Hello, I am running into the same issue. We use Centos 7.5 version on our HDP cluster nodes and RHEL updates ran on the ambari-server few days ago, and now I could not access our ambari-server's URL in the browser, as the connection gets dropped. And I see the following in the Ambari-server's logs: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) And when I run curl to the Ambari-Server's HTTPS url: * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -5938 (PR_END_OF_FILE_ERROR) * Encountered end of file * Closing connection 0 My current environment: Ambari Server 2.4.0 for HDP 2.5.0. Python version 2.7.5-69.el7_5 and Openssl version was updated in this server update, to 1.0.2k-12.el7 Should I downgrade to a different build of Python 2.7.5? I always had Python Cert verification disabled, that did not help. Other Options tried: a) Updated the /etc/ambari-server/conf/ambari.properties with the following line: security.server.disabled.protocols=SSL|SSLv2|SSLv2Hello|SSLv3|TLSv1 b) Updated the /etc/ambari-agent/conf/ambari-agent.ini with the following line: force_https_protocol=PROTOCOL_TLSv1_2 Restarted the Ambari-server and the agent after the above update to configuration files, still not working. Kindly please advise. ... View more

Thanks for the instructions. I have a HDP 2.5 cluster and want to move or create all the collection configuration to HDFS directory, instead of local disk. The config you have above is to update the solrconfig.xml for each collection and this works, but is there a way to update the entire thing from Ambari Console by updating the infra-solr-env-template? Thanks in advance for your input. ... View more

This worked. Thanks for the detailed steps. ... View more

Thanks for your article on setting TTL for Solr documents. However, in my environment, I have Ambari Infra-solr auto created cores for hadoop logs that are taking up disk space. I followed the above and updated the managed-schema and solrconfig.xml under /usr/lib/ambari-infra-solr/server/solr/configsets/data_driven_schema_configs/ I used Ambari Dashboard to restart Ambari Infra Solr and Zookeeper services instead of manually starting Solr using your above command. How would we know if Zookeeper and Solr picked up these settings. Thanks Anitha ... View more

I am running into errors from Ambari-infra-solr in HDP 2.5 with a Kerberized and SSL enabled cluster. I noticed that your steps have a separate keytab for solr-spnego. Is this mandatory to do this way? SOLR_KERB_KEYTAB=/etc/security/keytabs/solr-spnego.service.keytab The errors I have are: SASL configuration failed: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it and '401 Authentication required' Please let me know what I am missing here. ... View more

Thanks for the instructions. I have a Kerberos and HTTPS HDP 2.5 cluster, and after Kerberizing, I see errors in the Ambari infra logs of both the nodes that it could not replicate the index between the solr nodes. Is this related to the above steps? **Note: I am able to access the Solr UI of both the Ambari infra solr nodes, though. Errors: ERROR [c:hadoop_logs s:shard3 r:core_node1 x:hadoop_logs_shard3_replica1] org.apache.solr.update.StreamingSolrClients$1 (StreamingSolrClients.java:79) - error org.apache.solr.common.SolrException: Authentication required and when I restart the Ambari-Infra solr services, I do see the below error as well: Expected mime type application/octet-stream but got text/html. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 401 Authentication required</title> </head> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing /solr/vertex_index_shard1_replica1/get. Reason: <pre> Authentication required</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> Any inputs on how to resolve this? Recently, I updated the LogSearch UI to HTTPS and that is unable to connect to the Solr instances .. Thanks in advance. ... View more

Thank you for the reply. I switched to using ambari generated certs for all instead. The instructions were helpful. Thank you. ... View more

***Update - I switched back to using Ambari's generated certificate for agents and the server, as I was getting SSL errors related to having the certs not signed by the same 'CA'. Is this because I was using the self-signed certificate for testing locally? I havent' tried this with the CA signed multiple SAN certificate. Also, while comparing the 'Subject Name' on the certificate generated by the Ambari server and the multiple 'Subject Alternative Name' certificate I intended to use originally, the 'Subject name's would have caused discrepancy. Looks like ambari server looks for the node name in the Subject line, but in the SAN certificate I have, the names of the nodes as part of the 'V3 extensions' in the certificate. If you have any suggestions for this scenario, please post. Thanks. ... View more

I tried your steps above, but the ambari-server generates certificates on the agent nodes. To give some context, I have a single certificate with multiple 'subject alternative names' for all the nodes in the cluster. I put that 1 certificate under the /var/lib/ambari-agent/keys folder on all the agents and as soon as I restart Ambari-server, it still does not pick up my '.crt' instead it begins generating the .key, .csr and .crt. My goal is to use the .crt I have to be used by the agent and server on all the nodes for the two_way_ssl functionality. Please advise. ... View more