Logging a Security Support Case
Before you log a support case, make sure you have some or all of the following information to help Support investigate your case:
- If possible, provide a diagnostic data bundle following the instructions in Collecting and Sending Diagnostic Data to Cloudera.
- Provide details about the issue such as what was observed and what the impact was.
- Provide any error messages that were seen, using a screen capture if necessary, and attach them to the case.
- If you were running a command or performing a series of steps, provide the commands and the results, captured to a file if possible.
- Specify whether the issue took place in a new install or a previously-working cluster.
- Mention any configuration changes made in the follow-up to the issue being seen.
- Specify the type of release environment the issue is taking place in, such as sandbox, development, or production.
- Specify the severity of the impact and whether it is causing an outage.
For security-specific issues, continue reading:
Kerberos Issues
- For Kerberos issues, your krb5.conf and kdc.conf files help Support understand your configuration.
- If you are having trouble with client access to the cluster, provide the output of klist -ef after kiniting as the user account on the client host in question. Additionally, confirm that your ticket is renewable by running kinit -R after successfully kiniting.
- Specify if you are authenticating (kiniting) with a user outside of the Hadoop cluster's realm (such as Active Directory, or another MIT Kerberos realm).
- If using AES-256 encryption, ensure you have the Unlimited Strength JCE Policy Files deployed on all cluster and client nodes.
SSL/TLS Issues
- Specify whether you are using a private/commercial CA for your certificates, or if they are self-signed.
- In your description, clarify which services you are attempting to set up SSL/TLS for.
- When troubleshooting SSL/TLS trust issues, provide the output of the following openssl command:
openssl s_client -connect host.fqdn.name:port
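The following shell functions are an added example, not part of the Cloudera documentation: they save the s_client transcript to a file for the case and summarize the two points asked for above, whether the leaf certificate is self-signed and what the verify result was. The function names are hypothetical, -showcerts is an addition to the command shown on this page, and the sample transcript is constructed.

```shell
#!/bin/sh
# Added example, not Cloudera tooling. Function names are hypothetical.

# capture_tls HOST PORT OUTFILE: save the s_client transcript for the case.
# stdin is closed so s_client exits after the handshake instead of waiting.
capture_tls() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null >"$3" 2>&1
}

# summarize_tls [FILE]: report leaf subject/issuer, verify result, and whether
# the leaf certificate is self-signed (subject equals issuer).
summarize_tls() {
    awk '
        /^ *0 s:/ && subj == "" { sub(/^ *0 s:/, ""); subj = $0; want = 1; next }
        want && /^ *i:/         { sub(/^ *i:/, "");   iss = $0;  want = 0; next }
        /Verify return code:/   { sub(/^.*Verify return code: */, ""); rc = $0 }
        END {
            print "subject=" subj
            print "issuer=" iss
            print "verify=" (rc == "" ? "missing" : rc)
            if (subj == "")       print "leaf=unknown"
            else if (subj == iss) print "leaf=self-signed"
            else                  print "leaf=ca-issued"
        }
    ' "$@"
}

# Constructed sample transcript (trimmed), so the summary can be tried offline.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = host.fqdn.name
verify error:num=18:self-signed certificate
verify return:1
---
Certificate chain
 0 s:CN = host.fqdn.name
   i:CN = host.fqdn.name
---
SSL handshake has read 1423 bytes and written 373 bytes
    Verify return code: 18 (self-signed certificate)
---
EOF
}

sample_transcript | summarize_tls
```

Attach the full transcript file to the case; the summary only tells you which answer to give for the CA question and whether the trust failure is already visible in the handshake.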
LDAP Issues
- Specify the LDAP service in use (Active Directory, OpenLDAP, one of the Oracle Directory Server offerings, OpenDJ, etc.).
- Provide a screenshot of the LDAP configuration screen you are working with if you are troubleshooting setup issues.
- Be prepared to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen.