Posted to user@ranger.apache.org by Aneela Saleem <an...@platalytics.com> on 2015/09/30 11:55:51 UTC

Issues with usersync (LDAPS certificate not validated)

Hi all,

I followed all the following steps i.e.,

cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2
.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Add java option
-Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
/ranger-usersync/userSyncCAcerts
To
/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh

Where it invokes java command like the following

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
 . . .


But I'm unable to sync LDAP contacts in Ranger due to certificate
validation issues. Following are the logs:

30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Starting User
Sync Service!
30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Enabling Unix
Auth Service!
30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
initializing sink:
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to load
native-hadoop library for your platform... using builtin-java classes where
applicable
30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
Protocol: [SSLv2Hello]
30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1]
30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.1]
30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.2]
30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LdapUserGroupBuilder created
30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
initializing source:
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] - Begin:
initial load of user/group from source==>sink
30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LDAPUserGroupBuilder updateSink started
30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LdapUserGroupBuilder initialization started
30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to
initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
Error details:
javax.naming.CommunicationException: simple bind failed: platalytics.com:636
[Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
at
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 33 more

And following is the output of nohup command:

Host key verification failed.

Can someone please help me figure out the issue?

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
And yes, I have already added the certificate to the Java trust store using
the following method:


cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2
.2.0.0-2036/ranger-usersync/userSyncCAcerts

keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
(where cert.pem has the LDAPS cert)

Add java option
-Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
/ranger-usersync/userSyncCAcerts
To
/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh

Where it invokes java command like the following

nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
 . . .


On Wed, Oct 7, 2015 at 1:52 AM, Aneela Saleem <an...@platalytics.com>
wrote:

> Thanks Neethiraj,
>
> I tried the above solution but it still gives the following logs:
>
> 07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Starting
> User Sync Service!
> 07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Enabling
> Unix Auth Service!
> 07 Oct 2015 01:50:35  INFO UserGroupSync [UnixUserSyncThread] -
> initializing sink:
> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
> 07 Oct 2015 01:50:36  WARN NativeCodeLoader [main] - Unable to load
> native-hadoop library for your platform... using builtin-java classes where
> applicable
> 07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
> Protocol: [SSLv2Hello]
> 07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
> Protocol: [TLSv1]
> 07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
> Protocol: [TLSv1.1]
> 07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
> Protocol: [TLSv1.2]
> 07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LdapUserGroupBuilder created
> 07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] -
> initializing source:
> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
> 07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] - Begin:
> initial load of user/group from source==>sink
> 07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LDAPUserGroupBuilder updateSink started
> 07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
> LdapUserGroupBuilder initialization started
> 07 Oct 2015 01:50:39 ERROR UserGroupSync [UnixUserSyncThread] - Failed to
> initialize UserGroup source/sink. Will retry after 3600000 milliseconds.
> Error details:
> javax.naming.CommunicationException: simple bind failed: example.com:636
> [Root exception is javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
> at javax.naming.InitialContext.init(InitialContext.java:242)
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
> at
> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
> at
> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
> at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
> at
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
> at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
> ... 14 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> at
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
> at
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
> at
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
> ... 27 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> ... 33 more
>
>
> On Wed, Oct 7, 2015 at 1:19 AM, Selvamohan Neethiraj <sn...@apache.org>
> wrote:
>
>> Thanks Aneela,
>>
>> This indicates to me that you are using a self-signed certificate (
>>   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com )  for the
>> ldap server.
>> Is this certificate added to the Java truststore file (
>> ${JAVA_HOME}/jre/lib/security/cacerts) ?
>>
>> If that is already done, please add the following SSL debug flag to the
>> usersync process and run the usersync to see more detailed SSL error
>> message (in the stdout file) …
>>
>>     -Djavax.net.debug=all
>>
>> Please let us know if this provides more details to identify the issue …
>>
>> Thanks,
>>
>> Selva-
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Tuesday, October 6, 2015 at 4:06 PM
>>
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Hi Neethiraj,
>>
>> Following is the output of the above command. Sorry, I have changed the
>> domain name to example.com now.
>>
>>
>> CONNECTED(00000003)
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
>> CN = example.com
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
>> CN = example.com
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
>> CN = example.com
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>>
>> -----BEGIN CERTIFICATE-----
>> MIIDyTCCArGgAwIBAgIJALD35nndyVZ2MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
>> BAYTAlBLMQ8wDQYDVQQIDAZQdW5qYWIxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
>> DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUxMDA2
>> MTkzNzEwWhcNMTYxMDA1MTkzNzEwWjBuMQswCQYDVQQGEwJQSzEPMA0GA1UECAwG
>> UHVuamFiMQ8wDQYDVQQHDAZsYWhvcmUxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
>> DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqG
>> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbQggCnHerlgpmKIH4SZ2IsIGl7X8GTovV
>> Xtg0jcnPZa0xtMKo9EfR61HZK+Gfyv0d05WAfN7uy8vfEIWLUX8rAGJWG2j3GIUO
>> EnZg3oi65SUSyVDWKvVCSR+5qjkYZ7/Uf/trOkB35MtPnMzakZzjE1Q42DUKICFj
>> popIITLDzCMrtK3fcVHGEfv2AHhhAxS3psKrWOYkbjU3aYdHs8v32I0FUGt5Jg7S
>> hmBH0HsSb4HUbTh1Pqk1RFcSr8kRQoT1+LHZ19w9/J3D17nyLtOh7svpxDuVXeCE
>> NP25fN91PcKvrzWvMSXwWtzP4lc5cs+o1qKTBSovOyCQkTL6IOwrAgMBAAGjezB5
>> MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
>> cnRpZmljYXRlMB0GA1UdDgQWBBQrGnLQImKdyGR5Z+jN3Bb246uiUDAfBgNVHSME
>> GDAWgBS+EGZa4kNXhG4Hw/igdmJYd1zLPTANBgkqhkiG9w0BAQsFAAOCAQEAy9DL
>> ng/ZTXixzJYL0qPdglNE8AcD5N77noxFSNtBefFXk3ZdWa7uCndoOac6EoOoQKVt
>> nVp3d/ZScEu1UmbBlNi2lIpM4V2lADTtwhU07fSm98Cjs6a1T2mEsr5vkxOX4k6K
>> XN/zESQ0sn5+HuxONEcOKcvgZpttRElelZrban0BvX4StQcfG6g/EkS9R5DmmrzI
>> R9yBagkp0Pj1euggt30nCOnCK19sHQIgOo7ZiY3XYwX83zdnLZv/rn94BsXOfqCH
>> CE7wZRaiEznh2WuCeWQD5A9B9ADDplQYZsoqfFbIvJHaeh0Ada/HJNSPh3T98leK
>> bA+MDpEjs64kRdaC2w==
>> -----END CERTIFICATE-----
>>  1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>> -----BEGIN CERTIFICATE-----
>> MIIDwzCCAqugAwIBAgIJALD35nndyVZ1MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
>> BAYTAlBLMQ8wDQYDVQQIDAZQdW5qYWIxFDASBgNVBAoMC3BsYXRhbHl0aWNzMREw
>> DwYDVQQLDAhwbGF0Zm9ybTEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMTUxMDA2
>> MTkzMTEwWhcNMTgxMDA1MTkzMTEwWjBdMQswCQYDVQQGEwJQSzEPMA0GA1UECAwG
>> UHVuamFiMRQwEgYDVQQKDAtwbGF0YWx5dGljczERMA8GA1UECwwIcGxhdGZvcm0x
>> FDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
>> CgKCAQEA0v/DuFdb+V4fpbPYnJpAzvca6DQaPJPdiEtkTcu/t8qKoiH5W8Pj6F95
>> nUhr/7oyGSnaZSZAGeYYzRfs4C/G3Fo+ZPw5Tm/5KGWLZG/SDDWMjwgOdPfvfTwb
>> P6nBOdlnW3OP7fOnKmvUJtml/N5IhNn20Sn0aHFFIRR5Apy1NcE/0poOw95bI6zl
>> Iiethqvng1P9uPWjViFV5MXRShn3IVlY02bj8ECap4ZvP9YSLPh80KiTxhB8oQ7r
>> QvMJkRpDaaqP8EmjvOgb3GE+VdL4wfsl23FDpTqRA+NSVJ6cLBFdzHQlUKQqtPzl
>> FanpWhjiigyaUGk1OEprTC2UTEp03QIDAQABo4GFMIGCMCUGA1UdEQQeMByCFGFu
>> ZWVsYS1MZW5vdm8tRzUwLTcwhwR6gU9FMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQU
>> vhBmWuJDV4RuB8P4oHZiWHdcyz0wHwYDVR0jBBgwFoAUvhBmWuJDV4RuB8P4oHZi
>> WHdcyz0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA+IBVHeJqjrk
>> 3OqBGtxvW1HI3bFtaZKuXV/wNHzIrEbjvS2ezZTbBmzLvl0KjvWoF7m7Z6XjfYH3
>> kVL4/xqpeu2qk586ruTR8cXOXF9/IMdLnU287LvpGr5KXGmIwgjEDOxNYEnVIewO
>> uUiyY72a81VwXv7vFjFB8M5khM+60wQ/isLZJq4O0+C+xqKlXQvH28Ey6vq7WK91
>> chsY7jcmT+q/+CcgXxtc9+pjpZR35wsf/0jrNsH190w0YBzUWZIPHQx3ELg7GBQ1
>> iAlG0RkcWgrppSioekkEgC/gQbSBahWNVlaHTYNwCMjH7NyCDKa1d2+iby/b7k5G
>> L1ndgIax4Q==
>> -----END CERTIFICATE-----
>> ---
>> Server certificate
>> subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>> issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 2368 bytes and written 663 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA256
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : AES256-SHA256
>>     Session-ID:
>> 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
>>     Session-ID-ctx:
>>     Master-Key:
>> 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1444161895
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>> DONE
>>
>>
>> On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <
>> sneethiraj@hortonworks.com> wrote:
>>
>>> Aneela:
>>>
>>>
>>> To verify the certificate (chain), can you run the following command and
>>> send us the output of the command ?
>>>
>>>
>>> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Selva-
>>>
>>> From: Aneela Saleem <an...@platalytics.com>
>>> Reply-To: "user@ranger.incubator.apache.org" <
>>> user@ranger.incubator.apache.org>
>>> Date: Monday, October 5, 2015 at 1:16 PM
>>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>>
>>>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> No, there are no intermediate certificates. No, I'm not using the same trust
>>> store for performing ldapsearch. I'm using the
>>> TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file
>>>
>>> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
>>> spolavarapu@hortonworks.com> wrote:
>>>
>>>> Are there any intermediate certs? If so, are they also added in the
>>>> trust store?
>>>> And just to make sure, in the ldap configuration, are you using same
>>>> trust store for performing ldapsearch?
>>>>
>>>>
>>>> From: Aneela Saleem
>>>> Reply-To: "user@ranger.incubator.apache.org"
>>>> Date: Sunday, October 4, 2015 at 10:15 AM
>>>>
>>>> To: "user@ranger.incubator.apache.org"
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> Is there any issue with JAVA keystore?
>>>>
>>>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com>
>>>> wrote:
>>>>
>>>>> Yes following command works fine
>>>>>
>>>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub
>>>>> 'cn=aneela'
>>>>>
>>>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> It is surprising that it will just stop working. Are you able to do
>>>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>>>> the OpenLDAP side?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Bosco
>>>>>>
>>>>>>
>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>>>
>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>
>>>>>> I also checked it on another machine. Same issue is there
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <
>>>>>> aneela@platalytics.com> wrote:
>>>>>>
>>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact
>>>>>>> generated a new one. Still the same issue.
>>>>>>>
>>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Aneela,
>>>>>>>> Please check whether the certificate has expired.
>>>>>>>> Dilli
>>>>>>>>
>>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Bosco
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not
>>>>>>>>> validated)
>>>>>>>>>
>>>>>>>>> It was working fine one month ago. But now the same issue has
>>>>>>>>> occurred.
>>>>>>>>>
>>>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <
>>>>>>>>> aneela@platalytics.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I followed all the following steps i.e.,
>>>>>>>>>>
>>>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>>
>>>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem
>>>>>>>>>> -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>>>
>>>>>>>>>> Add java option
>>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
>>>>>>>>>> /ranger-usersync/userSyncCAcerts
>>>>>>>>>> To
>>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>>>
>>>>>>>>>> Where it invokes java command like the following
>>>>>>>>>>
>>>>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>>  . . .
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to
>>>>>>>>>> certificate validation issues. Following are the logs:
>>>>>>>>>>
>>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Starting User Sync Service!
>>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Enabling Unix Auth Service!
>>>>>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>>> initializing sink:
>>>>>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to
>>>>>>>>>> load native-hadoop library for your platform... using builtin-java classes
>>>>>>>>>> where applicable
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Enabling Protocol: [SSLv2Hello]
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Enabling Protocol: [TLSv1]
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Enabling Protocol: [TLSv1.1]
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>>> Enabling Protocol: [TLSv1.2]
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>>> initializing source:
>>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>>> Begin: initial load of user/group from source==>sink
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>>> [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] -
>>>>>>>>>> Failed to initialize UserGroup source/sink. Will retry after 21600000
>>>>>>>>>> milliseconds. Error details:
>>>>>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>>>>>> platalytics.com:636 [Root exception is
>>>>>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>>> valid certification path to requested target]
>>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>>> at
>>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>>> at
>>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>>> at
>>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>>> at
>>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>>> at
>>>>>>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>>> at
>>>>>>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>>> at
>>>>>>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>>> at
>>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>>> at
>>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>>> at
>>>>>>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>>> valid certification path to requested target
>>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>>> at
>>>>>>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>>> at
>>>>>>>>>> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>>> ... 14 more
>>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>>>>>>>>> building failed:
>>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>>> valid certification path to requested target
>>>>>>>>>> at
>>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>>> at
>>>>>>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>>> at
>>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>>> ... 27 more
>>>>>>>>>> Caused by:
>>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>>> valid certification path to requested target
>>>>>>>>>> at
>>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>>> at
>>>>>>>>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>>> at
>>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>>> ... 33 more
>>>>>>>>>>
>>>>>>>>>> And following is the output of nohup command:
>>>>>>>>>>
>>>>>>>>>> Host key verification failed.
>>>>>>>>>>
>>>>>>>>>> Can someone please help me figure out the issue?
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
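The truststore recipe in the first message and the s_client chain dump quoted above leave two things unchecked: which of the two certificates in the chain is the trust anchor that belongs in userSyncCAcerts, and whether the certificate that was imported is still the one the server presents (the thread mentions the server certificate was regenerated, and the leaf in the dump is dated after the truststore was built). The script below is an added example, not code from this thread or from Apache Ranger. It uses openssl to generate a private CA and two server certificates as a constructed stand-in for platalytics.com:636, splits a saved -showcerts bundle into individual certificates, picks the self-signed issuer, verifies the leaf against it, compares SHA-256 fingerprints of the old and current server certificates, and finishes with the keytool import from the first message when a JDK is on the PATH. The subjects, the alias openLdapCA, the store password changeit and the temporary paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the Ranger thread or project. It rebuilds the
# thread's situation offline: a private CA (CN=example.com) that issues the
# LDAPS server cert, a saved `openssl s_client -showcerts` bundle, and the
# truststore step from the first message. Subjects, alias, password and
# paths are assumptions chosen to resemble the thread's output.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so `req` works without the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# Constructed stand-in for the CA behind the thread's "issuer" line.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com" >/dev/null 2>&1
}

# Constructed server cert signed by that CA; $1 names the output files.
# Called twice below to model a cert re-issued after the truststore was built.
gen_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Split a PEM bundle (e.g. saved `openssl s_client -showcerts` output) into
# $WORK/chainN.pem, one file per certificate; prints how many were found.
split_chain() {
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain%d.pem", dir, n); p = 1 }
    p { print > f }
    /-----END CERTIFICATE-----/   { p = 0; close(f) }
    END { print n + 0 }' "$1"
}

# Print the first split cert whose issuer equals its subject: the self-signed
# root that belongs in the truststore (the thread imported "the LDAPS cert",
# which may have been the leaf instead). Returns 1 if the bundle has no root.
find_trust_anchor() {
  for f in "$WORK"/chain*.pem; do
    s=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$f" | sed 's/^issuer=//')
    if [ "$s" = "$i" ]; then echo "$f"; return 0; fi
  done
  return 1
}

# $1 = PEM the client trusts, $2 = server cert. Succeeds only if openssl can
# build a path from $2 to $1, the same question JSSE's PKIX validator asks.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# 0 if $1 and $2 are the same certificate, 1 otherwise. Use it to compare what
# the truststore holds against what the server serves today.
same_cert() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

# The thread's keytool step, here against a fresh store (alias and password are
# assumptions). Copy the JDK cacerts first, as the thread does, only if the
# same JVM must also trust public CAs. Skipped when no JDK is installed.
build_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping truststore build"; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias openLdapCA -file "$1" \
    -keystore "$2" -storepass changeit >/dev/null 2>&1
  keytool -list -keystore "$2" -storepass changeit | grep -c trustedCertEntry
}

gen_ca
gen_leaf old   # the cert that was imported a month ago
gen_leaf new   # the cert the server presents now
cat "$WORK/new.pem" "$WORK/ca.pem" > "$WORK/showcerts.pem"   # leaf first, then issuer, as s_client prints it

echo "certs in bundle:  $(split_chain "$WORK/showcerts.pem")"
anchor=$(find_trust_anchor)
echo "trust anchor:     $anchor"
if verify_leaf "$anchor" "$WORK/new.pem"; then echo "chain OK against the CA"; fi
if ! verify_leaf "$WORK/old.pem" "$WORK/new.pem"; then echo "stale leaf in the store cannot validate the new cert"; fi
if ! same_cert "$WORK/old.pem" "$WORK/new.pem"; then echo "fingerprint mismatch: truststore entry is stale"; fi
echo "entries in store: $(build_truststore "$anchor" "$WORK/userSyncCAcerts")"
echo "JVM option:       -Djavax.net.ssl.trustStore=$WORK/userSyncCAcerts"
```

On a live system, replace showcerts.pem with the output of the command Selva asked for (openssl s_client -showcerts -connect platalytics.com:636 </dev/null, saved to a file) and compare the fingerprint split_chain extracts with what keytool -list -v -keystore userSyncCAcerts prints for the openLdap alias; both print the same SHA256 value. JSSE treats a certificate that is itself in the truststore as trusted, so importing only the leaf works until that leaf is reissued, which is exactly the point at which a previously working usersync starts failing with "unable to find valid certification path"; importing the issuing CA keeps working across renewals. The truststore password is only used by the JVM for an integrity check, so -Djavax.net.ssl.trustStorePassword is optional for a store that is only read.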

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
Thanks Neethiraj,

I tried the above solution but it still gives the following logs:

07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Starting User
Sync Service!
07 Oct 2015 01:50:35  INFO UnixAuthenticationService [main] - Enabling Unix
Auth Service!
07 Oct 2015 01:50:35  INFO UserGroupSync [UnixUserSyncThread] -
initializing sink:
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
07 Oct 2015 01:50:36  WARN NativeCodeLoader [main] - Unable to load
native-hadoop library for your platform... using builtin-java classes where
applicable
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
Protocol: [SSLv2Hello]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.1]
07 Oct 2015 01:50:37  INFO UnixAuthenticationService [main] - Enabling
Protocol: [TLSv1.2]
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LdapUserGroupBuilder created
07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] -
initializing source:
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
07 Oct 2015 01:50:38  INFO UserGroupSync [UnixUserSyncThread] - Begin:
initial load of user/group from source==>sink
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LDAPUserGroupBuilder updateSink started
07 Oct 2015 01:50:38  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
LdapUserGroupBuilder initialization started
07 Oct 2015 01:50:39 ERROR UserGroupSync [UnixUserSyncThread] - Failed to
initialize UserGroup source/sink. Will retry after 3600000 milliseconds.
Error details:
javax.naming.CommunicationException: simple bind failed: example.com:636
[Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
at
org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
... 14 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 33 more


On Wed, Oct 7, 2015 at 1:19 AM, Selvamohan Neethiraj <sn...@apache.org>
wrote:

> Thanks Aneela,
>
> This indicates to me that you are using a self-signed certificate (
>   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com )  for the
> ldap server.
> Is this certificate added to the Java truststore file (
> ${JAVA_HOME}/jre/lib/security/cacerts) ?
>
> If that is already done, please add the following SSL debug flag to the
> usersync process and run the usersync to see more detailed SSL error
> message (in the stdout file) …
>
> *		-Djavax.net.debug=all*
>
> Please let us know if this provides more details to identify the issue …
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Tuesday, October 6, 2015 at 4:06 PM
>
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Hi Neethiraj,
>
> Following is the output of the above command. Sorry, I have changed the domain
> name to example.com now.
>
>
> CONNECTED(00000003)
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform,
> CN = example.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>
>  1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
>    i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> Server certificate
> subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
> issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2368 bytes and written 663 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-SHA256
>     Session-ID:
> 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
>     Session-ID-ctx:
>     Master-Key:
> 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1444161895
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
>
>
> On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <
> sneethiraj@hortonworks.com> wrote:
>
>> Aneela:
>>
>>
>> To verify the certificate (chain), can you run the following command and
>> send us the output of the command ?
>>
>>
>> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>>
>>
>>
>> Thanks,
>>
>> Selva-
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: "user@ranger.incubator.apache.org" <
>> user@ranger.incubator.apache.org>
>> Date: Monday, October 5, 2015 at 1:16 PM
>> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>>
>>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> No, there are no intermediate certificates. No, I'm not using the same trust
>> store for performing ldapsearch. I'm using the
>> *TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file
>>
>> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
>> spolavarapu@hortonworks.com> wrote:
>>
>>> Are there any intermediate certs? If so, are they also added in the
>>> trust store?
>>> And just to make sure, in the ldap configuration, are you using same
>>> trust store for performing ldapsearch?
>>>
>>>
>>> From: Aneela Saleem
>>> Reply-To: "user@ranger.incubator.apache.org"
>>> Date: Sunday, October 4, 2015 at 10:15 AM
>>>
>>> To: "user@ranger.incubator.apache.org"
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> Is there any issue with JAVA keystore?
>>>
>>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com>
>>> wrote:
>>>
>>> Yes, the following command works fine
>>>>
>>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub
>>>> 'cn=aneela'
>>>>
>>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org>
>>>> wrote:
>>>>
>>>>> It is surprising that it will just stop working. Are you able to do
>>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>>> the OpenLDAP side?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>>
>>>>> To: <us...@ranger.incubator.apache.org>
>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>
>>>>> I also checked it on another machine. The same issue is there.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <aneela@platalytics.com
>>>>> > wrote:
>>>>>
>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated
>>>>>> a new one. Still the same issue.
>>>>>>
>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Aneela,
>>>>>>> Please check whether the certificate has expired.
>>>>>>> Dilli
>>>>>>>
>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Bosco
>>>>>>>>
>>>>>>>>
>>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>>
>>>>>>>> It was working fine one month ago. But now the same issue has
>>>>>>>> occurred.
>>>>>>>>
>>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <
>>>>>>>> aneela@platalytics.com> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I followed all the following steps i.e.,
>>>>>>>>>
>>>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>>
>>>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem
>>>>>>>>> -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>>>
>>>>>>>>> Add the java option
>>>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>>>> to
>>>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>>>>
>>>>>>>>> Where it invokes java command like the following
>>>>>>>>>
>>>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>>>>> validation issues. Following are the logs:
>>>>>>>>>
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>> Starting User Sync Service!
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Unix Auth Service!
>>>>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> initializing sink:
>>>>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to
>>>>>>>>> load native-hadoop library for your platform... using builtin-java classes
>>>>>>>>> where applicable
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [SSLv2Hello]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1.1]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] -
>>>>>>>>> Enabling Protocol: [TLSv1.2]
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> initializing source:
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> Begin: initial load of user/group from source==>sink
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder
>>>>>>>>> [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] -
>>>>>>>>> Failed to initialize UserGroup source/sink. Will retry after 21600000
>>>>>>>>> milliseconds. Error details:
>>>>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>>>>> platalytics.com:636 [Root exception is
>>>>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>> valid certification path to requested target]
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>>>> at
>>>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>>>> at
>>>>>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>>>> at
>>>>>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>>>> at
>>>>>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>>>> at
>>>>>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>>>> at
>>>>>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>>>> at
>>>>>>>>> java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>>>> ... 14 more
>>>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>>>>>>>> building failed:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>>>> at
>>>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>>>> ... 27 more
>>>>>>>>> Caused by:
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>>>>>> valid certification path to requested target
>>>>>>>>> at
>>>>>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>>>> at
>>>>>>>>> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>>>> at
>>>>>>>>> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>>>> ... 33 more
>>>>>>>>>
>>>>>>>>> And following is the output of nohup command:
>>>>>>>>>
>>>>>>>>> Host key verification failed.
>>>>>>>>>
>>>>>>>>> Can someone please help me figure out the issue?
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
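
The chain check this thread is working through, as an added example that is not code from the Ranger project or from anyone on the list: it parses the `openssl s_client -showcerts` output in the format posted above and walks the presented chain the way Java's PKIX path builder does, reporting which certificate still has to be imported into the usersync truststore. The trusted fingerprints are assumed to come from `keytool -list -v` on the truststore (here a constructed set), and the DER bodies in the sample transcript are constructed placeholders, not the real certificates.

```python
"""Check the chain an LDAPS server presents against a Java truststore.

Constructed example for this thread, not code from the Ranger project or any
poster: it parses `openssl s_client -showcerts` output as posted above and walks
the chain like Java's PKIX path builder, naming the certificate still to import.
"""
import base64
import hashlib
import re

# One "Certificate chain" entry: " 0 s:<subject>", "   i:<issuer>", then a PEM block.
ENTRY_RE = re.compile(
    r"^\s*(\d+) s:(.*?)\n\s*i:(.*?)\n\s*"
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.S | re.M,
)


def parse_chain(s_client_output):
    """Return the presented chain, leaf first, as dicts with subject/issuer/der."""
    section = re.search(r"^Certificate chain\n(.*?)^---\s*$", s_client_output,
                        re.S | re.M)
    if section is None:
        raise ValueError("no 'Certificate chain' section in s_client output")
    chain = []
    for depth, subject, issuer, body in ENTRY_RE.findall(section.group(1)):
        chain.append({"depth": int(depth), "subject": subject.strip(),
                      "issuer": issuer.strip(),
                      "der": base64.b64decode("".join(body.split()))})
    return chain


def fingerprint(der):
    """SHA-256 fingerprint in keytool's colon-separated upper-case hex form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def diagnose(chain, trusted_fingerprints):
    """Return (status, explanation). DN matching is a plain string comparison;
    a real PKIX validator also checks key identifiers, signatures and validity."""
    if not chain:
        return "empty", "server presented no certificates"
    trusted = set(trusted_fingerprints)
    for i, cert in enumerate(chain):
        if fingerprint(cert["der"]) in trusted:
            return "ok", f"depth {i} ({cert['subject']}) is a trust anchor in the truststore"
        if cert["subject"] == cert["issuer"]:
            # A self-signed cert ends the chain; only trusting it directly can help.
            return "untrusted-self-signed", (f"depth {i} ({cert['subject']}) is "
                "self-signed and not in the truststore; import it with keytool")
        if i + 1 == len(chain):
            return "missing-issuer", (f"issuer of depth {i} ({cert['issuer']}) was "
                "neither sent by the server nor found in the truststore")
        if chain[i + 1]["subject"] != cert["issuer"]:
            return "broken-chain", (f"depth {i} was issued by {cert['issuer']} but "
                f"depth {i + 1} is {chain[i + 1]['subject']}")


def check_truststore(s_client_output, trusted_fingerprints):
    """Parse the s_client transcript and diagnose it in one call."""
    return diagnose(parse_chain(s_client_output), trusted_fingerprints)


# Constructed stand-ins for the DER certificates (the thread's base64 blobs are omitted).
LEAF_DER = b"constructed leaf certificate for CN=example.com"
CA_DER = b"constructed self-signed CA certificate"

# Constructed transcript in the same shape as the one posted in the thread.
SAMPLE_OUTPUT = f"""CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com

-----BEGIN CERTIFICATE-----
{base64.b64encode(LEAF_DER).decode()}
-----END CERTIFICATE-----
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
{base64.b64encode(CA_DER).decode()}
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    # Before: a truststore without the CA (the thread's situation); after: the CA
    # fingerprint is present, as it would be once keytool -import has been run.
    for label, trusted in (("without CA", set()), ("with CA", {fingerprint(CA_DER)})):
        status, detail = check_truststore(SAMPLE_OUTPUT, trusted)
        print(f"{label}: {status} - {detail}")
```

Because the issuing certificate at depth 1 is self-signed, nothing the server sends can vouch for it; the check reports it as the one to import, which is the keytool step from the first message.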

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Selvamohan Neethiraj <sn...@apache.org>.
Thanks Aneela,

This indicates to me that you are using a self-signed certificate (
i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com ) for the ldap server.
Is this certificate added to the Java truststore file
(${JAVA_HOME}/jre/lib/security/cacerts) ?

If that is already done, please add the following SSL debug flag to the
usersync process and run the usersync to see more detailed SSL error message
(in the stdout file) …

		-Djavax.net.debug=all

Please let us know if this provides more details to identify the issue …
Thanks,
Selva-
From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Tuesday, October 6, 2015 at 4:06 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: Issues with usersync (LDAPS certificate not validated)

Hi Neethiraj,

Following is the output of the above command. Sorry, I have changed the domain
name to example.com now.


CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
No client certificate CA names sent
---
SSL handshake has read 2368 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
    Session-ID-ctx:
    Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444161895
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE


On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj
<sn...@hortonworks.com> wrote:
> Aneela:
> 
> 
> 
> To verify the certificate (chain), can you run the following command and send
> us the output of the command ?
> 
> 
> 
> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
> 
> 
> 
> 
> 
> Thanks,
> 
> Selva-
> 
> 
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <us...@ranger.incubator.apache.org>
> Date: Monday, October 5, 2015 at 1:16 PM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> 
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
> 
> No, there are no intermediate certificates. No, I'm not using the same trust store
> for performing ldapsearch. I'm using the
> TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file
> 
> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu
> <sp...@hortonworks.com> wrote:
>> Are there any intermediate certs? If so, are they also added in the trust
>> store? 
>> And just to make sure, in the ldap configuration, are you using same trust
>> store for performing ldapsearch?
>> 
>> 
>> From: Aneela Saleem
>> Reply-To: "user@ranger.incubator.apache.org"
>> Date: Sunday, October 4, 2015 at 10:15 AM
>> 
>> To: "user@ranger.incubator.apache.org"
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>> 
>> Is there any issue with JAVA keystore?
>> 
>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com> wrote:
>>> Yes, the following command works fine
>>> 
>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>> 
>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>> It is surprising that it will just stop working. Are you able to do
>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>> the OpenLDAP side?
>>>> 
>>>> Thanks
>>>> 
>>>> Bosco
>>>> 
>>>> 
>>>> From: Aneela Saleem <an...@platalytics.com>
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>> 
>>>> To: <us...@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>> 
>>>>> I also checked it on another machine. The same issue is there.
>>>>> 
>>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com>
>>>>> wrote:
>>>>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a
>>>>>> new one. Still the same issue.
>>>>>> 
>>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com>
>>>>>> wrote:
>>>>>>> Aneela, 
>>>>>>> Please check whether the certificate has expired.
>>>>>>> Dilli
>>>>>>> 
>>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>>> wrote:
>>>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> Bosco
>>>>>>> 
>>>>>>> 
>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>> 
>>>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>>> 
>>>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <an...@platalytics.com>
>>>>>>> wrote:
>>>>>>> Hi all, 
>>>>>>> 
>>>>>>> I followed all the following steps i.e.,
>>>>>>> 
>>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> 
>>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>>  
>>>>>>> Add the java option
>>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>> to
>>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>> 
>>>>>>> Where it invokes java command like the following
>>>>>>> 
>>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>> 
>>>>>>> 
>>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>>>>>> validation issues. Following are the logs:
>>>>>>> 
>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Starting
>>>>>>> User Sync Service!
>>>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Enabling
>>>>>>> Unix Auth Service!
>>>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>> initializing sink:
>>>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to load
>>>>>>> native-hadoop library for your platform... using builtin-java classes
>>>>>>> where applicable
>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>>> Protocol: [SSLv2Hello]
>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>>> Protocol: [TLSv1]
>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>>> Protocol: [TLSv1.1]
>>>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>>>> Protocol: [TLSv1.2]
>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>>> LdapUserGroupBuilder created
>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>>>> initializing source:
>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] - Begin:
>>>>>>> initial load of user/group from source==>sink
>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>>> LDAPUserGroupBuilder updateSink started
>>>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>>>> LdapUserGroupBuilder initialization started
>>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed
>>>>>>> to initialize UserGroup source/sink. Will retry after 21600000
>>>>>>> milliseconds. Error details:
>>>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>>>> platalytics.com:636 <http://platalytics.com:636>  [Root exception is
>>>>>>> javax.net.ssl.SSLHandshakeException:
>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>>>>> find valid certification path to requested target]
>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>> at 
>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>> at 
>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:
>>>>>>> 154)
>>>>>>> at 
>>>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:8
>>>>>>> 4)
>>>>>>> at 
>>>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>> at 
>>>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>> at 
>>>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>> at 
>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapCo
>>>>>>> ntext(LdapUserGroupBuilder.java:149)
>>>>>>> at 
>>>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(L
>>>>>>> dapUserGroupBuilder.java:261)
>>>>>>> at 
>>>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>>>>> find valid certification path to requested target
>>>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>> at 
>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.jav
>>>>>>> a:1446)
>>>>>>> at 
>>>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:2
>>>>>>> 09)
>>>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>> at 
>>>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.jav
>>>>>>> a:1332)
>>>>>>> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>> at 
>>>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>> ... 14 more
>>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building
>>>>>>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>>>> unable to find valid certification path to requested target
>>>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>> at 
>>>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:2
>>>>>>> 92)
>>>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>> at 
>>>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java
>>>>>>> :326)
>>>>>>> at 
>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.
>>>>>>> java:231)
>>>>>>> at 
>>>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManage
>>>>>>> rImpl.java:126)
>>>>>>> at 
>>>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.jav
>>>>>>> a:1428)
>>>>>>> ... 27 more
>>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>>>> unable to find valid certification path to requested target
>>>>>>> at 
>>>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPat
>>>>>>> hBuilder.java:196)
>>>>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>> ... 33 more
>>>>>>> 
>>>>>>> And following is the output of nohup command:
>>>>>>> 
>>>>>>> Host key verification failed.
>>>>>>> 
>>>>>>> Can someone please help me figure out the issue?
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>> 
>> 
> 




Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
Hi Neethiraj,

Following is the output of the above command. Sorry, I have changed the domain name to example.com.


CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
issuer=/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
---
No client certificate CA names sent
---
SSL handshake has read 2368 bytes and written 663 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 634C48D3BEF778B038BB1B61384727034EBF315F6BF9269D20AFD0D73BFB4825
    Session-ID-ctx:
    Master-Key: 84FBEC8A7C82E1C403566885E229B0A93AE09E220A0C23576E48D27763B5195F96D188537740F30621A58484E8BF6E03
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444161895
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE


On Mon, Oct 5, 2015 at 10:22 PM, Selvamohan Neethiraj <
sneethiraj@hortonworks.com> wrote:

> Aneela:
>
>
> To verify the certificate (chain), can you run the following command and
> send us the output of the command ?
>
>
> $ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null
>
>
>
> Thanks,
>
> Selva-
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Monday, October 5, 2015 at 1:16 PM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> No there are no intermediate certificates. No i'm not using same trust
> store for performing ldapsearch. I'm using
> *TLS_CACERT /etc/ldap/cacert.pem* option in ldap.conf file
>
> On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
> spolavarapu@hortonworks.com> wrote:
>
>> Are there any intermediate certs? If so, are they also added in the trust
>> store?
>> And just to make sure, in the ldap configuration, are you using same
>> trust store for performing ldapsearch?
>>
>>
>> From: Aneela Saleem
>> Reply-To: "user@ranger.incubator.apache.org"
>> Date: Sunday, October 4, 2015 at 10:15 AM
>>
>> To: "user@ranger.incubator.apache.org"
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> Is there any issue with JAVA keystore?
>>
>> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com>
>> wrote:
>>
>>> Yes following command works fine
>>>
>>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H
>>> ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub
>>> 'cn=aneela'
>>>
>>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> It is surprising that it will just stop working. Are you able to do
>>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>>> the OpenLDAP side?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem <an...@platalytics.com>
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Thursday, October 1, 2015 at 11:55 PM
>>>>
>>>> To: <us...@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> I also checked it on another machine. Same issue is there
>>>>
>>>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com>
>>>> wrote:
>>>>
>>>>> I guess no JDK changes. And i re-checked certificate infact generated
>>>>> a new one. Still same issue.
>>>>>
>>>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Aneela,
>>>>>> Please check whether the certificate has expired.
>>>>>> Dilli
>>>>>>
>>>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Any other changes you can think of? JDK changes, etcs?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Bosco
>>>>>>>
>>>>>>>
>>>>>>> From: Aneela Saleem <an...@platalytics.com>
>>>>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>>>> To: <us...@ranger.incubator.apache.org>
>>>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>>>
>>>>>>> It was working fine one month ago. But now the same issue is
>>>>>>> occurred.
>>>>>>>
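
The s_client output in the reply above shows a two-certificate chain whose top certificate is self-signed (its subject equals its issuer), so the server does send its CA, and the local verify failure (return code 21, "unable to verify the first certificate") only says that openssl, run without a -CAfile, had no trust anchor for it. The Python script below is an added example, not code from the thread or from Apache Ranger. It parses the plain-text format that `openssl s_client -showcerts` prints, checks that each certificate's issuer is the subject of the next one, identifies the self-signed trust anchor that belongs in the usersync truststore, and compares the leaf CN to the expected host. The embedded sample is constructed from the thread's output with the PEM bodies replaced by placeholders; only the CN is compared because the s_client text does not print subjectAltName.

```python
"""Diagnose an LDAPS certificate chain from `openssl s_client -showcerts` text.

Added example, not code from the thread or from Apache Ranger. It reads the
plain-text format that s_client prints and reports what a trust-store
operator needs to know before running keytool -import.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample: the shape of the thread's s_client output, with the PEM
# bodies replaced by the placeholders LEAF_BODY / CA_BODY so it runs offline.
SAMPLE_OUTPUT = """CONNECTED(00000003)
depth=0 C = PK, ST = Punjab, L = lahore, O = platalytics, OU = platform, CN = example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=PK/ST=Punjab/L=lahore/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com

-----BEGIN CERTIFICATE-----
LEAF_BODY
-----END CERTIFICATE-----
 1 s:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
   i:/C=PK/ST=Punjab/O=platalytics/OU=platform/CN=example.com
-----BEGIN CERTIFICATE-----
CA_BODY
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
"""

# One " N s:<subject> / i:<issuer> / <PEM>" block per certificate in the chain.
CHAIN_RE = re.compile(
    r"^[ \t]*(\d+) s:([^\n]*)\n[ \t]*i:([^\n]*)\n\s*"
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL,
)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str
    pem: str

    @property
    def self_signed(self) -> bool:
        # A self-signed certificate names itself as issuer; in a chain from a
        # private CA this is the root that belongs in the trust store.
        return self.subject == self.issuer


def parse_chain(text: str) -> list[ChainCert]:
    """Return the certificates in the order s_client printed them (leaf first)."""
    return [ChainCert(int(d), s.strip(), i.strip(), pem)
            for d, s, i, pem in CHAIN_RE.findall(text)]


def common_name(dn: str) -> str | None:
    """Extract CN from either '/C=PK/CN=x' or 'C = PK, CN = x' DN spellings."""
    m = re.search(r"(?:^|/|,\s*)CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else None


def trust_anchor_pem(text: str) -> str | None:
    """PEM of the self-signed certificate at the top of the chain, if any."""
    chain = parse_chain(text)
    return chain[-1].pem if chain and chain[-1].self_signed else None


def diagnose(text: str, expected_host: str) -> dict:
    """Summarise what the chain tells a trust-store operator."""
    chain = parse_chain(text)
    top = chain[-1] if chain else None
    m = VERIFY_RE.search(text)
    report = {
        "chain_length": len(chain),
        "links_ok": all(a.issuer == b.subject for a, b in zip(chain, chain[1:])),
        "root_self_signed": bool(top) and top.self_signed,
        "anchor_subject": top.subject if top and top.self_signed else None,
        # If the top certificate is not self-signed the server omitted its
        # issuer, which must then be obtained out of band and trusted.
        "missing_issuer": top.issuer if top and not top.self_signed else None,
        "leaf_cn": common_name(chain[0].subject) if chain else None,
        "verify_code": int(m.group(1)) if m else None,
        "verify_text": m.group(2) if m else None,
    }
    report["cn_matches"] = report["leaf_cn"] == expected_host
    return report


if __name__ == "__main__":
    # Pipe real output in (openssl s_client -showcerts ... | python3 chaincheck.py host)
    # or run with no input to see the constructed sample analysed.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for key, value in diagnose(text, host).items():
        print(f"{key:>17}: {value}")
```

When the report names a self-signed anchor, that PEM is what to feed the `keytool -import -trustcacerts` step from the thread; trusting the CA rather than the leaf certificate also keeps the truststore valid when the LDAPS server certificate is regenerated. A `missing_issuer` entry means the server is not sending its full chain, and no amount of re-importing the leaf will make the Java PKIX validator find a path.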

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Selvamohan Neethiraj <sn...@hortonworks.com>.
Aneela:


To verify the certificate (chain), can you run the following command and send us the output of the command ?


$ openssl s_client -showcerts -connect platalytics.com:636 < /dev/null



Thanks,

Selva-

From: Aneela Saleem <an...@platalytics.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Monday, October 5, 2015 at 1:16 PM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

No, there are no intermediate certificates. No, I'm not using the same trust store for performing ldapsearch. I'm using the
TLS_CACERT /etc/ldap/cacert.pem option in the ldap.conf file.

On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <sp...@hortonworks.com> wrote:
Are there any intermediate certs? If so, are they also added in the trust store?
And just to make sure, in the ldap configuration, are you using same trust store for performing ldapsearch?


From: Aneela Saleem
Reply-To: "user@ranger.incubator.apache.org"
Date: Sunday, October 4, 2015 at 10:15 AM

To: "user@ranger.incubator.apache.org"
Subject: Re: Issues with usersync (LDAPS certificate not validated)

Is there any issue with JAVA keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com> wrote:
Yes following command works fine

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?

Thanks

Bosco


From: Aneela Saleem <an...@platalytics.com>
Reply-To: <us...@ranger.incubator.apache.org>
Date: Thursday, October 1, 2015 at 11:55 PM

To: <us...@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

I also checked it on another machine. Same issue is there

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com> wrote:
I guess no JDK changes. And i re-checked certificate infact generated a new one. Still same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com> wrote:
Aneela,
Please check whether the certificate has expired.
Dilli

On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
Any other changes you can think of? JDK changes, etcs?

Thanks

Bosco


From: Aneela Saleem <an...@platalytics.com>
Reply-To: <us...@ranger.incubator.apache.org>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <us...@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

It was working fine one month ago. But now the same issue is occurred.


Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
No, there are no intermediate certificates. No, I'm not using the same trust
store for performing ldapsearch. I'm using the
*TLS_CACERT /etc/ldap/cacert.pem* option in the ldap.conf file.

On Mon, Oct 5, 2015 at 10:12 PM, Sailaja Polavarapu <
spolavarapu@hortonworks.com> wrote:

> Are there any intermediate certs? If so, are they also added in the trust
> store?
> And just to make sure, in the ldap configuration, are you using same trust
> store for performing ldapsearch?
>
>
> From: Aneela Saleem
> Reply-To: "user@ranger.incubator.apache.org"
> Date: Sunday, October 4, 2015 at 10:15 AM
>
> To: "user@ranger.incubator.apache.org"
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> Is there any issue with JAVA keystore?
>
> On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com>
> wrote:
>
>> Yes following command works fine
>>
>> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://
>> platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>>
>> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>
>>> It is surprising that it will just stop working. Are you able to do
>>> ldapsearch from command line? Just to make sure there is nothing wrong on
>>> the OpenLDAP side?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Sailaja Polavarapu <sp...@hortonworks.com>.
Are there any intermediate certs? If so, are they also added to the trust store?
And just to make sure, in the ldap configuration, are you using the same trust store for performing ldapsearch?


From: Aneela Saleem
Reply-To: "user@ranger.incubator.apache.org"
Date: Sunday, October 4, 2015 at 10:15 AM
To: "user@ranger.incubator.apache.org"
Subject: Re: Issues with usersync (LDAPS certificate not validated)

Is there any issue with the Java keystore?


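A way to answer these questions with the same machinery usersync uses, as an added example that is not Ranger's code or anything posted in this thread: it loads the truststore named by -Djavax.net.ssl.trustStore, captures the chain the LDAPS server presents, reports for each certificate whether it or its issuer is in the store (so a missing intermediate, an expired cert, or a stale copy of a regenerated server cert is visible), runs the JVM's own PKIX trust manager over that chain, and finally performs the same InitialLdapContext simple bind that fails in the log. The class name LdapsTrustCheck, the "changeit" default store password and the host/port/bindDn arguments are assumptions; run it as `java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts LdapsTrustCheck platalytics.com 636 "cn=aneela,ou=users,dc=platalytics,dc=com"` from a terminal, since the bind password is prompted for.

```java
// LdapsTrustCheck.java (added diagnostic; not part of Apache Ranger)
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.net.ssl.*;

public class LdapsTrustCheck {

    /** Load the store named by -Djavax.net.ssl.trustStore (password defaults to "changeit"). */
    static KeyStore loadTrustStore() throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        if (path == null) throw new IllegalStateException("-Djavax.net.ssl.trustStore is not set");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass.toCharArray());
        }
        return ks;
    }

    /** Capture the chain the server presents. This socket deliberately validates nothing so the
     *  handshake cannot fail here; it is closed at once, and the trust decision is made only by
     *  validateChain() and tryBind() against the real truststore. */
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) { seen[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return seen[0];
    }

    /** Run the JVM's own PKIX trust manager, built from the store, over the captured chain. */
    static String validateChain(KeyStore ks, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "UNKNOWN"); // generic server authType JSSE accepts
            return "OK";
        } catch (CertificateException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    /** The same call usersync makes: InitialLdapContext with a simple bind over ldaps://. */
    static String tryBind(String url, String bindDn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialLdapContext(env, null).close();
            return "bind OK";
        } catch (NamingException e) {
            return "bind FAILED: " + (e.getRootCause() != null ? e.getRootCause() : e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage (interactive): LdapsTrustCheck <host> <port> <bindDn>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore ks = loadTrustStore();
        List<X509Certificate> trusted = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted.add((X509Certificate) ks.getCertificate(alias));
        }
        System.out.println("Truststore holds " + trusted.size() + " certificate(s)");
        X509Certificate[] chain = fetchServerChain(host, port);
        System.out.println(host + ":" + port + " presented " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            boolean inStore = trusted.contains(c);            // this exact cert was imported
            boolean issuerInStore = false;                    // its CA / intermediate was imported
            for (X509Certificate t : trusted) {
                if (t.getSubjectX500Principal().equals(c.getIssuerX500Principal())) issuerInStore = true;
            }
            System.out.printf("  [%d] %s%n      issuer=%s%n      notAfter=%s inStore=%b issuerInStore=%b%n",
                    i, c.getSubjectX500Principal(), c.getIssuerX500Principal(), c.getNotAfter(), inStore, issuerInStore);
        }
        // No presented cert in the store and the last one's issuer absent too means PKIX has no
        // anchor: the intermediate/root was never imported, or the server cert was regenerated
        // after cert.pem was imported and the store still holds the old copy.
        System.out.println("PKIX check with this truststore: " + validateChain(ks, chain));
        char[] pw = System.console().readPassword("bind password for %s: ", args[2]);
        System.out.println(tryBind("ldaps://" + host + ":" + port, args[2], pw));
    }
}
```

If the PKIX check prints OK but the bind still fails, the problem is outside the truststore (for example the running usersync JVM not actually receiving the -D option); if both fail, the printed inStore/issuerInStore flags show which certificate the store is missing.
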
Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
Is there any issue with the Java keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <an...@platalytics.com>
wrote:

> Yes following command works fine
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>
> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> It is surprising that it will just stop working. Are you able to do
>> ldapsearch from command line? Just to make sure there is nothing wrong on
>> the OpenLDAP side?
>>
>> Thanks
>>
>> Bosco

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
Yes, the following command works fine

ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:

> It is surprising that it will just stop working. Are you able to do
> ldapsearch from command line? Just to make sure there is nothing wrong on
> the OpenLDAP side?
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Thursday, October 1, 2015 at 11:55 PM
>
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> I also checked it on another machine. Same issue is there
>
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com>
> wrote:
>
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a
>> new one. Still the same issue.
>>
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com>
>> wrote:
>>
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>>
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>>> wrote:
>>>
>>>> Any other changes you can think of? JDK changes, etc.?
>>>>
>>>> Thanks
>>>>
>>>> Bosco
>>>>
>>>>
>>>> From: Aneela Saleem <an...@platalytics.com>
>>>> Reply-To: <us...@ranger.incubator.apache.org>
>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>> To: <us...@ranger.incubator.apache.org>
>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>
>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>
>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <an...@platalytics.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I followed all the following steps i.e.,
>>>>>
>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>
>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem
>>>>> -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>> (where cert.pem has the the LDAPS cert)
>>>>>
>>>>> Add  java option
>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036
>>>>> /ranger-usersync/userSyncCAcerts
>>>>> To
>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>
>>>>> Where it invokes java command like the following
>>>>>
>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>  . . .
>>>>>
>>>>>
>>>>> But i'm unable to sync LDAP contacts in Ranger due to certificates
>>>>> validation issues. Following are the logs
>>>>>
>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Starting
>>>>> User Sync Service!
>>>>> 30 Sep 2015 14:48:56  INFO UnixAuthenticationService [main] - Enabling
>>>>> Unix Auth Service!
>>>>> 30 Sep 2015 14:48:56  INFO UserGroupSync [UnixUserSyncThread] -
>>>>> initializing sink:
>>>>> org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>> 30 Sep 2015 14:48:57  WARN NativeCodeLoader [main] - Unable to load
>>>>> native-hadoop library for your platform... using builtin-java classes where
>>>>> applicable
>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>> Protocol: [SSLv2Hello]
>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>> Protocol: [TLSv1]
>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>> Protocol: [TLSv1.1]
>>>>> 30 Sep 2015 14:48:58  INFO UnixAuthenticationService [main] - Enabling
>>>>> Protocol: [TLSv1.2]
>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>> LdapUserGroupBuilder created
>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] -
>>>>> initializing source:
>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>> 30 Sep 2015 14:48:58  INFO UserGroupSync [UnixUserSyncThread] - Begin:
>>>>> initial load of user/group from source==>sink
>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>> LDAPUserGroupBuilder updateSink started
>>>>> 30 Sep 2015 14:48:58  INFO LdapUserGroupBuilder [UnixUserSyncThread] -
>>>>> LdapUserGroupBuilder initialization started
>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed
>>>>> to initialize UserGroup source/sink. Will retry after 21600000
>>>>> milliseconds. Error details:
>>>>> javax.naming.CommunicationException: simple bind failed:
>>>>> platalytics.com:636 [Root exception is
>>>>> javax.net.ssl.SSLHandshakeException:
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target]
>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>> at
>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>> at
>>>>> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>> at
>>>>> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>> at
>>>>> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>> at
>>>>> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>> at
>>>>> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>> at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>> at
>>>>> javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>> at
>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>> at
>>>>> org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>> at
>>>>> org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: javax.net.ssl.SSLHandshakeException:
>>>>> sun.security.validator.ValidatorException: PKIX path building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>> at
>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>> at
>>>>> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>> at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>> at
>>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>> at
>>>>> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>> ... 14 more
>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path
>>>>> building failed:
>>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>>>>> valid certification path to requested target
>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>> at
>>>>> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>> at sun.security.validator.Validator.validate(Validator.java:260)
>>>>> at
>>>>> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>> at
>>>>> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>> at
>>>>> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>> at
>>>>> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>> ... 27 more
>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
>>>>> unable to find valid certification path to requested target
>>>>> at
>>>>> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>> ... 33 more
>>>>>
>>>>> And following is the output of nohup command:
>>>>>
>>>>> Host key verification failed.
>>>>>
>>>>> Can someone please help me figure out the issue?
>>>>>
>>>>
>>>>
>>>
>>
>

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Don Bosco Durai <bo...@apache.org>.
It is surprising that it will just stop working. Are you able to do
ldapsearch from the command line? Just to make sure there is nothing wrong
on the OpenLDAP side?

Thanks

Bosco


From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Thursday, October 1, 2015 at 11:55 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issues with usersync (LDAPS certificate not validated)

> I also checked it on another machine. The same issue is there.
> 
> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com> wrote:
>> I guess no JDK changes. And I re-checked the certificate, in fact generated a
>> new one. Still the same issue.
>> 
>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com> wrote:
>>> Aneela,
>>> Please check whether the certificate has expired.
>>> Dilli
>>> 
>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>> Any other changes you can think of? JDK changes, etc.?
>>>> 
>>>> Thanks
>>>> 
>>>> Bosco
>>>> 
>>>> 
>>>> From:  Aneela Saleem <an...@platalytics.com>
>>>> Reply-To:  <us...@ranger.incubator.apache.org>
>>>> Date:  Wednesday, September 30, 2015 at 9:37 PM
>>>> To:  <us...@ranger.incubator.apache.org>
>>>> Subject:  Re: Issues with usersync (LDAPS certificate not validated)
>>>> 
>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>> 



Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
I also checked it on another machine. The same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <an...@platalytics.com>
wrote:

> I guess no JDK changes. And I re-checked the certificate, in fact generated a
> new one. Still the same issue.
>
> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com> wrote:
>
>> Aneela,
>> Please check whether the certificate has expired.
>> Dilli
>>
>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org>
>> wrote:
>>
>>> Any other changes you can think of? JDK changes, etc.?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>>
>>> From: Aneela Saleem <an...@platalytics.com>
>>> Reply-To: <us...@ranger.incubator.apache.org>
>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>> To: <us...@ranger.incubator.apache.org>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> It was working fine one month ago. But now the same issue has occurred.
>>>

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
I guess no JDK changes. And I re-checked the certificate, in fact generated a new
one. Still the same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <di...@gmail.com> wrote:

> Aneela,
> Please check whether the certificate has expired.
> Dilli
>
> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> Any other changes you can think of? JDK changes, etc.?
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem <an...@platalytics.com>
>> Reply-To: <us...@ranger.incubator.apache.org>
>> Date: Wednesday, September 30, 2015 at 9:37 PM
>> To: <us...@ranger.incubator.apache.org>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> It was working fine one month ago. But now the same issue has occurred.
>>

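The two checks raised in this thread (has the server certificate expired, and does the usersync truststore hold anything that chains to what the server presents now) can be reproduced offline. The program below is an added example written for this archive; it is not Apache Ranger code and not something posted in the thread. It uses Go's crypto/x509 in place of the JDK's PKIX validator, which builds certification paths the same way, and every certificate, the CA name and the hostname ldap.example.internal are constructed inside the program. It also shows the caveat behind the procedure in the original post: importing the server's own certificate (cert.pem) into the truststore is accepted only while that exact certificate is the one presented; once the server certificate is reissued with a new key, the stored copy no longer matches anything in the chain and path building fails with the same class of error as "unable to find valid certification path", whereas importing the issuing CA certificate keeps working across reissues.

```go
// Added example, not Apache Ranger code: reproduce offline the failure classes
// discussed in this thread using Go's crypto/x509 as a stand-in for the JDK's
// PKIX validator. All certificates and names below are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LDAPSHost is a constructed hostname; the thread's real host is not used.
const LDAPSHost = "ldap.example.internal"

var serial int64 // unique serial numbers for the constructed certificates

// issueCert creates a certificate for name, signed by parent
// (self-signed when parent is nil), valid from yesterday until notAfter.
func issueCert(name string, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Outcome maps a verification result onto the exception the JDK would raise.
type Outcome string

const (
	Trusted     Outcome = "trusted"
	NoTrustPath Outcome = "no trust path" // JDK: "unable to find valid certification path to requested target"
	Expired     Outcome = "expired"       // JDK: CertificateExpiredException inside the PKIX validator
	Other       Outcome = "other"
)

// VerifyAgainstTrustStore plays the JDK X509TrustManager role: the server's
// leaf certificate is checked against the certificates present in the truststore.
func VerifyAgainstTrustStore(leaf *x509.Certificate, trustStore ...*x509.Certificate) Outcome {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: LDAPSHost})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &unknown):
		return NoTrustPath
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Expired
	default:
		return Other
	}
}

// Scenarios builds a CA, the server certificate it issued, a reissued
// replacement and an expired one, then verifies each against truststores
// populated the way the thread's steps would populate them.
func Scenarios() (map[string]Outcome, error) {
	tenYears := time.Now().Add(10 * 365 * 24 * time.Hour)
	ca, caKey, err := issueCert("Example Internal CA", tenYears, true, nil, nil)
	if err != nil {
		return nil, err
	}
	oldLeaf, _, err := issueCert(LDAPSHost, tenYears, false, ca, caKey) // what cert.pem held while it worked
	if err != nil {
		return nil, err
	}
	newLeaf, _, err := issueCert(LDAPSHost, tenYears, false, ca, caKey) // same name, new key: a reissued cert
	if err != nil {
		return nil, err
	}
	expiredLeaf, _, err := issueCert(LDAPSHost, time.Now().Add(-time.Hour), false, ca, caKey)
	if err != nil {
		return nil, err
	}
	return map[string]Outcome{
		"leaf in truststore, same leaf presented":     VerifyAgainstTrustStore(oldLeaf, oldLeaf),
		"leaf in truststore, reissued leaf presented": VerifyAgainstTrustStore(newLeaf, oldLeaf),
		"CA in truststore, reissued leaf presented":   VerifyAgainstTrustStore(newLeaf, ca),
		"CA in truststore, expired leaf presented":    VerifyAgainstTrustStore(expiredLeaf, ca),
		"empty truststore":                            VerifyAgainstTrustStore(newLeaf),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, outcome := range results {
		fmt.Printf("%-45s -> %s\n", name, outcome)
	}
}
```

Run it with `go run`. The JDK-side equivalents of these checks are `keytool -list -v -keystore <truststore>` to see what was actually imported under the alias (and its expiry dates) and `openssl s_client -connect <host>:636 -showcerts` to see the chain the server presents today; the two have to meet at some certificate. The "Host key verification failed." line in the nohup output is OpenSSH's known_hosts message, not a TLS error, so it is a separate problem from the PKIX failure in the usersync log.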
Re: Issues with usersync (LDAPS certificate not validated)

Posted by Dilli Dorai <di...@gmail.com>.
Aneela,
Please check whether the certificate has expired.
Dilli

On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:

> Any other changes you can think of? JDK changes, etc.?
>
> Thanks
>
> Bosco
>
>
> From: Aneela Saleem <an...@platalytics.com>
> Reply-To: <us...@ranger.incubator.apache.org>
> Date: Wednesday, September 30, 2015 at 9:37 PM
> To: <us...@ranger.incubator.apache.org>
> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>
> It was working fine one month ago. But now the same issue has occurred.
>
> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <an...@platalytics.com>
> wrote:
>
>> Hi all,
>>
>> I followed all the following steps i.e.,
>>
>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2
>> .2.0.0-2036/ranger-usersync/userSyncCAcerts
>>
>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore
>> /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> (where cert.pem has the the LDAPS cert)
>>
>> Add  java option

Re: Issues with usersync (LDAPS certificate not validated)

Posted by Don Bosco Durai <bo...@apache.org>.
Any other changes you can think of? JDK changes, etc.?

Thanks

Bosco


From:  Aneela Saleem <an...@platalytics.com>
Reply-To:  <us...@ranger.incubator.apache.org>
Date:  Wednesday, September 30, 2015 at 9:37 PM
To:  <us...@ranger.incubator.apache.org>
Subject:  Re: Issues with usersync (LDAPS certificate not validated)

> It was working fine one month ago. But now the same issue has occurred.
> 
> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <an...@platalytics.com> wrote:



Re: Issues with usersync (LDAPS certificate not validated)

Posted by Aneela Saleem <an...@platalytics.com>.
It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <an...@platalytics.com>
wrote:

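A diagnostic for the PKIX failure in this thread, added here as an example (it is not Ranger's code and not from any of the posts): it prints which binary a bare `java` resolves to, confirms the configured truststore is readable, and compares the fingerprints of the chain the LDAPS server presents right now with the entries of that truststore, using keytool and openssl. Host, port and truststore path are the thread's; the store password `changeit` (the JDK default for a copied cacerts) and the `--run` argument are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the "unable to find valid certification path" failure
# discussed in the thread; not part of Ranger or of the original posts.
# Assumptions: the store password is the JDK default "changeit" (the store was
# copied from cacerts), and "--run" is this script's own argument.
LDAPS_HOST="${LDAPS_HOST:-platalytics.com}"
LDAPS_PORT="${LDAPS_PORT:-636}"
TRUSTSTORE="${TRUSTSTORE:-/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts}"
STOREPASS="${STOREPASS:-changeit}"

# Reduce "keytool -list" output to lines of "<ALG> <fingerprint>", e.g.
# "SHA1 AA:BB:..." on JDK 7/8 or "SHA-256 ..." on newer JDKs.
keytool_fingerprints() {
    sed -n 's/^.*fingerprint (\([A-Z0-9-]*\)): *\([0-9A-F:]*\).*$/\1 \2/p' | sort -u
}

# Split a PEM bundle (the "openssl s_client -showcerts" output) into certificates
# and print "<ALG> <fingerprint>" for each, using the digest keytool reported.
pem_fingerprints() {
    alg="$1"; flag="-$(printf '%s' "$alg" | tr -d '-' | tr 'A-Z' 'a-z')"; cert=""
    while IFS= read -r line; do
        case "$line" in
            *BEGIN\ CERTIFICATE*) cert="$line" ;;
            *END\ CERTIFICATE*)
                fp=$(printf '%s\n%s\n' "$cert" "$line" \
                     | openssl x509 -noout -fingerprint "$flag" | sed 's/^[^=]*=//')
                printf '%s %s\n' "$alg" "$fp"; cert="" ;;
            *) if [ -n "$cert" ]; then cert="$cert
$line"; fi ;;
        esac
    done
}

# Print the presented certificates that are also entries of the truststore.
# Args: store fingerprint file, chain fingerprint file. Exit status 1 means none
# match; PKIX can then only succeed if the chain's root CA (which servers usually
# do not send) is an entry. A renewed server certificate next to a store that
# holds only the old leaf lands here: "worked a month ago, fails now".
trusted_anchors() {
    grep -F -x -f "$1" "$2"
}

diagnose() {
    # The service script runs a bare "java", so a JDK change alters what runs.
    printf 'java on PATH resolves to: %s\n' \
        "$(readlink -f "$(command -v java)" 2>/dev/null || echo 'none')"
    [ -r "$TRUSTSTORE" ] || { echo "truststore not readable: $TRUSTSTORE"; return 1; }
    tmp=$(mktemp -d) || return 1
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        | keytool_fingerprints > "$tmp/store"
    alg=$(head -n 1 "$tmp/store" | cut -d' ' -f1)
    openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -showcerts </dev/null 2>/dev/null \
        | pem_fingerprints "${alg:-SHA1}" > "$tmp/chain"
    echo "truststore entries:"; cat "$tmp/store"
    echo "chain presented by $LDAPS_HOST:$LDAPS_PORT:"; cat "$tmp/chain"
    if trusted_anchors "$tmp/store" "$tmp/chain" > /dev/null; then
        echo "OK: a presented certificate is an entry of the truststore"
    else
        echo "NO MATCH: import the server's current CA certificate into $TRUSTSTORE"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Run it on the usersync host as `sh check_usersync_trust.sh --run`. A NO MATCH against a truststore that still holds the certificate imported in the thread means the server now presents a different certificate from the one that was imported.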