We were able to solve this by locating one of the Cipher Suite which is originally marked as 'disabled' in ambari.properties, and enabled the same by removing the ambari.properties and restarting the server. First tried with removing the ciphers.disabled properties(take a backup), and then restart ambari-server. Used Openssl command to connect to the ambari-server on https port. Identified which cipher suite is being used to establish connection, and then located the corresponding RFC cipher mapping for the cipher suite and removed that in the list of cipher suites listed on the ciphers.disabled property in ambari.properties file. ... View more

@Jay Kumar SenSharma I am having a similar issue on Centos 7.x. Please see https://community.hortonworks.com/comments/222163/view.html. (scroll all the way down to the last comment for exact details of the issue) Ambari-server is up and running, but Ambari Server UI is not accessible. My curl request to the https://<ambari-server host>:8xxx fails with the below message: * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5938 (PR_END_OF_FILE_ERROR) * Encountered end of file * Closing connection 0 curl: (35) Encountered end of file Though all the ambari-agents in the cluster are updated to force the use of TLSV1_2, no luck. Any thoughts? Thanks in advance! ... View more

Hello, I am running into the same issue. We use Centos 7.5 version on our HDP cluster nodes and RHEL updates ran on the ambari-server few days ago, and now I could not access our ambari-server's URL in the browser, as the connection gets dropped. And I see the following in the Ambari-server's logs: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) And when I run curl to the Ambari-Server's HTTPS url: * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5938 (PR_END_OF_FILE_ERROR) * Encountered end of file * Closing connection 0 My current environment: Ambari Server 2.4.0 for HDP 2.5.0. Python version 2.7.5-69.el7_5 and Openssl version was updated in this server update, to 1.0.2k-12.el7 Should I downgrade to a different build of Python 2.7.5? I always had Python Cert verification disabled, that did not help. Other Options tried: a) Updated the /etc/ambari-server/conf/ambari.properties with the following line: security.server.disabled.protocols=SSL|SSLv2|SSLv2Hello|SSLv3|TLSv1 b) Updated the /etc/ambari-agent/conf/ambari-agent.ini with the following line: force_https_protocol=PROTOCOL_TLSv1_2 Restarted the Ambari-server and the agent after the above update to configuration files, still not working. Kindly please advise. ... View more

@Brazelton Mann I do get the same error as well, did you find a way to resolve this. Thanks. ... View more

Thanks for the instructions. I have a HDP 2.5 cluster and want to move or create all the collection configuration to HDFS directory, instead of local disk. The config you have above is to update the solrconfig.xml for each collection and this works, but is there a way to update the entire thing from Ambari Console by updating the infra-solr-env-template? Thanks in advance for your input. ... View more

This worked. Thanks for the detailed steps. ... View more

Follow this article https://community.hortonworks.com/articles/88259/set-time-to-live-ttl-on-solr-records.html to set the values for the fields _ttl_ and _expire_at_ fields in the solrconfig.xml and related files and upload them to zookeeper and restart ambari-infra-solr services. That will help reducing the disk space usage according to the value of TTL setting. ... View more

Thanks for your article on setting TTL for Solr documents. However, in my environment, I have Ambari Infra-solr auto created cores for hadoop logs that are taking up disk space. I followed the above and updated the managed-schema and solrconfig.xml under /usr/lib/ambari-infra-solr/server/solr/configsets/data_driven_schema_configs/ I used Ambari Dashboard to restart Ambari Infra Solr and Zookeeper services instead of manually starting Solr using your above command. How would we know if Zookeeper and Solr picked up these settings. Thanks Anitha ... View more

I am running into errors from Ambari-infra-solr in HDP 2.5 with a Kerberized and SSL enabled cluster. I noticed that your steps have a separate keytab for solr-spnego. Is this mandatory to do this way? SOLR_KERB_KEYTAB=/etc/security/keytabs/solr-spnego.service.keytab The errors I have are: SASL configuration failed: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it and '401 Authentication required' Please let me know what I am missing here. ... View more

Thanks for the instructions. I have a Kerberos and HTTPS HDP 2.5 cluster, and after Kerberizing, I see errors in the Ambari infra logs of both the nodes that it could not replicate the index between the solr nodes. Is this related to the above steps? **Note: I am able to access the Solr UI of both the Ambari infra solr nodes, though. Errors: ERROR [c:hadoop_logs s:shard3 r:core_node1 x:hadoop_logs_shard3_replica1] org.apache.solr.update.StreamingSolrClients$1 (StreamingSolrClients.java:79) - error org.apache.solr.common.SolrException: Authentication required and when I restart the Ambari-Infra solr services, I do see the below error as well: Expected mime type application/octet-stream but got text/html. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 401 Authentication required</title> </head> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing /solr/vertex_index_shard1_replica1/get. Reason: <pre> Authentication required</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> Any inputs on how to resolve this? Recently, I updated the LogSearch UI to HTTPS and that is unable to connect to the Solr instances .. Thanks in advance. ... View more