I also checked it on another machine. Same issue is there.

On Thu, Oct 1, 2015 at 10:03 PM, Aneela Saleem <[email protected]> wrote:
> I guess no JDK changes. And I re-checked the certificate, in fact generated a
> new one. Still same issue.
>
> On Thu, Oct 1, 2015 at 6:16 PM, Dilli Dorai <[email protected]> wrote:
>
>> Aneela,
>> Please check whether the certificate has expired.
>> Dilli
>>
>> On Wed, Sep 30, 2015 at 4:28 PM, Don Bosco Durai <[email protected]> wrote:
>>
>>> Any other changes you can think of? JDK changes, etc.?
>>>
>>> Thanks
>>>
>>> Bosco
>>>
>>> From: Aneela Saleem <[email protected]>
>>> Reply-To: <[email protected]>
>>> Date: Wednesday, September 30, 2015 at 9:37 PM
>>> To: <[email protected]>
>>> Subject: Re: Issues with usersync (LDAPS certificate not validated)
>>>
>>> It was working fine one month ago. But now the same issue has occurred.
>>>
>>> On Wed, Sep 30, 2015 at 2:55 PM, Aneela Saleem <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I followed all the following steps i.e.,
>>>>
>>>> cp /etc/alternatives/java_sdk_1.7.0/jre/lib/security/cacerts /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>>
>>>> keytool -import -trustcacerts -alias openLdap -file cert.pem -keystore /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>> (where cert.pem has the LDAPS cert)
>>>>
>>>> Add java option
>>>> -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts
>>>> To
>>>> /usr/hdp/2.2.0.0-2036/ranger-usersync/ranger-usersync-services.sh
>>>>
>>>> Where it invokes java command like the following
>>>>
>>>> nohup java -Djavax.net.ssl.trustStore=/usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts . . .
>>>>
>>>> But I'm unable to sync LDAP contacts in Ranger due to certificates validation issues. Following are the logs
>>>>
>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Starting User Sync Service!
>>>> 30 Sep 2015 14:48:56 INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
>>>> 30 Sep 2015 14:48:56 INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
>>>> 30 Sep 2015 14:48:57 WARN NativeCodeLoader [main] - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [SSLv2Hello]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.1]
>>>> 30 Sep 2015 14:48:58 INFO UnixAuthenticationService [main] - Enabling Protocol: [TLSv1.2]
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder created
>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - initializing source: org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder
>>>> 30 Sep 2015 14:48:58 INFO UserGroupSync [UnixUserSyncThread] - Begin: initial load of user/group from source==>sink
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder updateSink started
>>>> 30 Sep 2015 14:48:58 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LdapUserGroupBuilder initialization started
>>>> 30 Sep 2015 14:48:58 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 21600000 milliseconds. Error details:
>>>> javax.naming.CommunicationException: simple bind failed: platalytics.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
>>>>     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
>>>>     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
>>>>     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
>>>>     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
>>>>     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
>>>>     at javax.naming.InitialContext.init(InitialContext.java:242)
>>>>     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.createLdapContext(LdapUserGroupBuilder.java:149)
>>>>     at org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder.updateSink(LdapUserGroupBuilder.java:261)
>>>>     at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:58)
>>>>     at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
>>>>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
>>>>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
>>>>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
>>>>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
>>>>     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
>>>>     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
>>>>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
>>>>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
>>>>     at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
>>>>     at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
>>>>     at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
>>>>     ... 14 more
>>>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>>>>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>>>     at sun.security.validator.Validator.validate(Validator.java:260)
>>>>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
>>>>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
>>>>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
>>>>     ... 27 more
>>>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>>>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>>>>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>>>>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>>>>     ... 33 more
>>>>
>>>> And following is the output of nohup command:
>>>>
>>>> Host key verification failed.
>>>>
>>>> Can someone please help me figure out the issue?
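
One way to check the truststore setup described in this thread, as an added example that is not part of the original messages: it compares the certificate the LDAPS server presents with the entry stored under the imported alias and prints the served certificate's expiry date. It assumes `openssl` and `keytool` are on the PATH and that the truststore still uses the JDK default password `changeit`; the function names are made up for this example.

```bash
#!/bin/sh
# Added example (not from the thread). Assumptions: openssl and keytool are
# on PATH; the truststore password is the JDK default "changeit" unless given.

# Reduce an "openssl x509 -fingerprint" line to bare lowercase hex.
fp_norm() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# True only when both fingerprints are non-empty and identical.
same_cert() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(fp_norm "$1")" = "$(fp_norm "$2")" ]
}

# usage: check_trust HOST:PORT KEYSTORE ALIAS [STOREPASS]
check_trust() {
    target=$1; store=$2; entry=$3; pass=${4:-changeit}

    # Leaf certificate the server actually presents during the TLS handshake.
    leaf=$(openssl s_client -connect "$target" </dev/null 2>/dev/null \
           | openssl x509 2>/dev/null)
    if [ -z "$leaf" ]; then echo "no certificate received from $target"; return 2; fi

    printf '%s\n' "$leaf" | openssl x509 -noout -subject -issuer -enddate
    if ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "served certificate has expired"
    fi
    served=$(printf '%s\n' "$leaf" | openssl x509 -noout -fingerprint -sha256)

    # Certificate stored under the alias, exported as PEM so that both sides
    # are fingerprinted by the same tool.
    stored=$(keytool -exportcert -rfc -alias "$entry" -keystore "$store" \
                 -storepass "$pass" 2>/dev/null \
             | openssl x509 -noout -fingerprint -sha256 2>/dev/null)

    if same_cert "$served" "$stored"; then
        echo "MATCH: alias '$entry' holds the certificate $target presents"
    else
        echo "MISMATCH: alias '$entry' is missing or holds a different certificate"
        return 1
    fi
}

# Runs only when called with arguments, e.g.:
#   sh check_trust.sh platalytics.com:636 \
#      /usr/hdp/2.2.0.0-2036/ranger-usersync/userSyncCAcerts openLdap
if [ "$#" -ge 3 ]; then
    check_trust "$@"
fi
```

A mismatch is expected when the truststore holds the issuing CA rather than the server certificate itself; in that case compare the printed issuer line against the CA entries in the truststore instead.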
