Troubleshooting
This section provides resolution to issues that you may encounter/face while working with the CipherTrust Intelligent Protection (CIP) solution.
DDC Scan
| Issue | Action |
|---|---|
The Enable Remediation toggle button is disabled in DDC scan configuration | 1. Open the Transparent Encryption application on the CipherTrust Manager GUI. The Clients page is displayed. 2. Under Client Name, check whether the CTE client is registered with a hostname or an IP address. 3. Open the Data Stores page (Data Discovery and Classification > Data Stores). This page shows the configured data stores. 4. Under Name, check whether the data store is added with a hostname or an IP address. 5. Make sure that both the resources (the data store and the CTE client) are configured using an IP address or a hostname. |
Scan failed in the Validating phase | To resolve this issue, make sure that: • GuardPoint status is Active. • classification_status of GuardPoint is Ready.• rekeyed_status of LDT GuardPoint is Rekeyed.• The classification profile used in the scan and CTE policy is same. • The CTE client should match the DDC data store hostname/IP address. • Both the resources (the data store and the CTE client) are configured using an IP address or a hostname. |
Scan failed with Target error | One of the possible reasons for Target error could be hostname duplication. Follow below steps to resolve hostname duplication:1. Uninstall the DDC agent (ER2) package from the CTE client. 2. Change the hostname of the CTE client. 3. Install the DDC agent (ER2) package on the CTE client. 4. Configure the DDC agent at the CTE client. 5. Create the Data Store in DDC. |
DDC scan failed in multi-node TDPjava.sql.SQLException: ERROR 726 (43M10)Inconsistent namespace mapping properties. Cannot initiate connection as SYSTEM:CATALOG is found but client does not have phoenix.schema.isNamespaceMappingEnabled enabled. | This issue occurs if you copy hbase-site.xml to either Namenode or Masternode only.To resolve this issue, copy hbase-site.xml to all the secondary nodes where the Spark services are running. |
Target path not set on the Windows CTE agent: Must be a valid Windows or Unix absolute path | Install the DDC agent (ER2) package at the CTE agent. |
DDC Configuration
| Issue | Action |
|---|---|
Invalid Livy URI path on entering the default Livy URI in Hadoop services on the CipherTrust Manager. | 1. Verify TDP configurations on the Ambari UI. 2. Refer to Knox > Advanced Topology. 3. Check for entry of the Livy Server in <services>. If the entry is not present, add the following:• <role>LIVYSERVER</role>• <url>http://<IP/hostname>:8999</url> |
Invalid HDFS folder: the folder does not exist | Make sure that HDFS folder should exist. |
TDP Service
| Issue | Action |
|---|---|
Scan failed with Error processing scan | 1. Check the Services settings on TDP.2. Access TDP using the Ambari UI. 3. Check the Spark2 configurations: • Spark2 > Configs > Advanced > Advanced livy2-conf > livy.server.csrf_protection.enabled should be false.• Spark2 > Configs > Advanced > Custom livy2-conf > livy.server.session.state-retain.sec should be 24h.• Spark2 > Configs > Advanced > Custom spark2-defaults > spark.yarn.appMasterEnv.ZK_URL_DDC should be <hostname>:2181.4. Check the HBase configurations: • HBase > Configs > Advanced > Advanced hbase-site > ZooKeeper Znode Parent should be /hbase.Refer to Configure TDP for details. |
Scan failed with Error Launching Livy job | To resolve this issue, try the following: • Check that the hbase-site.xml file is saved at /etc/spark2/<3.1.(version)>/0/.• If not, copy the hbase-site.xml file from /etc/hbase/<3.1.(version)>/0/hbase-site.xml to /etc/spark2/<3.1.(version)>/0/ to complete the scan.• Assign the desired permissions for /user in HDFS by running the command:-sudo -u hdfs hadoop fs -chmod 0777 /user |
| TDP services are not working | To resolve this issue: 1. Go to the Ambari UI. 2. In the left pane, click the three dots (...) next to the Services tab. 3. Click Start All services. 4. Review the /etc/hosts entries. Make sure that the TDP IP address and hostname are correct.Note: Reboot the CTE agent if the TDP IP address or hostname is changed. If you reboot TDP or Start/Restart All services: 1. Check that the Knox service is up. 2. Click Actions > Start Demo LDAP. |
PQS
| Issue | Action |
|---|---|
PQS_query version not resolved on the CTE agentData governance exception with the error: [schema version query failed on PQS. Error: connection::connect: http::request = failed with exception: Error resolving address] in [check_schema_version]. | This issue could be due to the CTE agent is not able to resolve the hostname of PQS server. The following steps can help to resolve this issue: 1. Make sure that the TDP IP address and hostname are correct. 2. Reboot the CTE agent if the TDP IP address or hostname is changed. Location of the hosts file: • Linux: /etc/hosts• Windows: C:\Windows\System32\drivers\etc\hosts |
PQS not configured or status is not Ready state 15: NCERRBadRequest: Bad HTTP request | Check the Ambari server UI all services should be green and working. If not, start/restart all services. |
Windows Agent
| Issue | Action |
|---|---|
| GuardPoint does not have UUID. | • Check the CTE agent installation. • Make sure that LDT on CIFS (File Header Support - FHS) capability is turned off. Note: This resolution is only applicable for local. |