Logging a Security Support Case

Before you log a support case, ensure you have either part or all of the following information to help Support investigate your case:

For security-specific issues, continue reading:

Kerberos Issues

  • For Kerberos issues, your krb5.conf and kdc.conf files are valuable for support to be able to understand your configuration.
  • If you are having trouble with client access to the cluster, provide the output for klist -ef after kiniting as the user account on the client host in question. Additionally, confirm that your ticket is renewable by running kinit -R after successfully kiniting.
  • Specify if you are authenticating (kiniting) with a user outside of the Hadoop cluster's realm (such as Active Directory, or another MIT Kerberos realm).
  • If using AES-256 encryption, ensure you have the Unlimited Strength JCE Policy Files deployed on all cluster and client nodes.

TLS/SSL Issues

  • Specify whether you are using a private/commercial CA for your certificates, or if they are self-signed. Note that Cloudera strongly recommends against using self-signed certificates in production clusters.
  • Clarify what services you are attempting to setup TLS/SSL for in your description.
  • When troubleshooting TLS/SSL trust issues, provide the output of the following openssl command:
    openssl s_client -connect host.fqdn.name:port

LDAP Issues

  • Specify the LDAP service in use (Active Directory, OpenLDAP, one of Oracle Directory Server offerings, OpenDJ, etc)
  • Provide a screenshot of the LDAP configuration screen you are working with if you are troubleshooting setup issues.
  • Be prepared to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen.