hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9977) Hadoop services won't start with different keypass and keystorepass when https is enabled
Date Thu, 19 Sep 2013 21:31:53 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13772344#comment-13772344
] 

Chris Nauroth commented on HADOOP-9977:
---------------------------------------

The root cause is that {{FileBasedKeyStoresFactory}} does not honor the value of {{ssl.server.keystore.keypassword}}
configured in ssl-server.xml.  Instead, it uses the value of {{ssl.server.keystore.password}}
as both the keystore password and key retrieval password.  I have a patch in progress to fix
this.

My plan is to continue using the value of {{ssl.server.keystore.password}} as the default
if {{ssl.server.keystore.keypassword}} is not configured.  This is for backwards-compatibility
in case any existing deployments had been omitting keypassword and relying on the old behavior.
                
> Hadoop services won't start with different keypass and keystorepass when https is enabled
> -----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9977
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9977
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.1.0-beta
>            Reporter: Yesha Vora
>            Assignee: Chris Nauroth
>
> Enable ssl in the configuration. While creating keystore, give different keypass and
keystore password. (here, keypass = hadoop and storepass=hadoopKey)
> keytool -genkey -alias host1 -keyalg RSA -keysize 1024 -dname "CN=host1,OU=cm,O=cm,L=san
jose,ST=ca,C=us" -keypass hadoop -keystore keystore.jks -storepass hadoopKey
> In , ssl-server.xml set below two properties.
> <property><name>ssl.server.keystore.keypassword</name><value>hadoop</value></property>
> <property><name>ssl.server.keystore.password</name><value>hadoopKey</value></property>
> Namenode, ResourceManager, Datanode, Nodemanager, SecondaryNamenode fails to start with
below error.
> 2013-09-17 21:39:00,794 FATAL namenode.NameNode (NameNode.java:main(1325)) - Exception
in namenode join
> java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
>         at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:222)
>         at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:174)
>         at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer$1.<init>(NameNodeHttpServer.java:76)
>         at org.apache.hadoop.hdfs.server.namenode.NameNodeHttpServer.start(NameNodeHttpServer.java:74)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.startHttpServer(NameNode.java:626)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:488)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:684)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:669)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1254)
>         at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1320)
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>         at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
>         at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
>         at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
>         at java.security.KeyStore.getKey(KeyStore.java:792)
>         at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
>         at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
>         at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)
>         at org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory.init(FileBasedKeyStoresFactory.java:170)
>         at org.apache.hadoop.security.ssl.SSLFactory.init(SSLFactory.java:121)
>         at org.apache.hadoop.http.HttpServer.<init>(HttpServer.java:220)
>         ... 9 more

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message