accumulo-user mailing list archives

From pundu tech <pundut...@gmail.com>
Subject Re: Failed to find an available server in the list of servers
Date Thu, 16 Jul 2015 03:05:00 GMT
Josh,
I had missed this email from you before.

So I have done as you suggested.  Let me summarize what I have done.

1- Followed
https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
I have a master node (master) and 4 slaves (slave1, slave2, slave3, slave4).
I have created certificates for the 5 nodes and I have also created a
certificate for a client which is sitting in slave1.
2- Since I am running the shell from slave1 I have created a client.conf
file which I pass to the shell via the --config-file parameter.

INSTANCE_NAME=comet
INSTANCE_RPC_SSL_ENABLED=true
INSTANCE_RPC_SSL_CLIENT_AUTH=true
INSTANCE_ZK_HOST=slave1,slave2,slave3,slave4
# the truststore is the same along all the nodes since it stores the pub key of the CA
RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/truststore.jks
RPC_SSL_TRUSTSTORE_TYPE=JKS
RPC_SSL_TRUSTSTORE_PASSWORD=accumuloAuth
RPC_SSL_KEYSTORE_PATH=/home/hadoop/accumulo-1.7.0/conf/clientSSL/client.jks
RPC_SSL_KEYSTORE_TYPE=JKS
RPC_SSL_KEYSTORE_PASSWORD=mypass

3-I run the shell with --debug and this is what I get:

2015-07-15 22:53:06,380 [impl.ThriftTransportPool] DEBUG: Failed to connect to ssl:slave1:9997 (120000)
org.apache.thrift.transport.TTransportException: Error creating the transport
    at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:371)
    at org.apache.accumulo.core.rpc.ThriftUtil.createClientTransport(ThriftUtil.java:248)
    at org.apache.accumulo.core.client.impl.ThriftTransportPool.createNewTransport(ThriftTransportPool.java:478)
    at org.apache.accumulo.core.client.impl.ThriftTransportPool.getAnyTransport(ThriftTransportPool.java:466)
    at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:141)
    at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:117)
    at org.apache.accumulo.core.client.impl.ServerClient.getConnection(ServerClient.java:113)
    at org.apache.accumulo.core.client.impl.ServerClient.executeRaw(ServerClient.java:95)
    at org.apache.accumulo.core.client.impl.ServerClient.execute(ServerClient.java:61)
    at org.apache.accumulo.core.client.impl.ConnectorImpl.<init>(ConnectorImpl.java:67)
    at org.apache.accumulo.core.client.ZooKeeperInstance.getConnector(ZooKeeperInstance.java:248)
    at org.apache.accumulo.shell.Shell.config(Shell.java:362)
    at org.apache.accumulo.shell.Shell.execute(Shell.java:571)
    at org.apache.accumulo.start.Main$1.run(Main.java:93)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1214)
    at org.apache.accumulo.core.rpc.ThriftUtil.createSSLContext(ThriftUtil.java:348)
    ... 14 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)

This error repeats for every slave.
I have tested the password for every keystore and truststore file in the
cluster and it is correct--it is the same everywhere.  I am very positive
about this at this point.  Do you have any suggestion on what else could be
wrong?

I appreciate your help. I am stuck!

pundutech

On Tue, Jul 7, 2015 at 2:56 PM, Josh Elser <josh.elser@gmail.com> wrote:

> Pundu,
>
> The password to use would be the "root" user's password that you set when
> calling `accumulo init`. A limitation of the SSL approach is that it only
> sets up a secure RPC, it isn't a "complete" security implementation
> (as you might get with Kerberos in 1.7).
>
> Sadly, the error messages for SSL are very sparse when the client fails to
> negotiate the handshake with a server. With the Accumulo shell, you can try
> passing in the --debug option to get more information.
>
> Alternatively, try turning up org.apache.accumulo.core.client to DEBUG or
> TRACE in $ACCUMULO_CONF_DIR/log4j.properties.
>
> - Josh
>
>
> pundu tech wrote:
>
>> I have a SSL enabled-accumulo setup.
>>
>> I have followed:
>>
>> https://blogs.apache.org/accumulo/entry/generating_keystores_for_configuring_accumulo
>>   to the teeth and as far as my understanding goes on SSL it is all
>> correct.
>>
>> I have created a $ACCUMULO_HOME/conf/client.conf with the following
>> properties
>>
>> INSTANCE_NAME=accumulo
>>
>> INSTANCE_RPC_SSL_ENABLED=true
>>
>> NSTANCE_RPC_SSL_CLIENT_AUTH=true
>>
>> INSTANCE_ZK_HOST=host1
>>
>> RPC_SSL_TRUSTSTORE_PATH=/home/hadoop/truststore.jks
>>
>> RPC_SSL_TRUSTSTORE_TYPE=JKS
>>
>> RPC_SSL_TRUSTSTORE_PASSWORD=mypass
>>
>> RPC_SSL_KEYSTORE_PATH=/home/hadoop/server.jks
>>
>> RPC_SSL_KEYSTORE_TYPE=JKS
>>
>> RPC_SSL_KEYSTORE_PASSWORD=mypass
>>
>>
>> but when I try to connect via shell I am prompted for a password. Which
>> password is this? It does not seem to be the tracer password (which user
>> is "root").
>>
>> ./accumulo shell -u root
>>
>> /usr/local/zookeeper-3.4.6
>>
>> /usr/local/jdk1.7.0_79
>>
>> Password:   ----> ?
>>
>>
>> Thanks
>>
>> pundu tech
>>
>>
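
Added example (not part of the original thread and not Accumulo or JDK code): the "Keystore was tampered with, or password was incorrect" exception in the trace above is what the JKS loader reports when the 20-byte SHA-1 digest at the end of the store file does not match the one recomputed from the supplied password. This Python script repeats that check for the stores named in a client.conf, using the config keys as written in the message; the helper names, sample paths, passwords and the in-memory store files are constructed.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS provider mixes into the digest

def jks_digest(password: str, body: bytes) -> bytes:
    # SHA-1 over the password as UTF-16BE, the fixed string, then the store body
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def check_jks(data: bytes, password: str) -> str:
    # Classify a store file by its header and trailing 20-byte digest
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"          # other store type, or truncated file
    if jks_digest(password, data[:-20]) != data[-20:]:
        return "digest-mismatch"  # "tampered with, or password was incorrect"
    return "ok"

def parse_client_conf(text: str) -> dict:
    # KEY=VALUE lines; blank lines and # comments are skipped
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_conf(text: str, read_file) -> dict:
    # Check the truststore and keystore named in the config with its passwords
    conf = parse_client_conf(text)
    return {kind: check_jks(read_file(conf[f"RPC_SSL_{kind}_PATH"]),
                            conf[f"RPC_SSL_{kind}_PASSWORD"])
            for kind in ("TRUSTSTORE", "KEYSTORE")}

def make_empty_jks(password: str) -> bytes:
    # Constructed sample: magic, version 2, zero entries, then the digest
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)

# Constructed sample input: paths and passwords are placeholders
SAMPLE_CONF = """\
RPC_SSL_TRUSTSTORE_PATH=/example/truststore.jks
RPC_SSL_TRUSTSTORE_PASSWORD=trust-pass
RPC_SSL_KEYSTORE_PATH=/example/client.jks
RPC_SSL_KEYSTORE_PASSWORD=key-pass
"""
SAMPLE_FILES = {"/example/truststore.jks": make_empty_jks("trust-pass"),
                "/example/client.jks": make_empty_jks("other-pass")}

if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF, SAMPLE_FILES.__getitem__))
```

Against real files, pass `lambda p: open(p, "rb").read()` as `read_file` and the text of the client.conf the shell is actually given; a "digest-mismatch" for a store whose password is known to be correct means the bytes on disk differ from what was written when the store was created.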
