Release Notes
Also available as:
PDF

Workaround for Ranger service check failure

(RANGER-1607: Workaround for Ranger service check failure while upgrading to HDP 2.6.1 from previous HDP versions.

[Note]Note

Only when Ranger is SSL enabled.

This issue arises when attempting to upgrade to HDP-2.6.1 from previous HDP versions through Ambari. Ambari uses a curl call to do a service check to Ranger service in Ambari. If the JDK version used by Ambari is JDK-1.7, the curl call will fail with the below error:

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The reason for this error is the tomcat version used in Ranger is Tomcat-7.0.7*. Using JDK-1.7 conflicts with default ciphers provided in Tomcat-7.0.7*.

You can resolve this issue in two ways:

  • Update the JDK used in Ambari from JDK-1.7 to JDK-1.8 (see the section Change the JDK Version in the Ambari Reference Guide).

  • If you want to continue supporting a JDK-1.7 environment:

    1. Add the property ranger.tomcat.ciphers in the ranger-admin-site section in your Ambari Ranger configuration with the below value:

      SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA

    2. If you environment is configured for Ranger-KMS, add the property ranger.tomcat.ciphers in the ranger-kms-site section in your Ambari Ranger configuration with the below value:

      SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA

[Note]Note

The noted values are working examples and may not be indicative of your environment. Ensure that the way you set these properties matches how your environment is configured.