PXF: javax.net.ssl.SSLHandshakeException: PKIX path building failed

Article ID: 296470

Products

VMware Tanzu Greenplum

Issue/Introduction

When configuring PXF, you get the following error:
ERROR: remote component error (500) from '127.0.0.1:5888': type Exception report  message  javax.servlet.ServletException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target  description  The server encountered an internal error that prevented it from fulfilling this request.  exception  javax.servlet.ServletException: javax.servlet.ServletException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (libchurl.c:946) (seg0 slice1 xxx.xxx.xxx.xxx:40000 pid=6904) (cdbdisp.c:254)

DETAIL: External table test_kevin, file pxf://user/kevin4/test.txt?PROFILE=hdfs:text

Make sure JAVA_HOME is set in your environment.


Environment

Product Version: 5.21

Resolution

If you are using HDFS with SSL enabled, the following properties will be set:

core-site.xml:
  <property>
    <name>hadoop.ssl.keystores.factory.class</name>
    <value>org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory</value>
    <final>true</final>
  </property>
  <property>
    <name>hadoop.ssl.server.conf</name>
    <value>ssl-server.xml</value>
    <final>true</final>
  </property>
  <property>
    <name>hadoop.ssl.client.conf</name>
    <value>ssl-client.xml</value>
    <final>true</final>
  </property>

hdfs-site.xml:
 <property>
    <name>dfs.http.policy</name>
    <value>HTTPS_ONLY</value>
 </property>

Taking a look at the ssl-client.xml file will show where the required JKS file is located:
 <property>
    <name>ssl.client.truststore.location</name>
    <value>/opt/cloudera/security/pki/jks/jssecacerts-java-1.8.jks</value>
  </property>

To address the error:
1.) Make sure the jssecacerts-java-1.8.jks file exists. If it does not, generate one.
2.) Once the file is generated, copy the ssl-client.xml file from Hadoop to $PXF_CONF/conf.

Then sync the configuration and restart PXF:

pxf cluster sync
pxf cluster stop
pxf cluster start


Test again to see if the error is gone.
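
A preflight check for the two steps above, added here as an example (it is not part of the original article or of PXF): it reads ssl-client.xml from the PXF conf directory, resolves ssl.client.truststore.location, and confirms that the file exists on the host and carries a JKS header with at least one entry. It assumes a JKS-format truststore; the function names are hypothetical.

```python
import os
import struct
import sys
import xml.etree.ElementTree as ET

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS keystore
PROP = "ssl.client.truststore.location"  # property name shown in the article


def hadoop_property(xml_path, name):
    """Return the <value> of the Hadoop <property> called name, or None."""
    for prop in ET.parse(xml_path).getroot().iter("property"):
        if (prop.findtext("name") or "").strip() == name:
            return (prop.findtext("value") or "").strip()
    return None


def check_truststore(conf_dir):
    """Hypothetical helper: return a list of problems, empty if checks pass."""
    ssl_client = os.path.join(conf_dir, "ssl-client.xml")
    if not os.path.isfile(ssl_client):
        return [f"{ssl_client} is missing"]
    try:
        location = hadoop_property(ssl_client, PROP)
    except ET.ParseError as exc:
        return [f"{ssl_client} is not well-formed XML: {exc}"]
    if not location:
        return [f"{PROP} is not set in {ssl_client}"]
    if not os.path.isfile(location):
        return [f"truststore {location} does not exist on this host"]
    with open(location, "rb") as fh:
        header = fh.read(12)  # magic, version, entry count (big-endian ints)
    if len(header) < 12 or struct.unpack(">I", header[:4])[0] != JKS_MAGIC:
        return [f"{location} is not a JKS keystore"]
    _, version, entries = struct.unpack(">III", header)
    if entries == 0:
        return [f"{location} is a JKS v{version} keystore with no entries"]
    return []


if __name__ == "__main__":
    # Run on each host where PXF runs; PXF_CONF is the PXF configuration directory.
    problems = check_truststore(os.path.join(os.environ.get("PXF_CONF", ""), "conf"))
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

The JKS header is readable without the store password, so the check does not need it; confirming that the right CA certificate is inside still requires listing the entries with keytool.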

Relevant Articles:
https://docs.cloudera.com/documentation/enterprise/latest/topics/cm_sg_create_key_trust.html
https://docs.cloudera.com/documentation/enterprise/latest/topics/cm_sg_openssl_jks.html