ERROR: "sun.security.validator.ValidatorException: PKIX path building failed" while running Hadoop pushdown jobs from Informatica DEI
Problem Description

When pushdown jobs are run on an SSL-enabled Hadoop cluster from Informatica Data Engineering Integration (DEI), earlier known as 'Big Data Management' (BDM), job execution fails with the following error message in the logs:

 

Job Submission failed with exception 'java.io.IOException(javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)' FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.mr.MapRedTask

Cause

This issue occurs when the SSL certificate used by Hadoop cluster services such as HDFS, YARN and Hive has not been imported as a trusted certificate into the truststore file on the Informatica Server machine.

Solution

Perform the following steps when a custom 'Truststore' file is used with Informatica Services:


  1. Generate a '.cer' certificate file from the '.pem' file that corresponds to the SSL certificate of the Hadoop cluster. For information on getting the '.pem' file, refer here.

 

openssl x509 -outform der -in <cluster_ssl_pem>.pem -out <certificate_name>.cer

 

Example

openssl x509 -outform der -in ingcshdp.pem -out certificate.cer

 

  2. Once the 'certificate.cer' file is generated, transfer it to the Informatica server machine. If a multi-node Informatica setup is used, copy the certificate to all the nodes.

  3. Run the following commands to import the 'certificate.cer' certificate file into 'infa_truststore.jks' and the Java 'cacerts' file on the Informatica Server machine.

 
cd $INFA_HOME/java/jre/bin
keytool -v -import -trustcacerts -file <absolute_path_to_certificate.cer_file> -alias <certificate_alias> -keystore $INFA_HOME/services/shared/security/infa_truststore.jks
keytool -v -import -trustcacerts -file <absolute_path_to_certificate.cer_file> -alias <certificate_alias> -keystore $INFA_HOME/java/jre/lib/security/cacerts

 

Substitute the parameters in the above commands as follows:


  • '$INFA_HOME' with the absolute path of the folder where the Informatica server is installed on the Linux machine.
  • '<absolute_path_to_certificate.cer_file>' with the absolute path of the Hadoop cluster's 'certificate.cer' file, as copied to the Informatica Server machine.
  • '<certificate_alias>' with a short unique name for identifying the SSL certificate.

 

Example

    If $INFA_HOME is '/data/informatica/1022hf1' and the 'certificate.cer' file has been copied into the '/home/files' location, use the following commands:

 

cd /data/informatica/1022hf1/java/bin

keytool -v -import -trustcacerts -file /home/files/certificate.cer -alias HDP_26_Cluster -keystore /data/informatica/1022hf1/services/shared/security/infa_truststore.jks

keytool -v -import -trustcacerts -file /home/files/certificate.cer -alias HDP_26_Cluster -keystore /data/informatica/1022hf1/java/jre/lib/security/cacerts

 

  4. Once the certificates have been imported successfully, recycle the DIS used for running the mapping.

  5. Once the DIS has been recycled, re-run the mapping; it should complete successfully.
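
The following script is an added example, not part of the original Informatica article. It checks before the import that the '.cer' file from step 1 holds the same certificate as the '.pem' and is not about to expire, and confirms after step 3 that the truststore entry carries the fingerprint that was reviewed. The function names, the TS_PASS variable and the sample certificate are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks around the article's openssl/keytool steps. Function
# names, file names and the TS_PASS variable are assumptions, not Informatica's.

# SHA-256 fingerprint of a certificate file. $1 = path, $2 = pem|der
cert_sha256() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Before import: the .cer must hold the same certificate as the .pem (rc 1 if
# not) and stay valid for $3 more seconds, default 30 days (rc 2 if not).
check_before_import() {
    fp=$(cert_sha256 "$1" pem)
    [ -n "$fp" ] && [ "$fp" = "$(cert_sha256 "$2" der)" ] || return 1
    openssl x509 -in "$2" -inform der -noout -checkend "${3:-2592000}" >/dev/null || return 2
}

# Fingerprint stored under an alias. $1 = truststore, $2 = alias. The password
# is read from the TS_PASS environment variable, not from the command line.
truststore_sha256() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass:env TS_PASS |
        sed -n 's/^[[:space:]]*SHA256: //p'
}

# After import: the truststore entry must match the file that was reviewed.
check_after_import() {   # $1 = .cer file, $2 = truststore, $3 = alias
    want=$(cert_sha256 "$1" der)
    [ -n "$want" ] && [ "$want" = "$(truststore_sha256 "$2" "$3")" ]
}

# Constructed sample input: a throwaway self-signed certificate ($1 = output
# prefix, $2 = CN), converted with the article's openssl command.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null &&
    openssl x509 -outform der -in "$1.pem" -out "$1.cer"
}
```

Compare the value printed by cert_sha256 with the fingerprint supplied by the Hadoop cluster administrator before running the keytool import, since every certificate added to 'cacerts' is trusted by all Java processes that use that JRE.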

 

More Information
When the default 'infa_truststore.jks' file is used with Informatica services, it might not be possible to import the certificates directly, as the password for the 'infa_truststore.jks' file is not publicly available.

To import the SSL certificates into the default 'infa_truststore.jks' file, contact Informatica Global Customer Support with the following information:

 

  • The 'infa_truststore.jks' file from the '$INFA_HOME/services/shared/security' location.
  • The '.cer' file for the SSL certificate being imported.

 

In general, it is recommended to get the organization's truststore file from the Admin team and use it with the Informatica services. The only requirement is that it is named 'infa_truststore.jks' and placed under the '$INFA_HOME/services/shared/security' location. The password for the truststore should be specified through the 'INFA_TRUSTSTORE_PASSWORD' argument. For more information about how to create a custom Keystore and Truststore, refer to the following documents:

 

https://kb.informatica.com/h2l/HowTo%20Library/1/0700-CreateKeystoresAndTruststores-H2L.pdf

 

https://docs.informatica.com/data-engineering/shared-content-for-data-engineering/10-4-0/security-guide/domain-security/secure-communication-within-the-domain/secure-communication-for-services-and-the-service-manager/requirements-for-secure-communication-within-the-domain.html

Applies To
Product: Data Engineering Integration (Big Data Management); Data Engineering Quality (Big Data Quality); Enterprise Data Preparation; Data Engineering Streaming (Big Data Streaming)
Problem Type: Security; Connectivity; Configuration
User Type: Administrator
Project Phase: Configure; Implement; Onboard
Product Version: Informatica 10.1; Informatica 10.1.1; HotFix; Informatica 10.2; Informatica 10.2.1; Informatica 10.2.1 Service Pack 1; Informatica 10.2.2; Informatica 10.4
Last Modified Date: 3/31/2020 4:28 AM
ID: 532120