I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still the same issue.

On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:

> Aneela,
> Please check whether the certificate has expired.
> Dilli
>
> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> Any other changes you can think of? JDK changes, etc.?
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Reply-To: <user@ranger.incubator.apache.org>
>> Date: Wednesday, September 30, 2015 at 9:37 PM
>> To: <user@ranger.incubator.apache.org>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> It was working fine one month ago. But now the same issue has occurred.
>>
>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>
>>> Hi all,
>>>
>>> I followed all the following steps, i.e.,
>>>
>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>
>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>> (where cert.pem has the LDAPS cert)
>>>
>>> Add java option
>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>> To
>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>
>>> Where it invokes java command like the following
>>>
>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>
>>>
>>> But I'm unable to sync LDAP contacts in Ranger due to certificate
>>> validation issues. Following are the logs
>>>
>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>     ... 14 more
>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>     ... 27 more
>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>     ... 33 more
>>>
>>> And following is the output of nohup command:
>>>
>>> Host key verification failed.
>>>
>>> Can someone please help me figure out the issue?
>>>
>>
>>
>
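
An added example, not part of the thread and not Ranger code: a check that the certificate the LDAPS server presents is byte-identical to an entry in the copied truststore, which is what importing the server's own cert.pem relies on. It assumes the store is in JKS format (as the JDK 7 cacerts file is); all function names are hypothetical, the sample store is constructed, and a store that trusts the issuing CA instead would validate without a byte match.

```python
import base64, hashlib, struct

JKS_MAGIC = 0xFEEDFEED  # JDK 7 cacerts is JKS; PKCS12 stores need a different parser

def pem_to_der(pem):
    """Decode the first PEM certificate block to DER bytes."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))

def jks_trusted_certs(blob):
    """Return {alias: SHA-256 hex of the stored cert} for each trustedCertEntry."""
    magic, version, count = struct.unpack_from(">III", blob, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    pos, found = 12, {}
    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        pos += n
        return chunk
    def utf():  # Java writeUTF: 2-byte length, then the bytes
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")
    def cert():
        if version == 2:
            utf()  # certificate type string, e.g. "X.509"
        return take(struct.unpack(">I", take(4))[0])
    for _ in range(count):
        tag, alias = struct.unpack(">I", take(4))[0], utf()
        take(8)  # creation timestamp
        if tag == 1:  # private-key entry: skip the key blob and its chain
            take(struct.unpack(">I", take(4))[0])
            for _ in range(struct.unpack(">I", take(4))[0]):
                cert()
        elif tag == 2:
            found[alias] = hashlib.sha256(cert()).hexdigest()
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return found

def aliases_matching(blob, server_pem):
    """Aliases whose stored cert is byte-identical to the cert the server presents."""
    want = hashlib.sha256(pem_to_der(server_pem)).hexdigest()
    return sorted(a for a, fp in jks_trusted_certs(blob).items() if fp == want)

def sample_jks(alias, der):
    """Constructed one-entry version-2 JKS; `der` is placeholder bytes, digest zeroed."""
    u = lambda s: struct.pack(">H", len(s)) + s.encode()
    return (struct.pack(">IIII", JKS_MAGIC, 2, 1, 2) + u(alias) + bytes(8)
            + u("X.509") + struct.pack(">I", len(der)) + der + bytes(20))
```

Against a real store, read the file given to `-Djavax.net.ssl.trustStore` in binary mode and pass the PEM returned by `ssl.get_server_certificate(("platalytics.com", 636))`; an empty result means the imported certificate is not the one the server is presenting now.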