Unable to load CA certificates while connecting with Tableau using an AtScale-generated .tds file

Symptom

When connecting with Tableau using an AtScale-generated .tds file, the connection fails with the following error message:

Error “[Cloudera][DriverSupport] (1140) Unable to load CA certificates from certs file location” connecting to Cloudera Hadoop Hive

Unable to load CA certificates while connecting with Tableau using an AtScale-generated .tds file.png

Root Cause

When the AtScale system setting, tableau.odbcConnectStringExtra.useSystemTrustStore.enabled, is set to true, AtScale creates Tableau .tds files with the connection parameter UseSystemTrustStore=1. This value instructs the Cloudera driver to search for TLS certificates in the system trust store. On a Windows system, this is correct.  However, certificates are expected on Linux or Mac systems in a driver-specific location (e.g., /opt/cloudera/impalaodbc/lib/64/cacerts.pem).

Resolution

In the AtScale interface, navigate to SettingsEngine, and SHOW CUSTOM SETTINGS. Set the AtScale system setting, tableau.odbcConnectStringExtra.useSystemTrustStore.enabled, to the default value, false.

  • SETTING NAME: tableau.odbcConnectStringExtra.useSystemTrustStore.enabled
  • SETTING VALUE: false

Unable to load CA certificates while connecting with Tableau using an AtScale-generated .tds file2.png

This will omit the parameter, UseSystemTrustStore, from future .tds files generated by AtScale. Once removed, Cloudera Windows, Mac, and Linux system drivers will search only driver-specific locations for certificates.

Driver Locations

  • Windows: C:\Program Files\Cloudera ODBC Driver for Apache Hive\lib\cacerts.pem
  • macOS: /opt/cloudera/hiveodbc/lib/universal/cacerts.pem
  • Linux default location(s) depending on the bit version installed:
  • /opt/cloudera/hiveodbc/lib/64/cacerts.pem
  • /opt/cloudera/hiveodbc/lib/32/cacerts.pem
  • /opt/cloudera/hiveodbc/lib/universal/cacerts.pem

Reference

AtScale certificates can be installed by backing up cacerts.pem and then appending the full AtScale certificate chain (e.g., root CA, all intermediate CAs, and leaf certificates) to the existing cacerts.pem file.

  • cp -p cacerts.pem cacerts.pem.bak
  • cat atscalecert-root.pem >> cacerts.pem
  • cat atscalecert-inter.pem >> cacerts.pem
  • cat atscalecert-leaf.pem >> cacerts.pem

Was this article helpful?

0 out of 0 found this helpful