Is there any issue with JAVA keystore?

On Fri, Oct 2, 2015 at 9:59 AM, Aneela Saleem <ane...@platalytics.com> wrote:

> Yes, the following command works fine
>
> ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps://platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'
>
> On Thu, Oct 1, 2015 at 7:35 PM, Don Bosco Durai <bo...@apache.org> wrote:
>
>> It is surprising that it will just stop working. Are you able to do ldapsearch from command line? Just to make sure there is nothing wrong on the OpenLDAP side?
>>
>> Thanks
>>
>> Bosco
>>
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Reply-To: <user@ranger.incubator.apache.org>
>> Date: Thursday, October 1, 2015 at 11:55 PM
>> To: <user@ranger.incubator.apache.org>
>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>
>> I also checked it on another machine. Same issue is there.
>>
>> On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>
>>> I guess no JDK changes. And I re-checked the certificate, in fact generated a new one. Still same issue.
>>>
>>> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <dilli.do...@gmail.com> wrote:
>>>
>>>> Aneela,
>>>> Please check whether the certificate has expired.
>>>> Dilli
>>>>
>>>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>>>
>>>>> Any other changes you can think of? JDK changes, etc.?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bosco
>>>>>
>>>>>
>>>>> From: Aneela Saleem <ane...@platalytics.com>
>>>>> Reply-To: <user@ranger.incubator.apache.org>
>>>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>>>> To: <user@ranger.incubator.apache.org>
>>>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>>>
>>>>> It was working fine one month ago. But now the same issue has occurred.
>>>>>
>>>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <ane...@platalytics.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I followed all the following steps i.e.,
>>>>>>
>>>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>>
>>>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> (where cert.pem has the LDAPS cert)
>>>>>>
>>>>>> Add java option
>>>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>>> To
>>>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>>>
>>>>>> Where it invokes java command like the following
>>>>>>
>>>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>>>
>>>>>>
>>>>>> But I'm unable to sync LDAP contacts in Ranger due to certificate validation issues. Following are the logs
>>>>>>
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>>>     ... 14 more
>>>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>>>     ... 27 more
>>>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>>>     ... 33 more
>>>>>>
>>>>>> And following is the output of the nohup command:
>>>>>>
>>>>>> Host key verification failed.
>>>>>>
>>>>>> Can someone please help me figure out the issue?
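A diagnostic for the situation in this thread, added here as an example and not code from the thread or from Ranger: it loads the usersync truststore directly (so the result does not depend on the JVM having picked up `-Djavax.net.ssl.trustStore` from the start script), prints the chain the LDAPS server actually presents and whether each certificate is literally present in the store, and then runs the same PKIX validation the JNDI LDAP client performs. The class name, the argument order and the store-password argument are assumptions; note that a successful `ldapsearch` does not exercise the Java store at all, since the OpenLDAP client takes its CA configuration from its own ldap.conf.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Hypothetical diagnostic. Usage: java LdapsTrustCheck <host> <port> <truststore> <storepass>
// e.g. java LdapsTrustCheck platalytics.com 636 /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts changeit
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        // Load the truststore explicitly, so the outcome does not depend on whether
        // the JVM actually honoured -Djavax.net.ssl.trustStore from the start script.
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) {
            ks.load(in, args[3].toCharArray());
        }
        System.out.println("Loaded " + ks.size() + " entries from " + args[2]);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];

        // Wrap the real PKIX trust manager: report the chain the server sends, then run
        // the same validation the JNDI LDAP client performs (nothing is bypassed).
        X509TrustManager reporting = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                pkix.checkClientTrusted(chain, auth);
            }
            public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
                System.out.println("Server presented " + chain.length + " certificate(s):");
                for (X509Certificate c : chain) {
                    String alias;   // non-null only if this exact certificate is an entry in the store
                    try { alias = ks.getCertificateAlias(c); } catch (java.security.KeyStoreException e) { alias = null; }
                    System.out.println("  subject=" + c.getSubjectX500Principal().getName()
                        + "  issuer=" + c.getIssuerX500Principal().getName() + "  notAfter=" + c.getNotAfter()
                        + "  " + (alias == null ? "NOT in truststore" : "in truststore as '" + alias + "'"));
                }
                pkix.checkServerTrusted(chain, auth);
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { reporting }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            sock.startHandshake();   // exercises PKIX path building; hostname matching is not checked here
            System.out.println("Handshake OK with " + sock.getSession().getProtocol());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
    }
}
```

If the presented chain ends in an issuer certificate that is reported as not in the store while the imported leaf is, the store holds the wrong certificate for path building; the notAfter value can be compared directly with the timestamp in the usersync log.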