Pivotal Knowledge Base

Namenode fails to start with error "jurisdiction policy files are not signed by a trusted signer"

Environment

  • PHD 1.x
  • PHD 2.x
  • Kerberos Secure HDFS
  • JAVA JDK 1.7.0.51
  • JCE 6

Symptom

2014-03-26 13:25:42,705 FATAL org.apache.hadoop.hdfs.server.namenode.NameNode: Exception in namenode join
java.io.IOException: Login failure for hdfs/hdm1.phd.local@PHD.LOCAL from keytab /etc/security/phd/keytab/hdfs.service.keytab
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:835)
        at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:283)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.loginAsNameNodeUser(NameNode.java:423)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.initialize(NameNode.java:434)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.(NameNode.java:609)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.(NameNode.java:594)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.createNameNode(NameNode.java:1169)
        at org.apache.hadoop.hdfs.server.namenode.NameNode.main(NameNode.java:1235)
Caused by: javax.security.auth.login.LoginException: java.lang.ExceptionInInitializerError
        at javax.crypto.JceSecurityManager.(JceSecurityManager.java:65)
        at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2503)
        ..skipping..
        at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism
        at javax.crypto.JceSecurity.(JceSecurity.java:86)
        ... 30 more
Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!
        at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:289)
        at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:316)
        ..skipping..
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:826)
        ... 7 more
2014-03-26 13:25:42,712 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
2014-03-26 13:25:42,720 INFO org.apache.hadoop.hdfs.server.namenode.NameNode: SHUTDOWN_MSG:

Cause

In this case, JDK 1.7.0.51 is installed on all nodes in the cluster, but the JCE local policy files from version 6 were used for AES-256 Kerberos encryption. The JCE policy files must be in sync with the JDK version.

Fix

Download the JCE jars (US_export_policy.jar and local_policy.jar) for the appropriate JDK version and upload them to the directory /usr/java/default/jre/lib/security on the cluster nodes.
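
To confirm on each node that the installed policy jars are the ones from the bundle downloaded for the installed JDK, a check like the following can be run after the upload. This is an added example, not Pivotal's own script; the function name check_jce_policy and the reference directory (where the downloaded bundle was unpacked) are assumptions.

```shell
#!/bin/sh
# Added example: compare the JCE policy jars installed in a JRE with the jars
# unpacked from the JCE bundle that matches the installed JDK version.
# The reference directory is an assumption; the jar names are the ones named
# in this article.

JCE_JARS="US_export_policy.jar local_policy.jar"

# check_jce_policy SECURITY_DIR REF_DIR
# Prints one status line per jar and returns:
#   0  both installed jars are byte-identical to the reference copies
#   1  at least one installed jar differs from its reference (out of sync)
#   2  a jar is missing from SECURITY_DIR or REF_DIR
check_jce_policy() {
    sec_dir=$1
    ref_dir=$2
    rc=0
    for jar in $JCE_JARS; do
        if [ ! -f "$ref_dir/$jar" ]; then
            echo "MISSING-REFERENCE $ref_dir/$jar"
            rc=2
        elif [ ! -f "$sec_dir/$jar" ]; then
            echo "MISSING $sec_dir/$jar"
            rc=2
        elif cmp -s "$sec_dir/$jar" "$ref_dir/$jar"; then
            echo "OK $sec_dir/$jar"
        else
            echo "MISMATCH $sec_dir/$jar"
            # Keep a "missing" result if one was already recorded.
            [ "$rc" -eq 2 ] || rc=1
        fi
    done
    return "$rc"
}

# Run the check only when both directories are given on the command line, e.g.
#   sh check_jce.sh /usr/java/default/jre/lib/security /tmp/jce-for-this-jdk
if [ "$#" -eq 2 ]; then
    check_jce_policy "$1" "$2"
fi
```

A MISMATCH line on any node means that node still carries policy jars from a different JCE release and needs the upload repeated before the NameNode is restarted.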
