ambari-dev mailing list archives

From Sandy <sandy.wad...@gmail.com>
Subject Facing issues in enabling two way ssl in ambari for server-agent communication
Date Mon, 13 Nov 2017 14:54:32 GMT
We are trying to set up security in server-agent communication using the
instructions provided in this article:

https://community.hortonworks.com/articles/107092/configure-2-way-ssl-between-ambari-server-and-amba.html

Here are the things I've done:
1. Obtained certificates from a CA for both server and agent machines.
2. Placed them in the corresponding directories on both server and agent.
3. When we try to manually verify authentication using the following command, two-way SSL seems to be working (openssl s_client -cert agent-hostname.crt -key agent-hostname.key -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441 -msg). Detailed logs below.
4. But the Ambari agent throws the following error:

INFO 2017-11-13 14:36:43,411 NetUtil.py:70 - Connecting to https://server-hostname:8440/connection_info
INFO 2017-11-13 14:36:43,426 security.py:55 - Server require two-way SSL authentication. Use it instead of one-way...
INFO 2017-11-13 14:36:43,426 security.py:183 - Server certicate exists, ok
INFO 2017-11-13 14:36:43,426 security.py:191 - Agent key exists, ok
INFO 2017-11-13 14:36:43,427 security.py:199 - Agent certificate exists, ok
INFO 2017-11-13 14:36:43,427 security.py:94 - SSL Connect being called.. connecting to the server
ERROR 2017-11-13 14:36:43,432 security.py:81 - Two-way SSL authentication failed. Ensure that server and agent certificates were signed by the same CA and restart the agent.
In order to receive a new agent certificate, remove existing certificate file from keys directory. As a workaround you can turn off two-way SSL authentication in server configuration(ambari.properties)
Exiting..
ERROR 2017-11-13 14:36:43,432 Controller.py:226 - Unable to connect to: https://server-hostname:8441/agent/v1/register/agent-hostname
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 175, in registerWithServer
    ret = self.sendRequest(self.registerUrl, data)
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 549, in sendRequest
    raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
IOError: Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
ERROR 2017-11-13 14:36:43,433 Controller.py:227 - Error:Request to https://server-hostname:8441/agent/v1/register/agent-hostname failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
WARNING 2017-11-13 14:36:43,433 Controller.py:228 -  Sleeping for 11 seconds and then trying again


Can someone help?

-bash-4.1$ openssl s_client -cert agent-hostname.crt -key agent-hostname.key -CAfile /var/lib/ambari-agent/keys/ca.crt -connect server-hostname:8441 -msg
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 00f2], ClientHello
...
<<< TLS 1.2 Handshake [length 0051], ServerHello
...
<<< TLS 1.2 Handshake [length 0524], Certificate
...
verify return:1
<<< TLS 1.2 Handshake [length 0191], ServerKeyExchange
...
<<< TLS 1.2 Handshake [length 00d2], CertificateRequest
...
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
>>> TLS 1.2 Handshake [length 0fe2], Certificate
...
>>> TLS 1.2 Handshake [length 008a], ClientKeyExchange
...
>>> TLS 1.2 Handshake [length 0108], CertificateVerify
...
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
>>> TLS 1.2 Handshake [length 0010], Finished
---
Certificate chain
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
---
Acceptable client certificate CA names
---
SSL handshake has read 2017 bytes and written 4534 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A09AF66C19A54A200221F9EFACC20642DBDCCE50099EE6836FDA0B4ECE33EF6
    Session-ID-ctx:
    Master-Key: F4BD9CEA03E292AC4DC696B46E3CD1348BD954C300FAE6A07697507937B422187B51FB0814B20CFBCAFD21A65B30BEBC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1510584166
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
-bash-4.1$

-- 
Sandeep Kumar,
 Mobile +91-9866507368

“Happiness is not a destination, It is the journey”
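The s_client output above ends with Verify return code 0, which only shows that the agent side trusts the server's certificate; the agent's error is about the other direction, the server accepting the agent's client certificate, and its message asks that both certificates be signed by the same CA. The script below is an added diagnostic, not code from the original post or from Ambari, that checks exactly that: it verifies a server certificate and an agent certificate against one ca.crt with openssl verify. The file paths and the throwaway test PKI it builds under mktemp are assumptions; on a real agent the inputs would be the files under /var/lib/ambari-agent/keys/.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from Ambari): confirm that
# a server certificate and an agent certificate both chain to the CA in the
# agent's ca.crt, the condition named in the agent's "Two-way SSL
# authentication failed" message. Paths are assumptions; on a real agent they
# would point under /var/lib/ambari-agent/keys/.
set -u

# check_same_ca <ca.crt> <cert>...  -> 0 if every cert verifies against ca.crt
check_same_ca() {
  ca="$1"; rc=0
  shift
  for crt in "$@"; do
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
      echo "OK   $crt chains to $(openssl x509 -noout -subject -in "$ca")"
    else
      echo "FAIL $crt does not verify against $ca"; rc=1
    fi
  done
  return "$rc"
}

# Constructed test PKI helpers (demo only): a self-signed CA and leaf certs.
make_ca() {  # make_ca <dir> <name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
issue_cert() {  # issue_cert <dir> <ca-name> <leaf-name>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.crt" \
    -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

# demo: one agent cert from the same CA as the server, one from a different CA.
demo() {
  d=$(mktemp -d)
  make_ca "$d" ca && make_ca "$d" other-ca
  issue_cert "$d" ca server && issue_cert "$d" ca agent-good
  issue_cert "$d" other-ca agent-bad
  check_same_ca "$d/ca.crt" "$d/server.crt" "$d/agent-good.crt"   # both OK
  check_same_ca "$d/ca.crt" "$d/server.crt" "$d/agent-bad.crt"    # agent FAIL
}

# Run as:  sh check_ca.sh demo   (or source the file and call check_same_ca)
case "${1:-}" in demo) demo ;; esac
```

A FAIL for the agent certificate means the server will reject the client certificate in the CertificateRequest step regardless of what s_client reports about the server's own certificate.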
