Oauth2 Integration in Azure


We are trying to setup oauth2 integration with azure. We installed our certs on the Ubuntu 18.04 server using the standard method (inside the /etc/ssl/certs folder) When we try to login with azure credentials we are brought back to the login screen with this error:

Error getting user info from 8451: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any ideas ?

Hi Mr Work Voyeur

OAuth2 integration for Hopsworks is only available in the Enterprise Edition. The docs for it are available here:


We have the enterprise version and followed the instructions. Azure requires a valid cert in order for the oauth flow to work. We can tell we are using the right values for the oauth setup because we can correctly search the provider ID in Hopsworks.

As mentioned before, we always get the Java error I share in my initial post.

Hi Mr Work Voyeur,
Try adding the Root CA of Azure (‘global_root_g2’ is the name) to the glassfish trust store ‘/srv/hops/domains/domain1/config/cacerts.jks’.

The command is something like:
keytool -import -alias digicert_global_root_g2.pem -file /tmp/digicert_global_root_g2.pem -keystore /srv/hops/domains/domain1/config/cacerts.jks -storepass adminpw´

you need to download the cert to ‘/tmp/digicert_global_root_g2.pem’ first.


I am trying to attempt your suggestion but I do not know how to find the glassfish keystore password

i have tried ‘adminpw’ and ‘changeit’

@mrwatchmework, If you used the hopsworks-installer script, the installer overwrites those default passwords.

Have a look at the cluster definition (the YAML file describing the deployment which is in a directory called cluster-defns on the machine from which you ran the hopsworks-installer.sh script).
The file is called hopsworks-installation.yml and contains the following section:

    encryption_password: dfadsfasdfa___001    
      password: dfadsfadsfa___002      

The value for the hopsworks/master/password attribute is the one you are looking for.

Alternatively you can look at this file on the machine where Glassfish is running:


The section AS_ADMIN_MASTERPASSWORD= contains the master password to unlock the keystore.

Let me know if that works,



Hi Fabio,

Would you be able to show us how to configure the Hopsworks services to use a private certificate. We also need to know the correct azure oauth redirect urls.

@mrwatchmework , to configure Hopsworks web application to use a private certificate you can have a look at this script (cloud-chef/deploy2glassfish_hook.sh.erb at master · logicalclocks/cloud-chef · GitHub)

The script is used to installa certificate from Let’s Encrypt, however the commands from line 40 are generic, as long as you have the private key and certificate in PEM format.

The environment variables at the begining of the script should be templated as follow:

KEYSTOREPW= [ see previous post on how to get this ]

Before running the commands, make sure you take the backup of the files cacerts.jks and keystore.jks which you can find in /srv/hops/domains/domain1/config. In case anything goes wrong, you can always restore those by re-copying them in the config directory and restart glassfish with:

systemctl restart glassfish-domain1

That being said, Hopsworks web application runs on Payara Glassfish webserver. Payara documentation is quite good and can help you out if you have issues.

Let me know if it helps you.



Thanks for the instructions. I’m going to try this out.

Also, do you know what the oauth_redirect_uri should look like in the Hopsworks variables.

Hi Fabio,

I’ve read the script (deploy2glassfish_hook.sh.erb), could you tell me where I can find the value of SPARK_CONF_DIR? Or can I ignore this variable?

The value is /srv/hops/spark/conf

Hi Theo,

Ok, thanks a lot.

Hi @Theo and @Fabio ,
I have another question, there is a variable in the script, its name is working_domain, this variable is used by the following code. But I don’t know how to get its value, the relevant code is as follows:



# There should only be one domain name
for domain in $BASE/*; do
    if [ -d $domain ] && [[ $domain =~ .*cloud\.hopsworks\.ai ]]; then
        working_domain=$(basename $domain)


pushd $TMP
# Bundle private key and certificate
openssl pkcs12 -export -in ${working_dir}/cert.pem -inkey ${working_dir}/privkey.pem -out cert_and_key.p12 -name ${working_domain} -CAfile ${working_dir}/chain.pem -caname root -password pass:$KEYSTOREPW
# Remove existing/old certificate for the domain
keytool -delete -keystore keystore.jks -alias ${working_domain} -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

According to the above code, based on a variable BASE, the variables working_dir and working_domain are assigned a value. But I didn’t find the directory that is /etc/letsencrypt/live. So I tried to create this directory and execute the above code fragment, but I found that the value of these two variables was null.

Could you tell me how to solve this issue? Thanks a lot.


If you have a certificate you can skip the working_domain part and start from line 40 in the script by providing your own certificate.

If you don’t have a certificate, you can try getting one with certbot for example https://certbot.eff.org/

Hi Theo,
Ok, I’ve got it. Many thanks.