Hortonworks Data Platform for HDInsight
Also available as:
PDF

Documentation Errata

The following section contains late additions or corrections to the product documentation.

Workaround for Ranger service check failure

(RANGER-1607: Workaround for Ranger service check failure while upgrading to HDP 2.6.2 from previous HDP versions.

Note
Note
Only when Ranger is SSL enabled.

This issue arises when attempting to upgrade to HDP-2.6.1 from previous HDP versions through Ambari. Ambari uses a curl call to do a service check to Ranger service in Ambari. If the JDK version used by Ambari is JDK-1.7, the curl call will fail with the below error:

curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The reason for this error is the tomcat version used in Ranger is Tomcat-7.0.7*. Using JDK-1.7 conflicts with default ciphers provided in Tomcat-7.0.7*.

You can resolve this issue in two ways:

  • Update the JDK used in Ambari from JDK-1.7 to JDK-1.8 (see the section Change the JDK Version in the Ambari Reference Guide).

  • If you want to continue supporting a JDK-1.7 environment:

    1. Add the property ranger.tomcat.ciphers in the ranger-admin-site section in your Ambari Ranger configuration with the below value:

      SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA

    2. If you environment is configured for Ranger-KMS, add the property ranger.tomcat.ciphers in the ranger-kms-site section in your Ambari Ranger configuration with the below value:

      SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA

Note
Note
The noted values are working examples and may not be indicative of your environment. Ensure that the way you set these properties matches how your environment is configured.