The issue is still unresolved. Can someone please guide me? I can't make any progress.
On Tue, Aug 25, 2015 at 9:21 PM, Aneela Saleem <[email protected]> wrote:

> Hi Alok!
>
> Can you please see the above issue? And tell me ASAP because I'm stuck at
> this point
>
> On Tue, Aug 25, 2015 at 12:05 AM, Aneela Saleem <[email protected]> wrote:
>
>> I wrote nohup java
>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> in /usr/local/ranger-usersync/ranger-usersync-services.sh file. I'm
>> still getting errors, following are the logs:
>>
>> 25 Aug 2015 00:01:52 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>> 25 Aug 2015 00:01:52 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>> 25 Aug 2015 00:01:52 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>> 25 Aug 2015 00:01:52 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>> 25 Aug 2015 00:01:53 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>> 25 Aug 2015 00:01:53 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>> 25 Aug 2015 00:01:53 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>> 25 Aug 2015 00:01:53 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>> 25 Aug 2015 00:01:53 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>     at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>     ... 1 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>     ... 12 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>     ... 18 more
>> root@aneela-Lenovo-G50-70:/var/log/ranger/usersync# tail -f usersync.log
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>     ... 12 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>     ... 18 more
>>
>> On Mon, Aug 24, 2015 at 10:26 PM, Alok Lal <[email protected]> wrote:
>>
>>> I have the following snippet from an answer that Dilli Arumugam had
>>> provided to someone else in the past on a different forum for this
>>> problem. You could give that a try. He has not only explained the main
>>> issue but also offered a recipe to solve it.
>>>
>>> If the certificate of AD (used for ldaps) is issued by well known CA
>>> (that is trusted by out of box JDK trust store), LDAPS with AD should work
>>> seamlessly. If the certificate is self signed, you have to import the
>>> LDAPS certificate into a local trust store and point JDK to use that
>>> truststore.
>>>
>>> For example:
>>>
>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>
>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>> (where cert.pem has the LDAPS cert)
>>>
>>> Add java option
>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>> To
>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>
>>> Where it invokes java command like the following
>>>
>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>
>>> From: Aneela Saleem
>>> Reply-To: "[email protected]"
>>> Date: Monday, August 24, 2015 at 3:04 AM
>>> To: "[email protected]"
>>> Subject: UserSync with ldaps (LDAP over SSL)
>>>
>>> Hi all,
>>>
>>> I have changed the ldap url from ldap:/// to ldaps:/// in
>>> Ranger-UserSync install.properties file but it fails to sync LDAP users.
>>> And following are the logs from usersync plugin and attached is the
>>> install.properties file. Can you please have a look and pinpoint where
>>> I should write the certificate path?
>>>
>>> javax.naming.CommunicationException: simple bind failed: 127.0.0.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:889)
>>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>     at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
>>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
>>>     at com.sun.jndi.ldap.Connection.run(Connection.java:855)
>>>     ... 1 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>     ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>     ... 18 more
>>> root@aneela-Lenovo-G50-70:/var/log/ranger/usersync# tail -f usersync.log
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>     ... 12 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>     ... 18 more
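
A check for the recipe quoted in this thread, added here as an example and not part of any message above: it reads which trust store a running JVM was actually started with and tests whether the certificate presented on the LDAPS port is in that store. The function names and the sample command line are this example's own, and it assumes the self-signed case the recipe describes (a store that holds only an issuing CA would not match).

```sh
#!/bin/sh
# Added example, not from the thread. The sample command line is constructed.
SAMPLE_CMDLINE='java -Xmx1g -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts -cp lib/* ExampleMain'

# Print the trust store path a java command line selects; status 1 if the
# option is absent (the JVM then uses the JRE's default cacerts).
truststore_from_cmdline() (
  set -f                      # do not glob-expand words such as lib/*
  found=""
  for arg in $1; do
    case "$arg" in
      -Djavax.net.ssl.trustStore=*) found=${arg#*=} ;;  # keep the last occurrence
    esac
  done
  [ -n "$found" ] && printf '%s\n' "$found"
)

# SHA-256 fingerprint of the certificate the server presents on host:port.
server_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds if the store holds a certificate with that fingerprint.
truststore_has() {            # $1 store, $2 fingerprint, $3 store password
  keytool -list -v -keystore "$1" -storepass "$3" 2>/dev/null | grep -qiF "$2"
}

# Linux only: inspect a running JVM by pid and compare against host:port.
# Live use: check_jvm <pid> <host:port> <store password>
check_jvm() {
  store=$(truststore_from_cmdline "$(tr '\0' ' ' < "/proc/$1/cmdline")") ||
    { echo "pid $1: no trustStore option, JRE default cacerts in use"; return 1; }
  fp=$(server_fingerprint "$2")
  [ -n "$fp" ] || { echo "could not fetch a certificate from $2"; return 1; }
  if truststore_has "$store" "$fp" "$3"; then
    echo "OK: $store contains $fp"
  else
    echo "MISSING: $store has no certificate $fp"; return 1
  fi
}

# Offline demonstration on the constructed command line.
echo "trust store in sample: $(truststore_from_cmdline "$SAMPLE_CMDLINE")"
```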
