Okay, only Oozie also needed the change but now everything is working! Will have to figure out longer term plan, but first things first.  ... View more

Thanks for the reply! I had come to the same conclusion, although you may not believe it. Sentry is back up and I'm trying to restart things to see where else it might break, at this time! I appreciate your replies and will follow up if I succeed or hit a different issue.  ... View more

I suspect it is. I have a working theory now. The mysql version installed looks like it supports TLS 1.0 and 1.1 only. This is a recent version of Open JDK and it could be that it does not work with TLS below 1.2. ... View more

Not sure how to check for that. ... View more

Applied the config, but get same error from Sentry as above when initiating Rolling Restart to apply configuration. ... View more

Added this setting: export JAVA_HOME="/usr/lib/jvm/java-1.8.0-openjdk" Restart of CM worked this time. Rolling restart of services fails with same error above at Sentry service. Do you know if it is safe to remove custom keystore settings for oracle jdk? I can't find a lot of info on this. This is a Kerberized cluster.   Looks like the setting is fine from service status: cm-server[135721]: JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk ... View more

I'll give this a try, anyway. I don't think I had it in the current state the other time I tried it. Will post results. ... View more

With that in the settings, CM does not start. I think it is because this is version 6.3.0 and perhaps that setting is not valid until a minor version higher. Do you know if I can remove the custom settings pointing to the old trusstore (/usr/java/default/jre/lib/security/jssecacerts ) as this directory no longer exists? ... View more

Digging into this a little more, I see the old Oracle JDK location in a few config settings. Can someone tell me if it is safe to just remove this and restart CM? Or do I need to build truststore in Open JDK location?  ... View more

Made some progress since this morning. Rebooted the cluster and that allowed me to log in to CM. CM was showing Open JDK as would be expected (under support/about).  Saw an error in the log and figured out that CM had path to Oracle JDK cert store in parameters. Removed that and CM service restarted successfully.. Attempted rolling restart of services to get cluster back up and running. HDFS and a few others came up, but restart stopped at Sentry with following:  sentry.sh at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:201) at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4912) at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1663) at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1224) at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2190) at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2221) at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2016) at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:776) at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at com.mysql.jdbc.Util.handleNewInstance(Util.java:425) at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:386) at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:330) at java.sql.DriverManager.getConnection(DriverManager.java:664) at java.sql.DriverManager.getConnection(DriverManager.java:208) at com.jolbox.bonecp.BoneCP.obtainRawInternalConnection(BoneCP.java:361) at com.jolbox.bonecp.BoneCP.<init>(BoneCP.java:416) ... 39 more Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171) at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103) at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:428) at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:186) ... 58 more   If someone could point me in the right direction or advise I would appreciate it. From Cloudera documentation, I should not have to set TLS protocols and they are commented out in server config file. ... View more