[ https://issues.apache.org/jira/browse/YARN-10291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17116823#comment-17116823 ]

Eric Yang commented on YARN-10291:
----------------------------------

[~BilwaST] Have you tried to install the CA certificate into the Java cacerts trust 
store or use -Djavax.net.ssl.trustStore= to define the trust store path?  
Additional code to set up the trust store shouldn't be necessary.  Most of the TLS 
verification can fall back to the JVM default implementation without override.  The 
odd ends of Hadoop SSL have an odd implementation of SSL support, which does 
not have reliable accepted issuer validation.  This is one of the reasons that 
Jersey client was used to make Hadoop TLS support more like Java instead of 
continuing on the forked path of ignoring certificate signer validation.

Let me know if the Java cacerts option works.  It is good to have validation in this 
area.  Thanks

> Yarn service commands doesn't work when https is enabled in RM
> --------------------------------------------------------------
>
>                 Key: YARN-10291
>                 URL: https://issues.apache.org/jira/browse/YARN-10291
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Bilwa S T
>            Assignee: Bilwa S T
>            Priority: Major
>         Attachments: YARN-10291.001.patch
>
>
> when we submit application using command "yarn app -launch sleeper-service 
> ../share/hadoop/yarn/yarn-service-examples/sleeper/sleeper.json" , it throws 
> below exception 
> {code:java}
> com.sun.jersey.api.client.ClientHandlerException: 
> javax.net.ssl.SSLHandshakeException: 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> {code}
> We should use WebServiceClient#createClient as it takes care of setting 
> sslfactory when https is called.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
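
An added diagnostic, not part of the original message or of Hadoop: it performs a TLS handshake using only the JVM default trust store, so it shows whether the cacerts import or the -Djavax.net.ssl.trustStore= setting suggested above resolves the PKIX error without any extra trust store code. The class name `TrustStoreCheck` and the host and port arguments are assumptions; pass the RM's HTTPS host and port.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper (added example). It installs no custom TrustManager,
// so validation is exactly what the JVM default implementation does.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java [-Djavax.net.ssl.trustStore=<path>] TrustStoreCheck <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Report which trust store the JVM will consult for this run.
        String ts = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("trust store: " + (ts != null ? ts : "JVM default (cacerts)"));

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Enable hostname verification, as an HTTPS client would.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // throws if no valid path to a trusted issuer
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal());
            }
            System.out.println("OK: chain validates against this trust store");
        } catch (SSLHandshakeException e) {
            // Same failure class as in the report, e.g. "PKIX path building failed".
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it once without the property and once with it set makes it clear whether the failure is a missing issuer in the trust store or something else in the client path.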