Any other changes you can think of? JDK changes, etc.? Thanks

Bosco

From: Aneela Saleem <ane...@platalytics.com>
Reply-To: <user@ranger.incubator.apache.org>
Date: Wednesday, September 30, 2015 at 9:37 PM
To: <user@ranger.incubator.apache.org>
Subject: Re: Issues with usersync (LDAPS certificate not validated)

> It was working fine one month ago. But now the same issue has occurred.
>
> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>> Hi all,
>>
>> I followed all the following steps i.e.,
>>
>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>
>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> (where cert.pem has the LDAPS cert)
>>
>> Add java option
>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>> To
>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>
>> Where it invokes the java command like the following
>>
>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>
>> But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs
>>
>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds.
>> Error details:
>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>     ... 14 more
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>     ... 27 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>     ... 33 more
>>
>> And following is the output of the nohup command:
>>
>> Host key verification failed.
>>
>> Can someone please help me figure out the issue?
>
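The three steps quoted above (copy cacerts, import cert.pem under alias openLdap, add -Djavax.net.ssl.trustStore to the service script) stop working as soon as any one of them has silently come undone: the option has dropped out of the java command line (for instance after a script regeneration or a JDK change of the kind Bosco asks about), the file is no longer readable by the account that starts usersync, or the LDAP server now presents a certificate other than the one that was imported. The script below is an added pre-flight check written for this thread; it is not part of Ranger and not either poster's code. It assumes the service script path, truststore path and alias from the thread, the JDK default truststore password changeit for a copied cacerts file, and a placeholder LDAP host, and it uses keytool and openssl only where they are on the PATH.

```shell
#!/bin/sh
# Pre-flight check for Ranger usersync LDAPS trust. Added example for this
# thread, not Ranger code. Assumed values (from the thread unless noted):
# service script path, truststore alias "openLdap", truststore password
# "changeit" (JDK default for a copied cacerts file; assumption), and a
# placeholder LDAP host. Override any of them through the environment.

SERVICE_SCRIPT=${SERVICE_SCRIPT:-/usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh}
TRUST_ALIAS=${TRUST_ALIAS:-openLdap}
TRUST_PASS=${TRUST_PASS:-changeit}
LDAP_HOST=${LDAP_HOST:-ldap.example.invalid}   # placeholder, set to the real LDAPS host
LDAP_PORT=${LDAP_PORT:-636}

# Print the value of the first -Djavax.net.ssl.trustStore= option found in a
# script's java command line. Returns 1 when the option is absent, which is
# the first thing to check when a regenerated script has lost the edit.
truststore_from_script() (
    set -f   # no glob expansion while splitting command lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        for word in $line; do
            case $word in
                -Djavax.net.ssl.trustStore=*)
                    printf '%s\n' "${word#-Djavax.net.ssl.trustStore=}"
                    exit 0 ;;
            esac
        done
    done < "$1"
    exit 1
)

# Verify the truststore exists, is readable by the current user (run this as
# the account that starts usersync) and still contains the imported alias.
# Prints the reason and returns 1 on the first failing check.
check_truststore() {
    ts=$1; al=$2
    [ -f "$ts" ] || { echo "truststore missing: $ts"; return 1; }
    [ -r "$ts" ] || { echo "truststore not readable by $(id -un): $ts"; return 1; }
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$ts" -storepass "$TRUST_PASS" -alias "$al" >/dev/null 2>&1 \
            || { echo "alias $al not found in $ts"; return 1; }
    else
        echo "keytool not on PATH; alias $al not verified"
    fi
    return 0
}

# Subject, issuer, validity and SHA1 fingerprint of the entry that was imported.
show_trusted_entry() {
    keytool -list -v -keystore "$1" -storepass "$TRUST_PASS" -alias "$2" 2>/dev/null \
        | grep -E 'Owner:|Issuer:|Valid from|SHA1:'
}

# The same fields for the certificate the LDAPS server presents right now, so a
# reissued or rotated server certificate is visible next to the trusted one.
show_served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -fingerprint -sha1
}

main() {
    ts=$(truststore_from_script "$SERVICE_SCRIPT") \
        || { echo "no -Djavax.net.ssl.trustStore option in $SERVICE_SCRIPT"; return 1; }
    echo "service script points at: $ts"
    check_truststore "$ts" "$TRUST_ALIAS" || return 1
    echo "--- trusted entry ($TRUST_ALIAS) ---"
    show_trusted_entry "$ts" "$TRUST_ALIAS"
    echo "--- served by $LDAP_HOST:$LDAP_PORT ---"
    show_served_chain "$LDAP_HOST" "$LDAP_PORT"
}

# Run the diagnostic only when asked, so the functions can also be sourced.
if [ "${RUN_DIAG:-0}" = 1 ]; then main; fi
```

Run it as the usersync account, for example `RUN_DIAG=1 LDAP_HOST=platalytics.com sh check_usersync_trust.sh` (the file name is whatever you save it as). Either the two fingerprints agree or the served certificate's issuer must be a trusted entry in the same truststore; anything else reproduces the PKIX path building failure in the log. The script covers only the Java side: the `Host key verification failed.` line in the nohup output is OpenSSH's known_hosts check and is independent of the JSSE truststore.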