Symptom
When connecting with Tableau using an AtScale-generated .tds file, the connection fails with the following error message:
Error “[Cloudera][DriverSupport] (1140) Unable to load CA certificates from certs file location” connecting to Cloudera Hadoop Hive
Root Cause
When the AtScale system setting, tableau.odbcConnectStringExtra.useSystemTrustStore.enabled, is set to true, AtScale creates Tableau .tds files with the connection parameter UseSystemTrustStore=1. This value instructs the Cloudera driver to search for TLS certificates in the system trust store. On a Windows system, this is correct. However, certificates are expected on Linux or Mac systems in a driver-specific location (e.g., /opt/cloudera/impalaodbc/lib/64/cacerts.pem).
Resolution
In the AtScale interface, navigate to Settings, Engine, and SHOW CUSTOM SETTINGS. Set the AtScale system setting, tableau.odbcConnectStringExtra.useSystemTrustStore.enabled, to the default value, false.
- SETTING NAME: tableau.odbcConnectStringExtra.useSystemTrustStore.enabled
- SETTING VALUE: false
This will omit the parameter, UseSystemTrustStore, from future .tds files generated by AtScale. Once removed, Cloudera Windows, Mac, and Linux system drivers will search only driver-specific locations for certificates.
Driver Locations
- Windows: C:\Program Files\Cloudera ODBC Driver for Apache Hive\lib\cacerts.pem
- macOS: /opt/cloudera/hiveodbc/lib/universal/cacerts.pem
- Linux default location(s) depending on the bit version installed:
- /opt/cloudera/hiveodbc/lib/64/cacerts.pem
- /opt/cloudera/hiveodbc/lib/32/cacerts.pem
- /opt/cloudera/hiveodbc/lib/universal/cacerts.pem
Reference
AtScale certificates can be installed by backing up cacerts.pem and then appending the full AtScale certificate chain (e.g., root CA, all intermediate CAs, and leaf certificates) to the existing cacerts.pem file.
- cp -p cacerts.pem cacerts.pem.bak
- cat atscalecert-root.pem >> cacerts.pem
- cat atscalecert-inter.pem >> cacerts.pem
- cat atscalecert-leaf.pem >> cacerts.pem