How to Log a Security Support Case

Here are some items to gather before logging a support case:
  • If possible, gather a diagnostic bundle.
  • Note specific details about the issue, including these:
    • Is this a new install, or did you upgrade a working cluster? For upgrades, identify release numbers ("trying to upgrade from Cloudera Manager 5.5.6 to Cloudera Manager 5.8.1," for example).
    • Is this a production deployment, development environment, or sandbox environment?
    • Note the severity of the impact and whether it is causing a production outage.
    • Capture error messages (screenshots, command-line capture, and so on) and attach to the case.
    • Note the commands executed and the results, captured to a file if possible.
    • Itemize all changes made to your cluster configuration after the issue arose (possibly, as attempts to resolve the issue).

In addition to the above, here are some specific security-related details:

Kerberos Issues

  • For Kerberos issues, your krb5.conf and kdc.conf files are valuable for support to be able to understand your configuration.
  • If you are having trouble with client access to the cluster, provide the output for klist -ef after kiniting as the user account on the client host in question. Additionally, confirm that your ticket is renewable by running kinit -R after successfully kiniting.
  • Specify if you are authenticating (kiniting) with a user outside of the Hadoop cluster's realm (such as Active Directory, or another MIT Kerberos realm).
  • If using AES-256 encryption, ensure you have the Unlimited Strength JCE Policy Files deployed on all cluster and client nodes.

TLS/SSL Issues

  • Specify whether you are using a private/commercial CA for your certificates, or if they are self-signed. Note that Cloudera strongly recommends against using self-signed certificates in production clusters.
  • Clarify what services you are attempting to setup TLS/SSL for in your description.
  • When troubleshooting TLS/SSL trust issues, provide the output of the following openssl command:
    openssl s_client -connect host.fqdn.name:port

LDAP Issues

  • Specify the LDAP service in use (Active Directory, OpenLDAP, one of Oracle Directory Server offerings, OpenDJ, etc)
  • Provide a screenshot of the LDAP configuration screen you are working with if you are troubleshooting setup issues.
  • Be prepared to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen.