You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2013/09/19 23:31:53 UTC
[jira] [Commented] (HADOOP-9977) Hadoop services won't start with
different keypass and keystorepass when https is enabled
[ https://issues.apache.org/jira/browse/HADOOP-9977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13772344#comment-13772344 ]
Chris Nauroth commented on HADOOP-9977:
---------------------------------------
The root cause is that {{FileBasedKeyStoresFactory}} does not honor the value of {{ssl.server.keystore.keypassword}} configured in ssl-server.xml. Instead, it uses the value of {{ssl.server.keystore.password}} as both the keystore password and key retrieval password. I have a patch in progress to fix this.
My plan is to continue using the value of {{ssl.server.keystore.password}} as the default if {{ssl.server.keystore.keypassword}} is not configured. This is for backwards-compatibility in case any existing deployments had been omitting keypassword and relying on the old behavior.
> Hadoop services won't start with different keypass and keystorepass when https is enabled
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-9977
> URL: https://issues.apache.org/jira/browse/HADOOP-9977
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.1.0-beta
> Reporter: Yesha Vora
> Assignee: Chris Nauroth
>
> Enable ssl in the configuration. While creating keystore, give different keypass and keystore password. (here, keypass = hadoop and storepass=hadoopKey)
> keytool -genkey -alias host1 -keyalg RSA -keysize 1024 -dname "CN=host1,OU=cm,O=cm,L=san jose,ST=ca,C=us" -keypass hadoop -keystore keystore.jks -storepass hadoopKey
> In , ssl-server.xml set below two properties.
> <property><name>ssl.server.keystore.keypassword</name><value>hadoop</value></property>
> <property><name>ssl.server.keystore.password</name><value>hadoopKey</value></property>
> Namenode, ResourceManager, Datanode, Nodemanager, SecondaryNamenode fails to start with below error.
> 2013-09-17 21:39:00,794 FATAL namenode.NameNode (NameNode.java:main(1325)) - Exception in namenode join
> java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
> at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:222)
> at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:174)
> at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer$1.<init>(NameNodeHttpServer.java:76)
> at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:74)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:626)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:488)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:684)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:669)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1254)
> at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1320)
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
> at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
> at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
> at java.security.KeyStore.getKey(KeyStore.java:792)
> at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
> at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
> at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
> at org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:170)
> at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:121)
> at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:220)
> ... 9 more
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira