I am using the below mentioned connection URL to connect to hive server using beeline.
!connect
jdbc:hive2://sandbox.hortonworks.com:21000/default;ssl=true;sslTrustStore=/var/lib/knox/data-2.3.2.0-2950/security/keystores/gateway.jks;trustStorePassword=knox?hive.server2.transport.mode=http;httpPath=gateway/default/hive
After the connection I am getting the below mentioned error.
Could not open client transport with JDBC Uri:
jdbc:hive2://sandbox.hortonworks.com:21000/default;ssl=true;sslTrustStore=/var/lib/knox/data-2.3.2.0-2950/security/keystores/gateway.jks;trustStorePassword=knox?hive.server2.transport.mode=http;httpPath=gateway/default/hive:
Could not create http connection to
jdbc:hive2://sandbox.hortonworks.com:21000/default;ssl=true;sslTrustStore=/var/lib/knox/data-2.3.2.0-2950/security/keystores/gateway.jks;trustStorePassword=knox?hive.server2.transport.mode=http;httpPath=gateway/default/hive.
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? (state=08S01,code=0)
Kindly help me to resolve this error.
There can be multiple reasons for getting this error.
Make sure Knox is running (check using Ambari) and check which port number it is using. By default Knox uses 8443.
Check that the SSL store location is correct. It varies based on which version of the sandbox you are using.
Check that trustStorePassword is correct. The default password is knox. Otherwise use your Knox master password.
Make sure the Hive configuration hive.server2.transport.mode is set to http.
After the configuration changes, make sure that you restart the Knox gateway.
I set up my server on CentOS 7.
From the client side (not localhost), I can connect and transfer files to the server with an unencrypted connection, but I can't connect with TLS.
This is my vsftpd.conf:
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
rsa_cert_file=/home/user/server/sync.crt
rsa_private_key_file=/home/user/server/sync.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1
and FileZilla's error:
Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".
425 Failed to establish connection.
How do I solve this problem?
This kind of error typically happens when a data connection cannot be created to transfer files or directory listings. Such data connections are done using dynamic ports, where in case of PASV the port to use is announced by the server within the response to the PASV command.
Firewalls often employ helpers that scan the traffic and look for such responses announcing which port the client should use, and then temporarily allow such access. In the case of plain FTP without encryption, the firewall can see the response and determine the port to open, so it works. But in the case of FTPS the control connection is encrypted, so the firewall only sees encrypted communication and cannot determine the port to open, and it fails.
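The argument above as an added example (not part of the original answer): a toy stand-in for a firewall FTP helper that reads the data port out of a PASV reply, run over the same reply in the clear and inside a TLS record. The sample replies and the `helper_sees_port` / `passive_range` names are constructed for illustration; the passive-mode settings are copied from the question's vsftpd.conf.

```python
import re

# Passive-mode keys copied from the vsftpd.conf in the question.
VSFTPD_CONF = """\
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=60000
pasv_address=1.1.1.1
"""

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as sent on the control channel.
PASV_REPLY = re.compile(rb"227 [^\r\n(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def passive_range(conf_text):
    """Return (min_port, max_port) configured for passive data connections."""
    opts = dict(line.split("=", 1) for line in conf_text.splitlines()
                if "=" in line and not line.lstrip().startswith("#"))
    return int(opts["pasv_min_port"]), int(opts["pasv_max_port"])


def helper_sees_port(control_bytes):
    """Emulate a firewall FTP helper: find the data port in a PASV reply.

    Returns the announced port, or None when no readable 227 reply is present,
    which is the case once the control connection is wrapped in TLS.
    """
    m = PASV_REPLY.search(control_bytes)
    if not m:
        return None
    p1, p2 = int(m.group(5)), int(m.group(6))
    return p1 * 256 + p2  # the port is encoded as two decimal bytes


# Constructed samples: a plaintext reply, and an opaque TLS application-data
# record (5-byte header followed by 44 bytes standing in for ciphertext).
PLAIN = b"227 Entering Passive Mode (1,1,1,1,195,80).\r\n"
ENCRYPTED = bytes.fromhex("170303002c") + bytes(range(0x80, 0xAC))

if __name__ == "__main__":
    lo, hi = passive_range(VSFTPD_CONF)
    print("helper on plain FTP:", helper_sees_port(PLAIN))
    print("helper on FTPS     :", helper_sees_port(ENCRYPTED))
    print(f"range the firewall must allow statically for FTPS: {lo}-{hi}/tcp")
```

Because the helper gets nothing from the encrypted channel, the whole `pasv_min_port`-`pasv_max_port` range has to be permitted by a static firewall rule for FTPS data connections to succeed.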
I'm a newbie to HDP and Knox.
My HDP environment description:
HDP version - 2.6
HS2 is enabled
Hive transport mode - HTTP
Knox installed via Ambari
SSL is not enabled
non Kerberized instance
Issue:
I'm trying to connect to Hive via beeline. The connection string is "!connect jdbc:hive2://:8443/;transportMode=http;httpPath=gateway//hive". The user name is admin and the password is admin-password. It throws an error: "18/06/18 08:17:39 [main]: ERROR jdbc.HiveConnection: Error opening session org.apache.thrift.transport.TTransportException: org.apache.http.NoHttpResponseException: :8443 failed to respond" and "Error: Could not establish connection to jdbc:hive2://:8443/;transportMode=http;httpPath=gateway//hive: org.apache.http.NoHttpResponseException: :8443 failed to respond (state=08S01,code=0)".
Things I've tried:
I've tried changing the httpPath to "cliserver" and "gateway/default/hive", and they didn't work.
I've tried changing the connection URL to " !connect jdbc:hive2://:10001/default;transportMode=http; httpPath=cliservice;". It worked, but it doesn't serve the purpose of Knox, as I'm trying to use the exposed Hive port.
I would appreciate it if anyone can help me with a detailed solution to this problem.
You need to specify the trust store and the trust store password, e.g.
{code}
beeline -u "jdbc:hive2://:8443/;ssl=true;sslTrustStore=/gateway.jks;trustStorePassword=;transportMode=http;httpPath=gateway/default/hive" -n admin -p admin-password
{code}
Here we are assuming you have the demo LDAP setup (not recommended for production).
Also, you need
Knox host
Knox truststore location (for HDP /var/lib/knox/data-x.x.x.x-xxxx/security/keystores/gateway.jks)
Truststore password (default knox)
The path should be gateway/default/hive
Hope it helps.
I'm setting up a server with a couple of web services in JBoss 4.2.2. When I disable the SSL verification on the connector, all calls go through in SoapUI as well as from a Python script containing the same payload as the SoapUI script.
But when I enable the SSL verification with a connected keystore on the connector, all requests from SoapUI get refused, with the following error:
Error getting response; org.apache.http.conn.HttpHostConnectException: Connection to https://1...8:2443 refused
My Python script still runs and successfully receives the response as expected.
I have also linked the same keystore to the SSL settings in SoapUI, but without luck. I'm not familiar enough with SoapUI to know what I'm missing.
Anyone got an idea?
2443 isn't the default https connector port. Check it in your server configuration. You can also check the ports on which JBoss is listening using netstat, or directly use telnet to probe the connection.
I am having an issue connecting to a qmgr. The host rejected the connection due to a cipherspec error for the SSL channel on port 1414. The keystore checked out OK. I was able to use openssh to connect to the host and retrieve its keys.
I have tried to enable and disable SSLv3. I provided the keystore password with and without "" (double quotes). These are the connection properties:
qcf=wmq://aftbusu105.it.companyx.com:1414/?qmgr=MQPLTC010,channel=FUSION.SSL,sslCipherSuite=SSL_RSA_WITH_NULL_MD5,transportType=1
reqQ=queue:///FUSIONQL.app.queuename.1_0.Q.PS.REQ
rspQ=queue:///FUSIONQL.app.queuename.1_0.Q.PS.REQ
mep=oneway
connCnt=1
sessCnt=1
numMsgs=1
connInterval=10
msgInterval=10
deliveryMode=1
priority=1
expiration=1
keystore=/path/keystore/m36797q.jks
password=a$tilBe2Flower
alias=m36797q
Do you know what the issue could be?
Can you confirm if you have FIPS enabled on either the server or the client? It's possible you are getting the error because the ciphersuite SSL_RSA_WITH_NULL_MD5 is not supported in FIPS mode. Are you seeing any AMQ errors in your QMGR error logs?
Also, let us know the MQ version you are using.
I have been trying to configure a simple pass-through proxy using WSO2 ESB, which points to a REST service on an https port.
I tried doing the same on my development machine (Windows 7) and it was successful.
But when I try repeating the same on the production server, on RHEL, I get a "The system cannot infer the transport information" error in the system log.
Things Tried
Created a pass-through proxy service pointing to https://some.domain.in/something/something.
Tried CURL to https://some.domain.in/something/something and it shows the response properly.
Imported the certificate from the site to client-truststore.jks. The same was done locally and it worked.
In axis2.xml, edited <parameter name="HostnameVerifier">AllowAll</parameter> under the https transporter.
Error Message
When I clicked on test in the configuration console, I got the following message: Invalid address
CURL to the proxy service URL gave an empty response
Checked the system logs and saw the below logs
Am I missing something?
I could see the following messages in the wso2-error-logs:
ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O error: handshake alert: unrecognized_name
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
Then I realised that I was using Java 1.6 locally but 1.7 in production.
And in Java 1.7 there are some changes in SSL handling:
The JDK 7 release supports the Server Name Indication (SNI) extension in the JSSE client. SNI, described in RFC 4366 enables TLS clients to connect to virtual servers.
In order to bypass this, I added JAVA_OPTS="-Djsse.enableSNIExtension=false" in wso2server.sh and restarted.
This solved my problem.
Not sure if this is the correct way though.
This url helped me finally
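Two of the errors on this page, the beeline "Unrecognized SSL message, plaintext connection?" at the top and the WSO2 "handshake alert: unrecognized_name" above, both come down to what the server sends back first after the client's TLS hello. The following added example (not from any of the posters) classifies those first bytes; the sample byte strings and the `classify_reply` name are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS alert descriptions, including the one quoted on this page.
ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}


def classify_reply(data):
    """Classify the first bytes a server returns after a TLS ClientHello.

    Returns a dict whose 'kind' is 'tls', 'plaintext' or 'empty'.
    """
    if not data:
        return {"kind": "empty"}  # peer closed or sent nothing
    if len(data) >= 5:
        # TLS record header: content type, version (major, minor), length.
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
            result = {"kind": "tls", "record": CONTENT_TYPES[ctype]}
            body = data[5:5 + length]
            if ctype == 21 and len(body) >= 2:  # alert: level, description
                result["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
                result["alert"] = ALERTS.get(body[1], str(body[1]))
            return result
    # Not a TLS record: the port answered in the clear (wrong port, or
    # TLS is not enabled on that listener).
    first_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    return {"kind": "plaintext", "first_line": first_line}


# Constructed samples, not captured traffic.
PLAINTEXT_HTTP = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
SNI_WARNING = bytes.fromhex("15030300020170")        # alert: warning, code 112
SERVER_HELLO_START = bytes.fromhex("160303004a02000046")

if __name__ == "__main__":
    for name, sample in [("plaintext listener", PLAINTEXT_HTTP),
                         ("SNI warning", SNI_WARNING),
                         ("normal handshake", SERVER_HELLO_START)]:
        print(f"{name}: {classify_reply(sample)}")
```

A `plaintext` result means the client's `ssl=true` setting and the listener disagree, so the port and the server's TLS configuration are what to check; an `unrecognized_name` alert at `warning` level means the server did not recognise the host name the client sent in SNI.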