Connect to Hadoop with KNOX

Teradata Studio
Teradata Employee

I am trying to create a connection in Studio to a Hortonworks Hadoop cluster with Knox enabled.

 

The JDBC connection string contains among others the Knox certificate parameters sslTrustStore and trustStorePassword, which I point to the local path of the certificate. This works e.g. in SQuirreL, but there's no option to set these parameters in Studio.

In order to use the Hive JDBC option when creating a connection, I need to use the Hortonworks driver, but I cannot add any parameters, whereas the Generic JDBC driver works only with the TDCH option.

 

Am I missing something? Is there any way to do this?

  • hadoop
  • jdbc
  • knox
  • studio

1 ACCEPTED SOLUTION
5 REPLIES
Teradata Employee

Re: Connect to Hadoop with KNOX

What error do you see when you 'Test Connection' from the Knox Connection Properties page?

 

Is it "SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"?

 

If so, you need to import the Knox certificate into your Java keystore.

Currently we do not have support for adding the sslTrustStore and trustStorePassword JDBC properties, but those parameters are not required if you do the step above.

Teradata Employee

Re: Connect to Hadoop with KNOX

Thanks for the reply.

 

Yes, that is the error I am getting.

I already imported the certificate into cacerts, but I still get the error.

Just to describe the process:

The Knox certificate I have is already a *.jks file, so I imported it with the command:

keytool -importkeystore -srckeystore knox_certs.jks -destkeystore cacerts

 

If this is wrong, could you tell me how to do it properly?

Teradata Employee

Re: Connect to Hadoop with KNOX

Make sure that you are importing into the correct Java cacerts file. Some people have both a JDK and a JRE installed on their system.

For example, on my system I have both a jdk1.8.0_121 and a jre1.8.0_121. The cacerts file you are importing to should be for the JRE that your Studio application is running on (set at install time).

Also, I have not heard about importing the .jks file directly into the JRE cacerts; what I have seen is the .jks file being exported first to a .crt file.

The instructions given to do this export are to run the following command from the Knox server:

keytool -export -alias gateway-identity -rfc -file knox.crt -keystore <path to gateway.jks keystore (eg. /usr/lib/knox/data/security/keystore/gateway.jks)>

Then, to import the knox.crt file, you would run:

keytool.exe -importcert -alias "TDH240 knox self signed cert" -file knox.crt -keystore "C:\Program Files\Java\jdk1.8.0_121\jre\lib\security\cacerts"

where the path should be to the correct cacerts file.

Teradata Employee

Re: Connect to Hadoop with KNOX

That was quick, thanks again!

 

I was actually just going to write again. Before checking here, I had already found that TD Studio was using another JRE, although it was different from the one I set when I installed it. This is why I only checked the supposedly correct version.

Anyway, now the ping succeeds, but I am getting another error when I try to open the connection:

Could not connect to Hadoop.
Error creating SQL Model Connection connection to Hadoop. (Error: Response code : -1. Unable to connect to WebHCat server: https://sample.server:8442/gateway/hadoopdev/templeton/v1/ddl/databasejava.security.cert.CertificateException: No name matching sample.server found)
Response code : -1. Unable to connect to WebHCat server: https://sample.server:8442/gateway/hadoopdev/templeton/v1/ddl/databasejava.security.cert.CertificateException: No name matching sample.server found

Maybe this isn't a Studio issue, but would you have any idea about it?
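
An added diagnostic, not part of the thread and not Teradata code: run with the JRE that Studio actually uses, it reports whether the exported knox.crt is a trusted entry in that JRE's cacerts (the cause of the PKIX error discussed above) and whether the host in the connection URL matches a name in the certificate (the "No name matching" error). The class name KnoxTrustCheck, the stock cacerts password changeit and the simplified wildcard rule are assumptions.

```java
import java.io.*;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added diagnostic; KnoxTrustCheck is a hypothetical name.
// Usage: java KnoxTrustCheck knox.crt sample.server [path-to-cacerts]
public class KnoxTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KnoxTrustCheck <cert> <host> [cacerts]");
            return;
        }
        String host = args[1];
        // Default truststore: the cacerts of the JRE running this program.
        String cacerts = args.length > 2 ? args[2] : Paths.get(
            System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // 1. Trust: is this exact certificate an entry in that cacerts?
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray()); // assumption: stock cacerts password
        }
        String alias = ks.getCertificateAlias(cert);
        System.out.println("Truststore: " + cacerts);
        System.out.println("Trusted as: " + (alias == null ? "NOT PRESENT" : alias));
        // 2. Names: dNSName SAN entries, else the subject CN.
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // 2 = dNSName
            }
        }
        if (names.isEmpty()) {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
            }
        }
        boolean match = false;
        for (String n : names) { // exact match, or "*." covering one leftmost label (simplified)
            match |= n.equalsIgnoreCase(host) || (n.startsWith("*.") && host.indexOf('.') > 0
                && host.substring(host.indexOf('.')).equalsIgnoreCase(n.substring(1)));
        }
        System.out.println("Names: " + names + ", host " + host + (match ? " matches" : " does NOT match"));
    }
}
```

A "NOT PRESENT" result against the cacerts Studio uses means the import went into a different truststore; a "does NOT match" result means the connection URL must use one of the listed names or the Knox certificate must be reissued for the host being used.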

Teradata Employee

Re: Connect to Hadoop with KNOX

OK, some inconsistencies again, but solved it. Thanks!