LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

Teradata Employee


Hi 

 

I am running into the exception below when LDAP authentication was configured through Presto.

 

/root/presto-cli --debug --server https://cdh202m1.labs.teradata.com:8443 --keystore-path /etc/presto/keystore.jks --keystore-password  changeit --catalog hive --schema default --user DefaultGroupUser --password

Password:      [ LDAPPass123 ]

Exception in thread "main" java.lang.RuntimeException: java.security.UnrecoverableKeyException: Cannot recover key

at com.google.common.base.Throwables.propagate(Throwables.java:240)

at io.airlift.http.client.jetty.JettyHttpClient.<init>(JettyHttpClient.java:251)

at com.facebook.presto.cli.QueryRunner.<init>(QueryRunner.java:79)

at com.facebook.presto.cli.QueryRunner.create(QueryRunner.java:125)

at com.facebook.presto.cli.Console.run(Console.java:130)

at com.facebook.presto.cli.Presto.main(Presto.java:32)

Caused by: java.security.UnrecoverableKeyException: Cannot recover key

at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)

at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)

at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)

at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)

at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)

at java.security.KeyStore.getKey(KeyStore.java:1023)

at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)

at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)

at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)

at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1021)

at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:297)

at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:217)

at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)

at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)

at org.eclipse.jetty.client.HttpClient.doStart(HttpClient.java:232)

at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

at io.airlift.http.client.jetty.JettyHttpClient.<init>(JettyHttpClient.java:241)

... 4 more

 

Included below is the content of the coordinator config.properties file:

node-scheduler.include-coordinator=true

discovery.uri=http://cdh202m1.labs.teradata.com:8090

discovery-server.enabled=true

http-server.http.port=8090

coordinator=true

query.max-memory-per-node=2.8GB

query.max-memory=16.8GB

 

http-server.authentication.type=LDAP

authentication.ldap.enabled=true

authentication.ldap.url=ldaps://ad-test.presto.testldap.com:636

authentication.ldap.server-type=active_directory

authentication.ldap.ad-domain=presto.testldap.com

http-server.https.enabled=true

http-server.https.port=8443

http-server.https.keystore.path=/etc/presto/keystore.jks

http-server.https.keystore.key=changeit

authentication.ldap.ad-domain=presto.testldap.com

authentication.ldap.base-dn=OU=Asia,DC=presto,DC=testldap,DC=com

authentication.ldap.group-dn=cn=DefaultGroup,ou=America,dc=presto,dc=testldap,dc=com

authentication.ldap.user-object-class=person

 

Any pointers to fix this would be helpful.

 

Thanks

 

7 REPLIES
Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

Couple of things to check here:

 

  • Are you sure the --keystore-password you provide in the CLI is correct? The keytool command you sent (" keytool -genkeypair -alias presto -keyalg RSA -keystore /etc/presto/keystore.jks  [ passwd: LDAPPass123 ]") has a different password from what you are using from the CLI ("--keystore-password changeit")
  • Can you try disabling LDAP authentication and get the SSL part of the connection working. For this:
    * On server side (/etc/presto/config.properties) set: authentication.ldap.enabled=false
    * And connect using CLI:
    /root/presto-cli --debug --server https://cdh202m1.labs.teradata.com:8443 --keystore-path /etc/presto/keystore.jks --keystore-password  keystore_password
Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

Hi

 

Also, check that the presto user has permissions for the keystore, and verify the password for the keystore file and view its contents using keytool.

 

$ keytool -list -v -keystore /etc/presto/presto.jks
Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

  • The password LDAPPass123 is correct  

presto passwd is "LDAPPass123"

keystore passwd is "changeit"

(please refer to the snippet below from the configuration)

 

CDH202m1:~/.prestoadmin/coordinator # keytool -genkeypair -alias presto -keyalg RSA -keystore /etc/presto/keystore.jks

Enter keystore password:      [ changeit ]

Re-enter new password:       [ changeit ]

What is your first and last name?

  [Unknown]:  cdh202m1.labs.teradata.com

What is the name of your organizational unit?

  [Unknown]:  

What is the name of your organization?

  [Unknown]:  

What is the name of your City or Locality?

  [Unknown]:  

What is the name of your State or Province?

  [Unknown]:  

What is the two-letter country code for this unit?

  [Unknown]:  

Is CN=cdh202m1.labs.teradata.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

  [no]:  yes

 

Enter key password for <presto>               [ LDAPPass123 ]

(RETURN if same as keystore password):  

Re-enter new password:                           [ LDAPPass123 ]

 

BTW, I just tried using the password "changeit" to confirm, but no luck.

  • As suggested, I disabled LDAP and performed the steps below
    • Can you try disabling LDAP authentication and get the SSL part of the connection working. For this:
      * On server side (/etc/presto/config.properties) set: authentication.ldap.enabled=false
      * And connect using CLI:
      /root/presto-cli --debug --server https://cdh202m1.labs.teradata.com:8443 --keystore-path /etc/presto/keystore.jks --keystore-password  keystore_password

Exception in thread "main" java.lang.RuntimeException: java.security.UnrecoverableKeyException: Cannot recover key

at com.google.common.base.Throwables.propagate(Throwables.java:240)

at io.airlift.http.client.jetty.JettyHttpClient.<init>(JettyHttpClient.java:251)

at com.facebook.presto.cli.QueryRunner.<init>(QueryRunner.java:79)

at com.facebook.presto.cli.QueryRunner.create(QueryRunner.java:125)

at com.facebook.presto.cli.Console.run(Console.java:130)

at com.facebook.presto.cli.Presto.main(Presto.java:32)

Caused by: java.security.UnrecoverableKeyException: Cannot recover key

at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)

at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)

at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)

at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)

at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)

at java.security.KeyStore.getKey(KeyStore.java:1023)

at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)

at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)

at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)

at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1021)

at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:297)

at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:217)

at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)

at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)

at org.eclipse.jetty.client.HttpClient.doStart(HttpClient.java:232)

at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

at io.airlift.http.client.jetty.JettyHttpClient.<init>(JettyHttpClient.java:241)

... 4 more

 

Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

Also, check that the presto user has permissions for the keystore, and verify the password for the keystore file and view its contents using keytool.

$ keytool -list -v -keystore /etc/presto/presto.jks

 

presto has permissions for the keystore file (snippet below)

ls -l /etc/presto/

total 24

-rw------- 1 presto presto  223 Mar 27 14:52 config.properties

-rw-r--r-- 1 presto presto   36 Mar 27 14:49 env.sh

-rw------- 1 presto presto  253 Mar 27 14:52 jvm.config

-rw-r--r-- 1 presto presto 2282 Mar 27 21:15 keystore.jks

-rw------- 1 presto presto  281 Mar 27 14:52 node.properties

 

Does the file name need to be presto.jks? On my system it was created as keystore.jks.

 

keytool -list -v -keystore /etc/presto/keystore.jks 

Enter keystore password:  

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

java.io.IOException: Keystore was tampered with, or password was incorrect

at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)

at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)

at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)

at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)

at java.security.KeyStore.load(KeyStore.java:1445)

at sun.security.tools.keytool.Main.doCommands(Main.java:892)

at sun.security.tools.keytool.Main.run(Main.java:343)

at sun.security.tools.keytool.Main.main(Main.java:336)

Caused by: java.security.UnrecoverableKeyException: Password verification failed

at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)

... 7 more

 

Not able to list and view the keystore contents using keytool... as the password appears to be incorrect.

 

 

The keystore file was generated using the step below:

 

keytool -genkeypair -alias presto -keyalg RSA -keystore /etc/presto/keystore.jks

Enter keystore password:    changeit

Re-enter new password:     changeit

 

What is your first and last name?

  [Unknown]:  cdh202m1.labs.teradata.com

What is the name of your organizational unit?

  [Unknown]:

What is the name of your organization?

  [Unknown]:

What is the name of your City or Locality?

  [Unknown]:

What is the name of your State or Province?

  [Unknown]:

What is the two-letter country code for this unit?

  [Unknown]:

Is CN=cdh040m1.labs.teradata.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

  [no]:  yes

 

Enter key password for <presto>                       LDAPPass123

        (RETURN if same as keystore password):  LDAPPass123

Re-enter new password:

 

Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

I just tried the steps that you have listed and I was able to use the keytool -list command successfully. I think we need to find out why this keystore is not accepting the password to display the information.

The filename can be keystore.jks, the issue seems not related to Presto at all but with your keystore setup.

Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

Hi Akshat,
 
I did not see any error during keystore setup. Included below are the steps performed on the Presto system (can you scan through and see if something is not correct...). I can send the stdout by email if required...
 
 

1. Update /root/.prestoadmin/coordinator/config.properties (to use LDAP authentication)

2. Update /etc/hosts

10.25.171.180   ad-test.presto.testldap.com

3. Create /root/ldap_server.crt (with the ssh key from the GitHub link below)

https://github.com/Teradata/docker-images/blob/master/teradatalabs/centos6-java8-oracle-ldap/files/a...

4. keytool -import -v -trustcacerts -alias ldap_server3 -file ~/ldap_server.crt -keystore presto_truststore.jks -keypass changeit    [ passwd: changeit ]

 

5. keytool -import -keystore /opt/teradata/jvm64/jdk8/jre/lib/security/cacerts -trustcacerts -alias ldap_server2 -file ~/ldap_server.crt  [ passwd: changeit ]  

 

6. keytool -genkeypair -alias presto -keyalg RSA -keystore /etc/presto/keystore.jks  [ passwd: LDAPPass123 ]

 

7. /opt/prestoadmin/presto-admin server restart

8. /opt/prestoadmin/presto-admin server status

 

9. Try to access presto catalog through LDAP

 

   /root/presto-cli --debug --server https://cdh202m1.labs.teradata.com:8443 --keystore-path /etc/presto/keystore.jks --keystore-password  changeit --catalog hive --schema default --user DefaultGroupUser --password

 

Password:   [ LDAPPass123 ]

 

Teradata Employee

Re: LDAP authentication through presto, UnrecoverableKeyException: Cannot recover key

 

To close the loop here, the error was due to the fact that the keystore file keystore.jks being used was corrupted. The issue was fixed by creating a new keystore /etc/presto/presto_keystore.jks using the command:

keytool -genkeypair -alias prestokey -keyalg RSA -validity 7 -keystore presto_keystore.jks -keypass keystorepass -storepass keystorepass -dname "CN=cdh202m1.labs.teradata.com, OU=, O=, L=, S=, C="

-Anu
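The two stack traces in this thread fail in two different places of the JDK's JKS implementation, and the distinction is worth seeing in code. A JKS file carries two separate password checks: the whole file ends in a SHA-1 digest keyed by the store password (verified in JavaKeyStore.engineLoad, which is where the keytool -list trace fails with "Keystore was tampered with, or password was incorrect"), and each private key is separately wrapped with keytool's proprietary SHA-1 XOR scheme keyed by the key password (verified in KeyProtector.recover, which is where the presto-cli trace fails with "Cannot recover key", meaning the store digest had already been accepted and only the per-key password did not match). Presto's CLI (--keystore-password) and server (http-server.https.keystore.key) supply a single password that Jetty's SslContextFactory passes to both KeyStore.load and KeyManagerFactory.init, so the key password must equal the store password; the final fix above uses identical -storepass and -keypass values, which is what makes both checks pass. The following is an added example, not Presto or keytool code: a minimal JKS v2 reader/writer in Python that reproduces both checks. The alias names, passwords and the byte strings standing in for the private key and certificate are constructed test data, and only the standard library is used.

```python
# Added example, not Presto or keytool code: a minimal JKS v2 reader/writer that
# reproduces the two checks behind the two stack traces in this thread.
#  - store integrity: SHA-1 over (store password as UTF-16BE || "Mighty Aphrodite" ||
#    file body), checked in JavaKeyStore.engineLoad -> "Keystore was tampered with ..."
#  - per-key protection: keytool's proprietary SHA-1 XOR scheme keyed by the KEY
#    password, checked in KeyProtector.recover -> "Cannot recover key"
# Aliases, passwords and the "key"/"cert" byte strings used with it are constructed test data.
import hashlib
import os
import struct

MAGIC, VERSION, PRIVATE_KEY = 0xFEEDFEED, 2, 1
SALT_LEN = DIGEST_LEN = 20
WHITENER = b"Mighty Aphrodite"                              # constant mixed into the store digest
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")  # 1.3.6.1.4.1.42.2.17.1.1

def _pw(password: str) -> bytes:
    return password.encode("utf-16-be")                     # Java hashes chars, not UTF-8 bytes

def _keystream(pw: bytes, salt: bytes, length: int) -> bytes:
    # digest_0 = salt; digest_i = SHA1(pw || digest_{i-1}); concatenated, XORed with the key
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def _der(tag: int, body: bytes) -> bytes:                   # DER TLV with short/long length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf: bytes, off: int = 0):                         # -> (tag, body, offset after element)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def protect_key(plain_key: bytes, key_password: str, salt: bytes = None) -> bytes:
    """KeyProtector.protect(): salt || key XOR keystream || SHA1(pw || key), as EncryptedPrivateKeyInfo."""
    pw, salt = _pw(key_password), salt or os.urandom(SALT_LEN)
    enc = bytes(a ^ b for a, b in zip(plain_key, _keystream(pw, salt, len(plain_key))))
    check = hashlib.sha1(pw + plain_key).digest()
    alg = _der(0x30, _der(0x06, KEY_PROTECTOR_OID) + b"\x05\x00")  # AlgorithmIdentifier {OID, NULL}
    return _der(0x30, alg + _der(0x04, salt + enc + check))

def recover_key(protected: bytes, key_password: str) -> bytes:
    """KeyProtector.recover(): the trailing check hash is the only verification."""
    _, seq, _ = _tlv(protected)
    _, _, off = _tlv(seq)                                   # skip AlgorithmIdentifier
    _, blob, _ = _tlv(seq, off)
    pw = _pw(key_password)
    salt, enc, check = blob[:SALT_LEN], blob[SALT_LEN:-DIGEST_LEN], blob[-DIGEST_LEN:]
    plain = bytes(a ^ b for a, b in zip(enc, _keystream(pw, salt, len(enc))))
    if hashlib.sha1(pw + plain).digest() != check:
        raise ValueError("Cannot recover key")              # java.security.UnrecoverableKeyException
    return plain

def _utf(s: str) -> bytes:                                  # DataOutputStream.writeUTF
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def build_jks(alias, store_password, key_password, plain_key, cert_der) -> bytes:
    """JavaKeyStore.engineStore(): one private-key entry with a one-cert chain."""
    body = struct.pack(">IIi", MAGIC, VERSION, 1)
    body += struct.pack(">i", PRIVATE_KEY) + _utf(alias) + struct.pack(">q", 0)   # tag, alias, date
    pk = protect_key(plain_key, key_password)
    body += struct.pack(">i", len(pk)) + pk
    body += struct.pack(">i", 1) + _utf("X.509") + struct.pack(">i", len(cert_der)) + cert_der
    return body + hashlib.sha1(_pw(store_password) + WHITENER + body).digest()

def load_jks(data: bytes, store_password: str) -> dict:
    """JavaKeyStore.engineLoad(): verify the keyed digest, return {alias: protected key DER}."""
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if hashlib.sha1(_pw(store_password) + WHITENER + body).digest() != stored:
        raise IOError("Keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">IIi", body)
    if (magic, version) != (MAGIC, VERSION):
        raise IOError("not a JKS v2 keystore")
    off, entries = 12, {}
    for _ in range(count):
        tag, n = struct.unpack_from(">iH", body, off)
        alias, off = body[off + 6:off + 6 + n].decode(), off + 6 + n + 8   # +8 skips the date
        chain = 1                                           # a trusted-cert entry is one bare cert
        if tag == PRIVATE_KEY:
            n, = struct.unpack_from(">i", body, off)
            entries[alias], off = body[off + 4:off + 4 + n], off + 4 + n
            chain, = struct.unpack_from(">i", body, off); off += 4
        for _ in range(chain):                              # each cert: UTF type, int length, bytes
            t, = struct.unpack_from(">H", body, off); off += 2 + t
            n, = struct.unpack_from(">i", body, off); off += 4 + n
    return entries

def diagnose(jks: bytes, alias: str, password: str) -> str:
    """What Presto does: one password for the store AND for the key."""
    try:
        entries = load_jks(jks, password)
    except IOError:
        return "store password wrong (keytool -list fails too)"
    try:
        recover_key(entries[alias], password)
    except ValueError:
        return "key password differs from store password (Cannot recover key)"
    return "ok"
```

Run `diagnose(open("/etc/presto/keystore.jks", "rb").read(), "presto", "changeit")` against a real file to see which of the two checks rejects the password; a store built with store password "changeit" and key password "LDAPPass123", as in the keytool session quoted above, passes the load but fails key recovery, while one built with the same value for both (as in the closing `-storepass keystorepass -keypass keystorepass` command) returns "ok". Note that `keytool -list` only exercises the store digest; with the real tool, the per-key password is only exercised by an operation that reads the key, such as `keytool -importkeystore` with `-srckeypass`. Two caveats a practitioner will notice from the code: the per-key wrapping is a password-keyed SHA-1 XOR stream with a 20-byte check value and no work factor, so anyone who can read the file can brute-force the key password offline, and the directory listing above shows keystore.jks as 0644 while every other Presto config file is 0600; restrict it to the presto user.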