Sunday, October 8, 2017

Issues I faced during Cloudera 5.12.1 Kerberos setup

------------------------------------------------------------------------------------
Make sure default_ccache_name is commented out in krb5.conf; otherwise beeline, which by default looks for a /tmp/krb5cc* file in the /tmp directory, will not find the credentials.

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = TANU.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TANU.COM = {
  kdc = winad.tanu.com
  admin_server = winad.tanu.com
 }

[domain_realm]
 .tanu.com = TANU.COM
 tanu.com = TANU.COM
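A quick way to confirm the point above before touching beeline: Java's Kerberos implementation only reads FILE: credential caches, so if klist reports a KEYRING: cache the ticket exists but the JVM never sees it. The helper below is an added example, not part of the original post; it assumes MIT Kerberos klist output ("Ticket cache: ...") and reuses the post's realm TANU.COM, and the two sample klist outputs are constructed.

```shell
# Added example (not from the original post): check that the active Kerberos
# credential cache is a FILE: cache, which Java Kerberos (beeline, Hive JDBC)
# can read. A KEYRING: cache, the result of default_ccache_name in krb5.conf,
# is invisible to the JVM even though klist shows a valid ticket.
# Assumes MIT Kerberos `klist`; the sample outputs below are constructed.

# ccache_type TEXT: print the cache scheme (FILE, KEYRING, DIR, ...) named in
# klist output such as "Ticket cache: FILE:/tmp/krb5cc_1000".
ccache_type() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *\([A-Za-z]*\):.*/\1/p' | head -n 1
}

# ccache_ok_for_java TEXT: return 0 when the cache is a FILE: cache, 1 otherwise.
ccache_ok_for_java() {
    [ "$(ccache_type "$1")" = "FILE" ]
}

# check_current_ccache: inspect the live cache and say what to fix.
check_current_ccache() {
    out=$(klist 2>/dev/null) || { echo "no ticket cache: run kinit first"; return 2; }
    if ccache_ok_for_java "$out"; then
        echo "OK: $(printf '%s\n' "$out" | sed -n 1p)"
    else
        echo "WARN: $(ccache_type "$out") cache in use; comment out default_ccache_name" \
             "in /etc/krb5.conf (or set KRB5CCNAME=FILE:/tmp/krb5cc_\$(id -u)) and kinit again"
        return 1
    fi
}

# Constructed klist output for both cases, as a user would see them.
KLIST_FILE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hive@TANU.COM'
KLIST_KEYRING='Ticket cache: KEYRING:persistent:1000:1000
Default principal: hive@TANU.COM'
```

Run check_current_ccache after kinit on the node where beeline fails. Instead of editing krb5.conf you can also export KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u) before kinit, which overrides default_ccache_name for that shell only.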


--------------------------------------------------------------------------------------------
To debug Cloudera beeline Kerberos or any Java SSL related issues, add JVM arguments to the variable below
--------------------------------------------------------------------------------------------

export HADOOP_CLIENT_OPTS="-Dsun.security.krb5.debug=true"


-----------------------------------------------------
If you face any agent UUID related issues and want to reattach the agent
-------------------------------------------------------------

stop cloudera-scm-agent
remove the agent from Cloudera Manager
delete the file /var/lib/cloudera-scm-agent/uuid on the agent server
then start the agent
------------------------------------------------------------
Set up SSL/TLS for Hive -->  Hive supports JKS format keystore and truststore
-----------------------------------------------------------------------------

Make sure every certificate's Common Name matches the hostname (i.e. CN=node1.tanu.com)

to create keystore

keytool -genkey -alias hivecert -keyalg RSA -keystore keystore.jks

to create truststore

keytool -export -alias hivecert -file hivecert.cer -keystore keystore.jks

keytool -import -v -trustcacerts -alias hivecert -file hivecert.cer -keystore truststore.ts

Add the Hue certificate to the truststore

First convert the Hue PEM format certificate into DER format, then import it

openssl x509 -inform pem -in huecert.pem -outform der -out huecertificate.der
keytool -import -alias hueserver -keystore truststore.ts -file huecertificate.der

-------------------------------------------------------------------------------------
Set up Hue SSL/TLS --> Hue supports PEM format certificate store
-------------------------------------------------------------------------

To create keystore

openssl req -x509 -newkey rsa:4096 -keyout huekey.pem -out huecert.pem -days 3650

to create truststore or CA bundle

cp huecert.pem huecerttrust.pem

Convert the Hive DER certificate into PEM format

openssl x509 -inform der -in hivecert.cer -out hivecert.pem
cat hivecert.pem >>huecerttrust.pem
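The two trust setups above (Hive with JKS, Hue with PEM) fail in the same two ways: a certificate handed to the wrong tool in the wrong encoding, and a CN that does not match the hostname (with keytool -genkey the "first and last name" prompt is what becomes the CN). The helpers below are an added example, not part of the original post. They detect whether a file is PEM or DER and convert in either direction, and check that a certificate's CN or DNS subjectAltName covers the host it will serve. They assume openssl on PATH; node1.tanu.com and the file names are the post's own, and the subject lines used in the checks are constructed.

```shell
# Added example (not from the original post): PEM/DER handling and hostname
# checks for the Hive (JKS) and Hue (PEM) trust setup described above.
# Assumes `openssl` on PATH; file names follow the post (hivecert.cer, huecert.pem).

# cert_format FILE: print "pem" when the file carries a PEM armour header, else "der".
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# to_pem IN OUT / to_der IN OUT: convert whatever the input encoding is, so
# `to_pem hivecert.cer hivecert.pem` (for the Hue CA bundle) and
# `to_der huecert.pem huecertificate.der` (for keytool -import) both work.
to_pem() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform pem -out "$2"; }
to_der() { openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform der -out "$2"; }

# subject_cn SUBJECT_LINE: extract the CN from an `openssl x509 -noout -subject`
# line, in either the new "C = US, CN = host" or the old "/C=US/CN=host" layout.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//' | head -n 1
}

# name_matches NAME HOST: exact match, or a single-label wildcard like *.tanu.com
# covering node1.tanu.com (but not tanu.com itself).
name_matches() {
    case "$1" in
        "$2") return 0 ;;
        \*.*) [ "${1#\*.}" = "${2#*.}" ] && [ "${2%%.*}" != "$2" ] ;;
        *) return 1 ;;
    esac
}

# cert_matches_host FILE HOST: return 0 when the CN or any DNS SAN covers HOST.
# Uses -text rather than -ext so it also works with OpenSSL 1.0.x.
cert_matches_host() {
    fmt=$(cert_format "$1")
    subj=$(openssl x509 -inform "$fmt" -in "$1" -noout -subject)
    name_matches "$(subject_cn "$subj")" "$2" && return 0
    for san in $(openssl x509 -inform "$fmt" -in "$1" -noout -text \
                 | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
                 | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'); do
        name_matches "$san" "$2" && return 0
    done
    echo "mismatch: $1 is for '$(subject_cn "$subj")', host is '$2'" >&2
    return 1
}
```

Typical use on a node: `cert_matches_host hivecert.cer "$(hostname -f)"` before importing into the truststore, and `to_pem hivecert.cer hivecert.pem` in place of remembering which -inform the file needs. The wildcard rule is the common single-label form; it is an assumption of this example, not something the post states.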
