It was working fine one month ago. But now the same issue has occurred.

On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
> Hi all,
>
> I followed all the following steps i.e.,
>
> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>
> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
> (where cert.pem has the LDAPS cert)
>
> Add java option
> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
> To
> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>
> Where it invokes java command like the following
>
> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>
> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>
> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>     at javax.naming.InitialContext.init(InitialContext.java:242)
>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>     ... 14 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>     ... 27 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>     ... 33 more
>
> And following is the output of nohup command:
>
> Host key verification failed.
>
> Can someone please help me figure out the issue?