About suraj_lawand

suraj_lawand · ‎12-26-2018

@Aditya Sirna Can you please suggest how to remove params. As I tried but unable to save the configuration and restart storm.

suraj_lawand · ‎05-08-2018

Hello, Certificates were not created properly. I have compared another working certificate with this certificate and found mismatch. I have verified certificate through openssl command and then I have copied required certificates from other working application server to issued one. Issue is resolved now but still unable find why below commands doesn't works on server sudo /usr/jdk64/jdk1.8.0_112/bin/keytool -import -trustcacerts -noprompt -storepass xxxx -alias abc-sha2 -file /home/ec2-user/abc-sha2.cer -keystore /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts

suraj_lawand · ‎04-25-2018

@JZ I have replaced keystore/truststore with below commands. Where Ab-ssl-sha2.cer is a certificate used to convert to keystore/truststore. /usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /home/Ab-ssl-sha2.cer -keystore /etc/nifi/3.0.1.1-5/0/keystore.jks -alias keystore_internal /usr/jdk64/jdk1.8.0_112/bin/keytool -import -file /home/Ab-ssl-sha2.cer -keystore /etc/nifi/3.0.1.1-5/0/truststore.jks -alias truststore_internal Can you please suggest, where need to do changes?

suraj_lawand · ‎04-24-2018

@JZ I'm facing similar error. I am using Nifi 1.2.0. with HTTPS and LDAPS. Recently I have updated the certificated and started facing below error. I can access Nifi webgui. When I'm trying to copy files from Nifi gui to S3, I'm getting the below errors. Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 50 common frames omitted Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) <br> I have kept, cacert files in java path /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts<br> and keystore/trustore files /etc/nifi/3.0.1.1-5/0/keystore.jks /etc/nifi/3.0.1.1-5/0/truststore.jks<br> I not getting clear, where exactly valid certification path is located. If you know, please suggest.

suraj_lawand · ‎04-24-2018

I Have faced similar error. In my case Nifi was running fine but in cluster, nodes was not connected. In nifi-app.log found below errors. ERROR [Curator-Framework-0] o.a.c.f.imps.CuratorFrameworkImpl Background retry gave up org.apache.curator.CuratorConnectionLossException: KeeperErrorCode = ConnectionLoss Solution - ZK services was not running. I have started first then started Nifi cluster. Now Nifi nodes are connected properly in a cluster and cluster is running fine.

suraj_lawand · ‎04-18-2018

@JZ Can you please suggest - as per https://community.hortonworks.com/questions/167502/nifi-ssl-unable-to-find-valid-certification-path-t.html

suraj_lawand · ‎04-17-2018

Hi Team, When I'm trying put a file in S3 through Nifi Web UI, getting below error. Whether through Aws CLI, I can copy files to S3 from Nifi servers. I have updated the cacerts file in below paths /usr/jdk64/jdk1.8.0_112/jre/lib/security/cacerts /usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security/cacerts Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 50 common frames omitted Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 56 common frames omitted 2018-04-17 01:33:54,624 ERROR [Timer-Driven Process Thread-3] o.a.nifi.processors.aws.s3.PutS3Object PutS3Object[id=9d2034-02b3e9b22] Error checking S3 Multipart Upload list for non-prod-on-prem-dropoff: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 2018-04-17 01:33:54,694 ERROR [Timer-Driven Process Thread-3] o.a.nifi.processors.aws.s3.PutS3Object PutS3Object[id=9d202b3e9b22] Failed to put StandardFlowFileRecord[uuid=be294f52-c,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1523871738280-1, container=default, section=1], offset=50440, length=10088],offset=0,name=test3,size=10088] to Amazon S3 due to com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: {} com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

suraj_lawand · ‎12-14-2017

I followed the steps given above but getting below error. 8080 port is not listening as ambari-server service is not running. I tried to start the service but it fails. Please suggest curl -H "X-Requested-By: ambari" -X POST -u admin:admin http://192.168.10.10:8080/api/v1/blueprints/single-node-hdp-cluster -d @cluster_configuration.json curl: (7) Failed connect to 192.168.10.10:8080; Connection refused

suraj_lawand · ‎12-13-2017

@Kuldeep Kulkarni Can you please elaborate step 4? How do you created blueprint? Where need to put this file "api/v1/blueprints" from this url "http://<ambari-hostname>:8080/api/v1/blueprints/<blueprint-name" ?

suraj_lawand · ‎11-17-2017

I found the solution. Issue is fixed now. In my case, one of LDAP username is 'dvteam' but in LDAP database there was full description of username as 'architecture dev team, locations, team details, etc'. Error messages I found in nifi-user.log. is 'architecture dev team' user was trying to authenticate with nifi nodes. Authentication was successful but authorizations not happening. The username which I've mentioned in initial admin identity was 'dvteam'.(cn=dvteam,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com) Then as per logs, I changed it to (cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com) Also there was some mismatch about host names in node identities section. 'hostname -f' shows a hostname ip-zz-xx-ec2-internal. So, I have given 'ip-zz-xx-ec2-internal' in node identities section but that was not working. Then I have changed the hostnames to 'nifi1.abc.local' and mentioned in node identities. In 'Template for login-identity-providers.xml' I've made some changes. Earlier I had set 'use_username' in '<property name="Identity Strategy">USE_DN</property>' this section. later I've changed to use_dn. because as per nifi-user log authentication is happening with LDAP user 'architecture dev team'. So in my case user_username was not working for authentications. Every configurations changes I used to remove authorizations.xml and users.xml file from my all nifi nodes. Also There was confusion on about 'OU' in Node identities section. What does it mean OU in node identities section? I don't know yet. Later I've mentioned 'OU=nifi' and also gave host names as 'nifi1.abc.local' , 'nifi2.abc.local', etc. I have added AD/LDAP user in Initial Admin Identity(cn=architecture dev team,ou=xx,ou=xx,ou=xx,ou=xx,dc=abc,dc=com) After setting above all, I was facing an error about setting nifi.security.identity.mapping.pattern.dn. There was a challenge about the pattern definition. There was 4 'ou' I have defined in initial admin identities and login-identity-providers.xml. So I've used below pattern and it worked well. ^cn=(.?),ou=(.?),ou=(.?),ou=(.?),ou=(.?),dc=(.?),dc=(.?)$ Note: I have removed Ranger completely. Thanks, Suraj

Online	Offline
Last Visited	‎12-26-2018 10:25 AM

Member Since	‎09-03-2017 09:51 AM
Last Visited	‎12-26-2018 10:25 AM
Posts	55

Cloudera Community

Re: Storm - Supervisor and Nimbus dropping immedia...

Re: NiFi SSL - unable to find valid certification ...

Re: NiFi SSL - unable to find valid certification ...

Re: NiFi SSL - unable to find valid certification ...

Re: NiFi Cluster : Startup exception "Cluster is s...

Re: PKIX path building failed. unable to find vali...

PKIX path building failed. unable to find valid ce...

Re: Automate HDP installation using Ambari Bluepri...

Re: Automate HDP installation using Ambari Bluepri...

Re: How to give permissions to users to access Nif...