PXF: javax.net.ssl.SSLHandshakeException: PKIX path building failed
search cancel

PXF: javax.net.ssl.SSLHandshakeException: PKIX path building failed

book

Article ID: 296470

calendar_today

Updated On:

Products

VMware Tanzu Greenplum

Issue/Introduction

When configuring PXF, you get the following error:

ERROR: remote component error (500) from '127.0.0.1:5888': type Exception report  message  javax.servlet.ServletException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  description  The server encountered an internal error that prevented it from fulfilling this request.  exception  javax.servlet.ServletException: javax.servlet.ServletException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (libchurl.c:946) (seg0 slice1 xxx.xxx.xxx.xxx:40000 pid=6904) (cdbdisp.c:254)

DETAIL: External table test_kevin, file pxf://user/kevin4/test.txt?PROFILE=hdfs:text

Make sure JAVA_HOME is set in your environment.

 

Environment

Product Version: 5.21

Resolution

If you are using HFDS with SSL enabled you will have the following properties enabled:

core-site.xml:

<value>org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory</value>
    <final>true</final>
  </property>
  <property>
    <name>hadoop.ssl.server.conf</name>
    <value>ssl-server.xml</value>
    <final>true</final>
  </property>
  <property>
    <name>hadoop.ssl.client.conf</name>
    <value>ssl-client.xml</value>
    <final>true</final>
  </property>
  <property>

hdfs-site.xml:

 <property>
    <name>dfs.http.policy</name>
    <value>HTTPS_ONLY</value>
 </property>


Taking a look at the ssl-client.xml file will show where the required JKS file is located:

 <property>
    <name>ssl.client.truststore.location</name>
    <value>/opt/cloudera/security/pki/jks/jssecacerts-java-1.8.jks</value>
  </property>

In order to address the error, we will need to
1.) Make sure the jsscacerts-java-1.8.jks files exists. If not then we need to generate one.
2.) Once the file is generated, copy over the ssl-client.xml file from Hadoop to $PXF_CONF/conf 

pxf cluster sync
pxf cluster stop
pxf cluster start

Test again to see if the error is gone.

Powered by Wolken Software