[
https://issues.apache.org/jira/browse/HADOOP-15473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16477789#comment-16477789
]
Philip Zeyliger commented on HADOOP-15473:
------------------------------------------
In dealing with the fallout of this in Impala, I was able to edit the KMS
"init" script to add the relevant {{-D}} option. The change is at
[https://gerrit.cloudera.org/#/c/10418/1/testdata/cluster/node_templates/cdh6/etc/init.d/kms]
if you're interested.
Do we need to actually expose this to our (Hadoop's) users? i.e., the only
possible use of this API within a KMS process is
{{org.apache.hadoop.crypto.key.JavaKeyStoreProvider}}, so could we just set
this explicitly at start-up (either via the shell scripts or programmatically),
and avoid exposing it to the users?
(Or does a client use this API, or perhaps we have enough plugins that we need
to be more careful?)
> Configure serialFilter to avoid UnrecoverableKeyException caused by
> JDK-8189997
> -------------------------------------------------------------------------------
>
> Key: HADOOP-15473
> URL: https://issues.apache.org/jira/browse/HADOOP-15473
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.7.6, 3.0.2
> Environment: JDK 8u171
> Reporter: Gabor Bota
> Assignee: Gabor Bota
> Priority: Critical
> Attachments: HDFS-13494.001.patch, HDFS-13494.002.patch,
> HDFS-13494.003.patch, org.apache.hadoop.crypto.key.TestKeyProviderFactory.txt
>
>
> There is a new feature in JDK 8u171 called Enhanced KeyStore Mechanisms
> (http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html#JDK-8189997).
> This is the cause of the following errors in the TestKeyProviderFactory:
> {noformat}
> Caused by: java.security.UnrecoverableKeyException: Rejected by the
> jceks.key.serialFilter or jdk.serialFilter property
> at com.sun.crypto.provider.KeyProtector.unseal(KeyProtector.java:352)
> at
> com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:136)
> at java.security.KeyStore.getKey(KeyStore.java:1023)
> at
> org.apache.hadoop.crypto.key.JavaKeyStoreProvider.getMetadata(JavaKeyStoreProvider.java:410)
> ... 28 more
> {noformat}
> This issue causes errors and failures in hbase tests right now (using hdfs)
> and could affect other products running on this new Java version.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
