How to Log a Security Support Case
Here are some items to gather before logging a support case:
- If possible, gather a diagnostic bundle.
- Note specific details about the issue, including these:
- Is this a new install, or did you upgrade a working cluster? For upgrades, identify release numbers ("trying to upgrade from Cloudera Manager 5.5.6 to Cloudera Manager 5.8.1," for example).
- Is this a production deployment, development environment, or sandbox environment?
- Note the severity of the impact and whether it is causing a production outage.
- Capture error messages (screenshots, command-line capture, and so on) and attach to the case.
- Note the commands executed and the results, captured to a file if possible.
- Itemize all changes made to your cluster configuration after the issue arose (possibly, as attempts to resolve the issue).
In addition to the above, here are some specific security-related details:
Kerberos Issues
- For Kerberos issues, your krb5.conf and kdc.conf files are valuable for support to be able to understand your configuration.
- If you are having trouble with client access to the cluster, provide the output for klist -ef after kiniting as the user account on the client host in question. Additionally, confirm that your ticket is renewable by running kinit -R after successfully kiniting.
- Specify if you are authenticating (kiniting) with a user outside of the Hadoop cluster's realm (such as Active Directory, or another MIT Kerberos realm).
- If using AES-256 encryption, ensure you have the Unlimited Strength JCE Policy Files deployed on all cluster and client nodes.
TLS/SSL Issues
- Specify whether you are using a private/commercial CA for your certificates, or if they are self-signed. Note that Cloudera strongly recommends against using self-signed certificates in production clusters.
- Clarify what services you are attempting to setup TLS/SSL for in your description.
- When troubleshooting TLS/SSL trust issues, provide the output of the following openssl command:
openssl s_client -connect host.fqdn.name:port
LDAP Issues
- Specify the LDAP service in use (Active Directory, OpenLDAP, one of Oracle Directory Server offerings, OpenDJ, etc)
- Provide a screenshot of the LDAP configuration screen you are working with if you are troubleshooting setup issues.
- Be prepared to troubleshoot using the ldapsearch command (requires the openldap-clients package) on the host where LDAP authentication or authorization issues are being seen.