Configuring the Big SQL Ranger plugin for SSL: Troubleshooting Tips

Use these guidelines to troubleshoot issues when configuring the Big SQL Ranger plugin to use SSL encryption, using either self-signed certificates or public CA certificates.

The main instructions for setting up SSL for the Big SQL Ranger plugin can be found in "Configuring the Db2 Big SQL Ranger plugin for SSL using self-signed certificates" and "Configuring the Big SQL Ranger plugin for SSL using public CA certificates".

Log files

When troubleshooting problems during the process of configuring the Big SQL Ranger plugin for SSL, there are two log files to consider.

The Ranger Admin log is by default located in /var/log/ranger/admin/xa_portal.log on the Ranger Admin host.

The Big SQL Scheduler is used to access Ranger, and logs are located in $BIGSQL_DIST_VAR/logs/bigsql-sched.log on the Big SQL head host.

Error messages and probable causes

The most common reason for plugin failures in an SSL environment is that Ranger Admin cannot communicate with the plugin and fails to refresh policies. In this case, the following message is present in bigsql-sched.log:

Failed to refresh policies. Will continue to use last known version of policies.

After this message, the log file should contain more detailed errors for you to examine. These may include one of the following:

java.lang.IllegalArgumentException: SSLContext must not be null

This error usually indicates a problem with the JCEKS credential files. It is known to occur when the IBM JDK was not placed at the front of the path before generating the JCEKS files. This error can also occur when an incorrect keystore or truststore password is used to generate the JCEKS files.

The recommended user action is to regenerate the JCEKS files on the Db2 Big SQL head host and restart the Db2 Big SQL and Ranger services.

java.lang.Exception: Unauthorized access. expected [ibmm], found [ibm]

This error usually indicates that the CommonName recorded in the Ranger UI does not match the CommonName of the certificate stored in the agent keystore. To resolve the problem, verify that the values match.

java.lang.Exception: Unauthorized access - unable to get client certificate

This error may indicate that the server certificate is missing in the agent truststore. Use keytool to list the contents of the agent keystore and truststore, and then verify that all of the certificates stored within are correct.
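
The CommonName check described above can be scripted. The following is an added example, not part of the original instructions or IBM's code: it pulls the two names out of the "Unauthorized access. expected [...], found [...]" line and compares them with the certificate owners in a saved `keytool -list -v` listing. It assumes that "expected" is the CommonName recorded in the Ranger UI and "found" is the CN of the presented certificate; the function names, alias and sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example. Assumption: "expected" = CommonName recorded in the Ranger UI,
# "found" = CN of the certificate that was presented.

# Print "expected|found" from the most recent CommonName mismatch on stdin.
cn_from_log() {
  sed -n 's/.*Unauthorized access\. expected \[\([^]]*\)], found \[\([^]]*\)].*/\1|\2/p' | tail -n 1
}

# Print the CN of each "Owner:" line in `keytool -list -v` output on stdin.
cn_from_keytool() {
  sed -n 's/^Owner:.*CN=\([^,]*\).*/\1/p'
}

# $1 = copy of bigsql-sched.log
# $2 = output of: keytool -list -v -keystore <agent-keystore-path>  (placeholder path)
diagnose() {
  pair=$(cn_from_log < "$1")
  if [ -z "$pair" ]; then echo "no-cn-mismatch-logged"; return 0; fi
  expected=${pair%%|*}
  found=${pair#*|}
  if cn_from_keytool < "$2" | grep -qxF -- "$expected"; then
    # A certificate with the expected CN exists, so a different one was presented.
    echo "expected-cn-present-in-keystore expected=$expected found=$found"
  else
    # No certificate in the keystore carries the CommonName set in the Ranger UI.
    echo "ranger-ui-cn-not-in-keystore expected=$expected found=$found"
  fi
}

# Constructed sample input: two log lines from this page and a made-up listing.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/bigsql-sched.log" <<'EOF'
Failed to refresh policies. Will continue to use last known version of policies.
java.lang.Exception: Unauthorized access. expected [ibmm], found [ibm]
EOF
cat > "$tmp/keystore.txt" <<'EOF'
Alias name: sample-agent-alias
Owner: CN=ibm, OU=Example, O=Example, C=US
Issuer: CN=ibm, OU=Example, O=Example, C=US
EOF

diagnose "$tmp/bigsql-sched.log" "$tmp/keystore.txt"
```

A `ranger-ui-cn-not-in-keystore` result means the two values need to be brought into agreement, as the resolution above describes.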