Logging a Security Support Case
Before you log a support case, ensure you have either part or all of the following information to help Support investigate your case:
For security-specific issues, continue reading:
Kerberos Issues
- For Kerberos issues, your krb5.conf and kdc.conf files are valuable for support to be able to understand your configuration.
- If you are having trouble with client access to the cluster, provide the output for klist -ef after kiniting as the user account on the client host in question. Additionally, confirm that your ticket is renewable by running kinit -R after successfully kiniting.
- Specify if you are authenticating (kiniting) with a user outside of the Hadoop cluster's realm (such as Active Directory, or another MIT Kerberos realm).
- If using AES-256 encryption, ensure you have the Unlimited Strength JCE Policy Files deployed on all cluster and client nodes.
SSL/TLS Issues
- Specify whether you are using a private/commercial CA for your certificates, or if they are self-signed. Note that Cloudera strongly recommends against using self-signed certificates in production clusters.
- Clarify what services you are attempting to setup SSL/TLS for in your description.
- When troubleshooting SSL/TLS trust issues, provide the output of the following openssl command:
openssl s_client -connect host.fqdn.name:port
LDAP Issues
- Specify the LDAP service in use (Active Directory, OpenLDAP, one of Oracle Directory Server offerings, OpenDJ, etc)
- Provide a screenshot of the LDAP configuration screen you are working with if you are troubleshooting setup issues.
- Be prepared to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen.