Posted to user@ambari.apache.org by Chanel Loïc <lo...@worldline.com> on 2015/05/06 14:12:28 UTC
Kerberos - Algorithm AES256 not enabled
Hi,
Trying to Kerberize my cluster, I encountered some trouble. When I start to configure security with the Ambari wizard, it seems the Ambari server cannot connect to the KDC, although it is on the same network.
Therefore I took a closer look at the corresponding logs, and the main issue seems to be related to the AES256 algorithm, as the main error returned is "Algorithm AES256 not enabled". As I was a little surprised, I tried to reproduce the bug using a personal minimalistic implementation using the same library that is used by Ambari (org.apache.directory.kerberos.client), but I still get the error "Algorithm AES256 not enable".
Searching on Google, I saw that this problem could be related to the installation of JCE, so I re-installed it with the proper parameters from the Oracle website (http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html), but it did not change a thing.
Does someone know where this might come from, or how to avoid this issue?
Thanks,
Loïc
________________________________
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
Re: Kerberos - Algorithm AES256 not enabled
Posted by Robert Levas <rl...@hortonworks.com>.
Awesome. I am glad I could help.
Rob
RE: Kerberos - Algorithm AES256 not enabled
Posted by Chanel Loïc <lo...@worldline.com>.
As I rebooted Ambari, I figured I was not quite sure I had done it since I installed the JCE policies properly. I think that is where the problem came from, since the AES256-related message disappeared.
Thanks Rob!
Loïc
Re: Kerberos - Algorithm AES256 not enabled
Posted by Robert Levas <rl...@hortonworks.com>.
Hi Loïc,
It appears you were heading in the correct direction. The issue is related to the lack of JCE. Once you install the JCE policy jars, you need to restart Ambari. If you have already generated the keytabs for the cluster, you can tell Ambari to regenerate the keytabs and the correct entries should be created. To view the contents of your keytab file, use klist -kte <path to keytab file>. With the -e option you will see the encryption algorithms used to generate the keytab entry.
For example:
# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des-cbc-md5)
1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (arcfour-hmac)
1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des3-cbc-sha1)
You also need to make sure all of the hosts have the JCE policy jars installed. After they are installed, you should restart all of the services.
I hope this helps,
Rob
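An added check, not code from the thread or from Ambari: a POSIX shell script that parses klist -kte output to confirm every principal in a keytab has an aes256-cts-hmac-sha1-96 entry, and probes the local JRE for the unlimited-strength JCE policy the answer above asks for on every host. It assumes jrunscript is available (JDK 6 to 8) and uses a constructed sample modelled on the klist output above.

```shell
# Added example, not code from the thread or from Ambari: checks the two things
# Rob's answer asks for, AES256 entries in a keytab and the unlimited JCE policy.
REQUIRED_ENCTYPE="aes256-cts-hmac-sha1-96"

# Read `klist -kte` output on stdin. Exit 0 when every principal has at least
# one entry with REQUIRED_ENCTYPE, 1 otherwise (naming the principals lacking it).
keytab_enctypes_ok() {
    awk -v need="$REQUIRED_ENCTYPE" '
        # Entry lines: KVNO  MM/DD/YY HH:MM:SS  principal (enctype)
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = substr($NF, 2, length($NF) - 2)
            princ = $(NF - 1)
            total++; seen[princ] = 1
            if (enc == need) ok[princ] = 1
        }
        END {
            rc = 0
            if (total == 0) { print "no keytab entries found"; rc = 1 }
            for (p in seen) if (!(p in ok)) { print "missing " need ": " p; rc = 1 }
            exit rc
        }'
}

# Exit 0 if the JRE on this host allows 256-bit AES, i.e. the unlimited JCE
# policy jars are installed. Assumes jrunscript (shipped with JDK 6 to 8).
jce_unlimited_ok() {
    max=$(jrunscript -e \
        'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))' 2>/dev/null) \
        || return 1
    [ "$max" -ge 256 ]
}

# Check a real keytab the way the thread does: klist -kte <path>.
check_keytab() {
    klist -kte "$1" | keytab_enctypes_ok
}

# Constructed sample shaped like the thread's klist output (no real keys).
SAMPLE_OK='Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des-cbc-md5)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (arcfour-hmac)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 04/30/15 15:20:14 hdfs@EXAMPLE.COM (des3-cbc-sha1)'
# The same keytab as Ambari generated it before the JCE policy jars went in.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v aes256)
```

Run check_keytab /etc/security/keytabs/hdfs.headless.keytab on each host after regenerating keytabs; a principal listed as missing the AES256 enctype means that host's JRE still lacked the policy jars when the keytab was written.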