Since the error is on the usersync side, the problem could be in accessing either the usersync key store or trust store. Please verify the below.

1] usersync is using the right key store. Key password and Store password have to be the same.
2] usersync is using the right trust store. If not using the default truststore, add the -Djavax.net.ssl.trustStore= option in the ranger-usersync-services.sh script.
3] Ranger admin's cert is available in the trust store used by usersync.
4] Permissions are correct for the keystore/truststore files.


From: Lune Silver <lunescar.ran...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, May 11, 2016 at 11:59 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Problem setting up the SSL for Ranger usersync

Hello!

I enabled the SSL for ranger admin successfully, but now I have a problem setting up the SSL for usersync.

I followed the following doc:
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/configure_ambari_ranger_ssl_self_signed_cert_usersync.html

But unfortunately, I still have one problem in the usersync log:
###
11 May 2016 14:20:29  INFO UnixAuthenticationService [main] - Starting User Sync Service!
11 May 2016 14:20:29  INFO UnixAuthenticationService [main] - Enabling Unix Auth Service!
11 May 2016 14:20:30  INFO UserGroupSync [UnixUserSyncThread] - initializing sink: org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder
11 May 2016 14:20:30 ERROR UserGroupSync [UnixUserSyncThread] - Failed to initialize UserGroup source/sink. Will retry after 60000 milliseconds. Error details:
java.lang.RuntimeException: Unable to create SSLConext for communication to policy manager
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getClient(PolicyMgrUserGroupBuilder.java:729)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:335)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:156)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:152)
        at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1214)
        at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getClient(PolicyMgrUserGroupBuilder.java:706)
        ... 5 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
        ... 8 more
###

The error is clear enough, there is a problem with a password, but which one?

I set up a password PWD1 for the keystore of ranger admin.
I used the same password PWD1 for the alias rangeradmin in the keystore of ranger admin.

I set up a different password PWD2 for the keystore of usersync.
I set up a different password PWD3 for the truststore of usersync.
I set up a specific password PWD4 for ranger local admin.
And I set up a different password for the Ranger Admin username for Ambari.

Do you know which password is concerned by this error message, please?

BR.

Lune.
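
Checks 1] and 4] from the reply at the top of this thread, as an added example that is not part of the original messages or of Ranger's own code: a small Java diagnostic that tells a wrong store password apart from a wrong key password, a missing alias and an unreadable file. `KeyStore.load` verifies the store password, which is the call the stack trace above fails in. The class name `KeystoreCheck` and its verdict strings are hypothetical, and `main` runs on a constructed empty JKS file whose passwords only echo the PWD2/PWD3 labels from the question.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

// Added diagnostic; class name and verdict strings are hypothetical, not Ranger code.
public class KeystoreCheck {
    // alias and keyPass may be null (e.g. for a truststore): only the store is checked.
    static String check(Path file, char[] storePass, String alias, char[] keyPass) {
        if (!Files.isReadable(file)) return "NOT READABLE: check path and file permissions";
        KeyStore ks;
        try (InputStream in = Files.newInputStream(file)) {
            ks = KeyStore.getInstance("JKS");
            ks.load(in, storePass); // integrity check uses the STORE password
        } catch (IOException e) {
            // JKS reports a bad store password as IOException caused by UnrecoverableKeyException
            return e.getCause() instanceof UnrecoverableKeyException
                    ? "WRONG STORE PASSWORD" : "CORRUPT OR NOT JKS: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "LOAD FAILED: " + e;
        }
        if (alias == null) return "OK";
        try {
            if (!ks.containsAlias(alias)) return "ALIAS NOT FOUND: " + alias;
            if (ks.isKeyEntry(alias)) ks.getKey(alias, keyPass); // uses the KEY password
            return "OK";
        } catch (UnrecoverableKeyException e) {
            return "WRONG KEY PASSWORD for alias " + alias;
        } catch (GeneralSecurityException e) {
            return "ENTRY CHECK FAILED: " + e;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS file written with one password.
        Path tmp = Files.createTempFile("usersync-demo", ".jks");
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(tmp)) {
            empty.store(out, "PWD2".toCharArray());
        }
        System.out.println("right store password: " + check(tmp, "PWD2".toCharArray(), null, null));
        System.out.println("other store password: " + check(tmp, "PWD3".toCharArray(), null, null));
        Files.delete(tmp);
    }
}
```

To use it on real files, call `check` with the usersync keystore path, its store password, the key alias and the key password, and pass null for the alias when checking a truststore.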
