'hadoop key create' fails with 'the trustAnchors parameter must be non-empty'

asked Oct 22, 2017 by anonymous
Summary
Symptoms
'hadoop key create' fails with the following error:
17/06/07 10:49:00 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms_host_1.example.com:16000/kms/v1/] threw an IOException [User:test_user not allowed to do 'CREATE_KEY' on 'key01']!!

kms.log has the following exceptions:
2017-06-09 11:26:56,189 WARN org.apache.hadoop.security.LdapGroupsMapping: Failed to get groups for user test_user (retry=2) by javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]


 
Applies To
Cause

Key Management Server cannot resolve group mappings when org.apache.hadoop.security.LdapGroupsMapping is set in HDFS and TLS/SSL for Key Management Server Proxy is not enabled on the KMS.
 

Instructions

Enable and configure the following in 'CM Admin Console > KMS > Configuration : Category:Security':

Enable TLS/SSL for Key Management Server Proxy
Key Management Server Proxy TLS/SSL Server JKS Keystore File Location
Key Management Server Proxy TLS/SSL Server JKS Keystore File Password
Key Management Server Proxy TLS/SSL Certificate Trust Store File
Key Management Server Proxy TLS/SSL Certificate Trust Store Password

Cloudera Documentation regarding above configurations.
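
The two symptoms above belong together: the 'CREATE_KEY' denial on the client follows from the failed LDAP group lookup in kms.log. The following triage script is an added example, not part of the original post or of any Cloudera tooling; the function names and the second client log line (other_user, key02) are constructed for illustration.

```python
import re

# Client-side denial printed by 'hadoop key create' (format as quoted on the page).
DENIED = re.compile(r"\[User:(?P<user>\S+) not allowed to do '(?P<op>\w+)' on '(?P<key>[^']+)'\]")
# kms.log group-lookup failure from LdapGroupsMapping (format as quoted on the page).
GROUPS = re.compile(
    r"LdapGroupsMapping: Failed to get groups for user (?P<user>\S+) \(retry=\d+\) by "
    r"[\w.$]+: .*?(?P<ldap>[\w.-]+:\d+) \[Root exception is (?P<root>.*)\]\s*$")
EMPTY_TRUST = "the trustAnchors parameter must be non-empty"

# Constructed sample input, modelled on the two log lines quoted on the page.
CLIENT_SAMPLE = [
    "17/06/07 10:49:00 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms_host_1.example.com:16000/kms/v1/] threw an IOException [User:test_user not allowed to do 'CREATE_KEY' on 'key01']!!",
    "17/06/07 10:52:10 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms_host_1.example.com:16000/kms/v1/] threw an IOException [User:other_user not allowed to do 'CREATE_KEY' on 'key02']!!",
]
KMS_SAMPLE = [
    "2017-06-09 11:26:56,189 WARN org.apache.hadoop.security.LdapGroupsMapping: Failed to get groups for user test_user (retry=2) by javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]",
]

def group_lookup_failures(kms_log_lines):
    """Map user -> set of (LDAP endpoint, cause) found in kms.log lines."""
    failures = {}
    for line in kms_log_lines:
        m = GROUPS.search(line)
        if m:
            cause = "empty-truststore" if EMPTY_TRUST in m["root"] else "other"
            failures.setdefault(m["user"], set()).add((m["ldap"], cause))
    return failures

def explain_denials(client_lines, kms_log_lines):
    """Return one (user, op, key, verdict) finding per client-side denial."""
    failures = group_lookup_failures(kms_log_lines)
    findings = []
    for line in client_lines:
        m = DENIED.search(line)
        if not m:
            continue
        causes = sorted(failures.get(m["user"], ()))
        empty = [ldap for ldap, cause in causes if cause == "empty-truststore"]
        if empty:
            verdict = "group lookup failed: KMS has no trust anchors for " + ", ".join(empty)
        elif causes:
            verdict = "group lookup failed for another reason"
        else:
            verdict = "no group lookup failure logged for this user"
        findings.append((m["user"], m["op"], m["key"], verdict))
    return findings

if __name__ == "__main__":
    for finding in explain_denials(CLIENT_SAMPLE, KMS_SAMPLE):
        print(finding)
```

A denial whose verdict names an LDAPS endpoint is the case this page covers, fixed by the trust store settings listed under Instructions; other verdicts need a different investigation.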
