hadoop key create' fails with 'the trustAnchors parameter must be non-empty'

Question

Summary Symptoms 'hadoop key create' fails with the following error,  17/06/07 10:49:00 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [http://kms_host_1.example.com:16000/kms/v1/] threw an IOException [User:test_user not allowed to do 'CREATE_KEY' on 'key01']!! kms.log has the following exceptions: 2017-06-09 11:26:56,189 WARN org.apache.hadoop.security.LdapGroupsMapping: Failed to get groups for user test_user (retry=2) by javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty]   Applies To Cause Key Management Server cannot resolve group mapping if org.apache.hadoop.security.LdapGroupsMapping is set in HDFS + if KMS does not have TLS/SSL for Key Management Server Proxy enabled.   Instructions Enable and configure the following in 'CM Admin Console > KMS > Configuration : Category:Security': Enable TLS/SSL for Key Management Server Proxy Key Management Server Proxy TLS/SSL Server JKS Keystore File Location Key Management Server Proxy TLS/SSL Server JKS Keystore File Password Key Management Server Proxy TLS/SSL Certificate Trust Store File Key Management Server Proxy TLS/SSL Certificate Trust Store Password Cloudera Documentation regarding above configurations.