We are trying to set up security in server-agent communication using the instructions provided in this article:
https://community.hortonworks.com/articles/107092/configure-2-way-ssl-between-ambari-server-and-amba.html

Here are the things I've done:

1. Obtained certificates from the CA for both server and agent machines.
2. Placed them in the corresponding directories on both server and agent.
3. When we try to manually verify authentication using the following command, two-way SSL seems to be working (detailed logs below):

   openssl s_client -cert agent-hostname.crt -key agent-hostname.key -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441 -msg

4. But the ambari agent throws the following error:

INFO 2017-11-13 14:36:43,411 NetUtil.py:70 - Connecting to https://server-hostname:8440/connection_info
INFO 2017-11-13 14:36:43,426 security.py:55 - Server require two-way SSL authentication. Use it instead of one-way...
INFO 2017-11-13 14:36:43,426 security.py:183 - Server certicate exists, ok
INFO 2017-11-13 14:36:43,426 security.py:191 - Agent key exists, ok
INFO 2017-11-13 14:36:43,427 security.py:199 - Agent certificate exists, ok
INFO 2017-11-13 14:36:43,427 security.py:94 - SSL Connect being called.. connecting to the server
ERROR 2017-11-13 14:36:43,432 security.py:81 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent. In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in server configuration(ambari.properties) Exiting..
ERROR 2017-11-13 14:36:43,432 Controller.py:226 - Unable to connect to: https://server-hostname:8441/agent/v1/register/agent-hostname
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
    ret = self.sendRequest(self.registerUrl, data)
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
    raise IOError('Request to {0} failed due to {1}'.format(url, str (exception)))
IOError: Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
ERROR 2017-11-13 14:36:43,433 Controller.py:227 - Error:Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
WARNING 2017-11-13 14:36:43,433 Controller.py:228 - Sleeping for 11 seconds and then trying again

Can someone help?

-bash-4.1$ openssl s_client -cert agent-hostname.crt -key agent-hostname.key -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441 -msg
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 00f2], ClientHello
...
<<< TLS 1.2 Handshake [length 0051], ServerHello
...
<<< TLS 1.2 Handshake [length 0524], Certificate
...
verify return:1
<<< TLS 1.2 Handshake [length 0191], ServerKeyExchange
...
<<< TLS 1.2 Handshake [length 00d2], CertificateRequest
...
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> TLS 1.2 Handshake [length 0fe2], Certificate
...
>>> TLS 1.2 Handshake [length 008a], ClientKeyExchange
...
>>> TLS 1.2 Handshake [length 0108], CertificateVerify
...
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
>>> TLS 1.2 Handshake [length 0010], Finished
---
Certificate chain
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
---
Acceptable client certificate CA names
---
SSL handshake has read 2017 bytes and written 4534 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A09AF66C19A54A200221F9EFACC20642DBDCCE50099EE6836FDA0B4ECE33EF6
    Session-ID-ctx:
    Master-Key: F4BD9CEA03E292AC4DC696B46E3CD1348BD954C300FAE6A07697507937B422187B51FB0814B20CFBCAFD21A65B30BEBC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1510584166
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
-bash-4.1$

--
Sandeep Kumar,
Mobile +91-9866507368
"Happiness is not a destination, It is the journey"
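The agent's error message asks for exactly one property: the server certificate and the agent certificate must chain to the same CA, and the server must trust that CA for client authentication. The following is an added example, not code from the post or from Ambari, that reproduces the two-way SSL handshake in process so the accepted and rejected cases can be compared side by side. It is written in Go because the standard library can build throwaway CAs and both ends of the connection offline; the CA names `cluster-ca` and `other-ca`, the host names `server-hostname` and `agent-hostname`, the loopback address, and the `registered` reply are all constructed for the demo and are not Ambari values. Both connections are pinned to TLS 1.2 to mirror the `openssl s_client -msg` trace above, and in both cases the agent trusts the server's CA, so the only difference between them is which CA signed the agent certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert builds one constructed, in-memory certificate (not a real Ambari CA or host cert). With
// parent == nil it is a self-signed CA; otherwise a leaf signed by parent (serverAuth or clientAuth EKU).
func mkCert(cn string, parent *tls.Certificate, server bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN for the demo server
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // agent cert
		if server {
			tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer plays the server role on a loopback port: it presents serverCert and admits
// only clients whose certificate chains to trustedCAs, which is what two-way SSL requires.
func startServer(serverCert tls.Certificate, trustedCAs *x509.CertPool) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: trustedCAs,
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12, // match the TLS 1.2 trace
	})
	must(err)
	go func() {
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() { // ends when ln closes
			// Write drives the handshake; a client cert outside trustedCAs gets an alert and a closed socket.
			go func(c net.Conn) { defer c.Close(); c.Write([]byte("registered")) }(conn)
		}
	}()
	return ln
}

// agentConnect plays the agent role: trusts serverCA, presents agentCert, returns the reply or the error.
func agentConnect(addr string, agentCert tls.Certificate, serverCA *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ // the full handshake completes inside Dial
		Certificates: []tls.Certificate{agentCert}, RootCAs: serverCA,
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn) // the server closes the connection after its reply
	return string(reply), err
}

// Demo runs both cases: an agent cert from the server's CA (accepted) and one from a different CA (rejected).
func Demo() (goodReply string, goodErr error, badErr error) {
	clusterCA, otherCA := mkCert("cluster-ca", nil, false), mkCert("other-ca", nil, false)
	trust := x509.NewCertPool() // the one CA that server and agent certificates must share
	trust.AddCert(clusterCA.Leaf)
	ln := startServer(mkCert("server-hostname", &clusterCA, true), trust)
	defer ln.Close()
	addr := ln.Addr().String()
	goodReply, goodErr = agentConnect(addr, mkCert("agent-hostname", &clusterCA, false), trust)
	_, badErr = agentConnect(addr, mkCert("agent-hostname", &otherCA, false), trust)
	return
}

func main() {
	reply, goodErr, badErr := Demo()
	fmt.Printf("same CA: reply=%q err=%v\ndifferent CA: err=%v\n", reply, goodErr, badErr)
}
```

Running it prints a successful `registered` reply for the shared-CA agent and a handshake error for the agent whose certificate was issued by `other-ca`: the server verifies the client certificate during the handshake and, on failure, sends an alert and closes the socket, which a client library may surface as an alert error or simply as an EOF. Two caveats when comparing this with the manual test in the post: `Verify return code: 0 (ok)` in `openssl s_client` is the client's verdict on the server certificate, not the server's verdict on the client certificate, and the agent runs on Python 2.6's `ssl` module, which is a different TLS stack from the `openssl` command line and need not negotiate the same protocol version or cipher suite.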
