Namenode fails to start with the error "jurisdiction policy files are not signed by a trusted signer"

Article ID: 295060

Products

Services Suite

Issue/Introduction

Symptoms:

The NameNode fails to start with the error message "jurisdiction policy files are not signed by a trusted signer".

2014-03-26 13:25:42,705 FATAL org.apache.hadoop.hdfs.server.namenode.NameNode: Exception in namenode join
java.io.IOException: Login failure for hdfs/[email protected] from keytab /etc/security/phd/keytab/hdfs.service.keytab
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:835)
        at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:283)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.loginAsNameNodeUser(NameNode.java:423)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:434)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:609)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.<init>(NameNode.java:594)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1169)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1235)
Caused by: javax.security.auth.login.LoginException: java.lang.ExceptionInInitializerError
        at javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
        at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2503)
        ..skipping..
        at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
        at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:86)
        ... 30 more
Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!
        at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:289)
        at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:316)
        ..skipping..
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:826)
        ... 7 more
2014-03-26 13:25:42,712 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
2014-03-26 13:25:42,720 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: SHUTDOWN_MSG:

Cause

In this case, JDK 1.7.0.51 is installed on all nodes in the cluster, while the JCE local policy files used for AES-256 Kerberos encryption are version 6. The JCE policy files must be in sync with the JDK version.

Resolution

Download the JCE jars (US_export_policy.jar and local_policy.jar) for the appropriate JDK version and upload them to the directory /usr/java/default/jre/lib/security on the cluster nodes.
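
A per-node check to run after replacing the jars, as an added example that is not part of the original article: it forces the same JCE policy load that fails in the NameNode log and reports whether AES-256 is permitted. The class name JcePolicyCheck and the exit codes are assumptions made for this example, and it assumes the JDK 7/8 directory layout.

```java
import java.io.File;
import javax.crypto.Cipher;

// Added example, not from the original article. Written against Java 7 syntax.
public class JcePolicyCheck {

    // 0: AES-256 allowed; 1: limited-strength policy active;
    // 2: JCE failed to initialize (the failure chain shown in the NameNode log).
    static int check() {
        String home = System.getProperty("java.home");
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + home);

        // Assumption: JDK 7/8 layout, where java.home is the jre directory and
        // the policy jars named in the article sit in lib/security below it.
        File dir = new File(new File(home, "lib"), "security");
        String[] jars = {"local_policy.jar", "US_export_policy.jar"};
        for (String name : jars) {
            File f = new File(dir, name);
            System.out.println(f + (f.isFile() ? " (" + f.length() + " bytes)" : " MISSING"));
        }

        try {
            // Goes through Cipher.getConfiguredPermission, the frame seen in the
            // log, which loads and verifies the jurisdiction policy jars.
            int max = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println("max AES key length = " + max);
            if (max < 256) {
                System.out.println("RESULT: limited policy, AES-256 keys will be rejected");
                return 1;
            }
            System.out.println("RESULT: OK");
            return 0;
        } catch (Throwable t) {
            // Print the whole cause chain so a SecurityException raised by
            // JarVerifier.verifyPolicySigned is visible if it is the root cause.
            for (Throwable c = t; c != null; c = c.getCause()) {
                System.out.println("  " + c.getClass().getName() + ": " + c.getMessage());
            }
            System.out.println("RESULT: JCE failed to initialize, check that the policy jars match this JDK");
            return 2;
        }
    }

    public static void main(String[] args) {
        System.exit(check());
    }
}
```

Compile it with javac and run it with the same java binary the NameNode uses, so that java.home resolves to the JRE whose lib/security directory was updated.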