Thursday, November 9, 2017

Configure Cloudera Kerberos Authentication using MIT-KDC

- Create a Kerberos admin user who has privileges to add other principals
[root@cdh-vm krb5kdc]# kadmin.local  -q "addprinc cloudera-scm/admin"

-- Before proceeding, verify that the KDC works:

ktutil:  add_entry -password -p cloudera-scm/admin -k 1 -e aes256-cts-hmac-sha1-96
Password for cloudera-scm/admin@DBAGLOBE.COM:

[root@cdh-vm log]#  klist -e
Ticket cache: KEYRING:persistent:0:krb_ccache_r0tnzhY
Default principal: cloudera-scm/admin@DBAGLOBE.COM

Valid starting       Expires              Service principal
11/09/2017 23:09:42  11/10/2017 23:09:42  krbtgt/DBAGLOBE.COM@DBAGLOBE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


Encountered errors:

2017-11-09 23:34:18,010 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8022: readAndProcess from client 192.168.56.10 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
2017-11-09 23:34:18,655 INFO org.apache.hadoop.hdfs.server.blockmanagement.CacheReplicationMonitor: Rescanning after 30002 milliseconds
2017-11-09 23:34:18,656 INFO org.apache.hadoop.hdfs.server.blockmanagement.CacheReplicationMonitor: Scanned 0 directive(s) and 0 block(s) in 0 millisecond(s).
2017-11-09 23:34:22,804 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8022: readAndProcess from client 192.168.56.10 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not support

How to Fix:

[root@cdh-vm security]# pwd
/usr/java/jdk1.8.0_144/jre/lib/security

[root@cdh-vm security]# mkdir limited
[root@cdh-vm security]# mv *.jar limited/


[root@cdh-vm security]# unzip /home/donghua/jce_policy-8.zip -d  /home/donghua/
[root@cdh-vm security]# cp /home/donghua/UnlimitedJCEPolicyJDK8/*.jar .
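
To confirm the diagnosis before the jar swap and the result after it, the following is an added example (not part of the original post): it counts the unsupported-encryption-type GSS failures in a Hadoop daemon log per client and port, and asks a JDK 8 JVM whether AES is still capped at 128 bits. The function names and the sample log lines are constructed for illustration; `jrunscript` is assumed to come from the same JDK 8 installation.

```bash
#!/usr/bin/env bash
# Added example; function names and the sample log lines are constructed.

# Count "encryption type not supported" GSS failures per client and port.
# Reads Hadoop daemon log text on stdin, prints "<count> <client> <port>".
# The pattern also matches lines cut off after "is not support".
scan_etype_errors() {
  awk '
    /GSSException/ && /Encryption type .* is not support/ {
      client = "?"; port = "?"
      for (i = 1; i < NF; i++) {
        if ($i == "port")   { port = $(i + 1); sub(/:$/, "", port) }
        if ($i == "client") { client = $(i + 1) }
      }
      hits[client " " port]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -k1,1nr -k2
}

# Map Cipher.getMaxAllowedKeyLength("AES") to a policy verdict:
# 128 means the limited policy jars are still in place.
classify_aes_limit() {
  case "$1" in
    ''|*[!0-9]*) echo unknown ;;
    *) if [ "$1" -ge 256 ]; then echo unlimited; else echo limited; fi ;;
  esac
}

# Ask a JDK 8 JVM directly; pass the path to jrunscript if it is not on PATH.
jvm_aes_policy() {
  max=$("${1:-jrunscript}" -e \
    'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))' 2>/dev/null || true)
  classify_aes_limit "$max"
}

# Constructed sample modelled on the NameNode log excerpt above.
sample_log() {
  cat <<'EOF'
2017-11-09 23:34:18,010 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8022: readAndProcess from client 192.168.56.10 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
2017-11-09 23:34:18,655 INFO org.apache.hadoop.hdfs.server.blockmanagement.CacheReplicationMonitor: Rescanning after 30002 milliseconds
2017-11-09 23:34:22,804 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8022: readAndProcess from client 192.168.56.10 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not support
2017-11-09 23:35:01,117 INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 192.168.56.11 threw exception [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
EOF
}

sample_log | scan_etype_errors
```

On the cluster host, feed the real daemon log to `scan_etype_errors` and run `jvm_aes_policy` with the JDK's own `bin/jrunscript`; the Hadoop roles must be restarted before a running JVM picks up the replaced policy jars.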