point('cmf==7.6.7', 'console_scripts', 'certmanager')()
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 2857, in main
    return certmanager(obj=argparse.Namespace())
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 716, in __call__
    return self.main(*args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 1060, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 889, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/core.py", line 534, in invoke
    return callback(*args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/click/decorators.py", line 27, in new_func
    return f(get_current_context().obj, *args, **kwargs)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 2694, in setup_custom_certdir
    truststore_password)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 2014, in setup_server_with_custom_certs
    self.copy_node_cert(None, hostname)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 1798, in copy_node_cert
    keystore_file, hostname, password)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/tools/cert.py", line 1607, in _write_keystore_file
    raise Exception("Failed to generate host pkcs12 file.")
Exception: Failed to generate host pkcs12 file.
WARN scm-web-77659:com.cloudera.cmf.command.flow.CmdStep: Command 1546436812 Unexpected exception during doWork
java.lang.IllegalStateException: Failed to run CMCA command, return code: 1

The ssh user has root permissions assigned. Can you help me with this please @upadhyayk04 Thank you
07-12-2024
07:40 AM
Hi, I have an existing CDP 7.1.x cluster with Auto-TLS enabled during the creation of the cluster. I followed the use case 2: https://docs.cloudera.com/cdp-private-cloud-base/7.1.9/security-encrypting-data-in-transit/topics/cm-security-use-case-2.html, to use an existing Root CA. Recently the certificates expired and I'm trying to renew them. I've a couple of questions from the documentation.

1. In the above page, it mentions "In this use case, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API." - Should I use this to generate the host certs? If so, can I get an example of the API call and its usage?
2. Or should I use this use case 3: https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/security-encrypting-data-in-transit/topics/cm-security-use-case-3.html. Generate the certificates myself and use the generateCmCa api?

I don't mind using the UI too, but I don't think that's feasible with a different Root CA case. Can you suggest how I can go about this, please? Thanks
Labels: Cloudera Data Platform (CDP)