topic Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work in Talend Studio

Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sat, 16 Nov 2024 04:05:53 GMT

Hi community,

As described in the title of this topic, the two solutions described in the title of this topic don't work in my environment :

Enabling client authentication for SSL :

I tried to reproduce exactly the example given in the talend help https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/HlVXm6zYbAL14q4Lq84a1w , when i call my rest service from Chrome, Firefox, CURL or Postman after adding the client certificate it always show me "BAD CERTIFICATE", i added our certificate Authority and restarted karaf, always the same error message "BAD CERTIFICATE"

Configuring jetty for SSL :

As the first solution did not work for me, i tried the second solution by modifying the jetty.xml file and tested the one way ssl for example as described here : https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/xWGGon_HvMs8tUG8RhStDQ , after restarting karaf i'm not able to call the rest service.

here is my talend rest service used for the tests :

My first try by modifying the org.ops4j.pax.web.cfg and restarting karaf:

My second try by modifying the jetty.xml file and adding my connector and restarting karaf:

Any answer, suggestion would be very appreciated.

Thank you in advance.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Thu, 21 Nov 2019 23:18:02 GMT

How are you creating your certificates and keystores? This is usually a cause of this sort of issue. You will also need to make sure that your trusted certificate is configured in your browser. This link should help you https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/YS2qpyciSmqGw1eFT08J1Q

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sat, 23 Nov 2019 11:08:00 GMT

Hi,

Thank you for your answer and the link.

Iam using this link for settings and trying to reproduce exactly the same examples given, however, it doesn't work (iam using keytool and generting exactly the same certificates given in this link).

I tried to do this in 2 computers with TOS for esb 7.1.2 (OS : Windows10, Antivirus : Nod32 disabled and firewall also).

Thank you for your help

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sun, 24 Nov 2019 22:22:37 GMT

Are you creating your certificate from scratch or trying to use one issued by a certification authority (like GoDaddy.com)? Certificates are a nightmare to work with and configure. I know that this does work, bit it might be you are leaving out some information

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sun, 24 Nov 2019 23:03:12 GMT

Iam creating my certificate from scratch exactly as follow (if this example works, il wil use the certificate authority later) :

Enabling client authentication for SSL

To exchange certificates and allow only "trusted" clients to use the Talend Runtime Container HTTP service, you need to follow the following instructions.

Enable the HTTP client auth support in the Karaf-based Talend Runtime Container.
When you install the HTTP feature, the container leverages Pax-Web to provide HTTP OSGi service:
```
karaf@trun> feature:install http
```
Add a customfile with the following content:

To see the whole post, download it here
OriginalPost.pdf

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Mon, 25 Nov 2019 11:09:30 GMT

I noticed a couple of mistakes in this documentation or in your copying of them.

Two keystores are created using these commands....

keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks

You then used these commands to export your client certificate and import it into the server keystore...

keytool -export -rfc -keystore clientKeystore.jks -storepass password -alias clientkey -file client.cer
keytool -import -trustcacerts -keystore keystore.jdk -storepass password -alias clientkey -file client.cer

The clientKeystore.jks should be client.jks and keystore.jdk looks like a typing error with jdk instead of jks.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Mon, 25 Nov 2019 17:53:29 GMT

Hi,

Yes there is a couple of mistakes in talend documentation and i corrected it before setting my environment but alway the same error :

Here is the import of my certificate (with success) in google chrome for example :

And the error :

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Mon, 25 Nov 2019 23:58:53 GMT

Sorry about the delay in getting back to you. I have installed the runtime and have been trying this out myself. It appears that either something in the product has changed, requiring an update to the documentation, or something has broken. I know that this has worked prior to v7.1 as I used it on several projects with v6. I have therefore raised this as a bug. I am not sure how long it will take to get a response, but I know the team who will be looking at this first, so will try and make sure it is elevated in their list of priorities.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Tue, 26 Nov 2019 09:24:19 GMT

Hi,

Thank you so much for your feedback and reactivity.

If it is possible, what is the version (6.x) you used in your projects and works well ? may be i can use it for the moment and back to latest version after the bug fix or the documentation will be updated.

regards

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Tue, 26 Nov 2019 11:12:35 GMT

I believe the last version I used this successfully with was v6.2. However, I am unsure about what is preventing this from working. I am suspicious as to whether there is something requiring a certificate authority now, which wasn't a requirement in the past. The error I was getting when I tried this was not descriptive enough for me to definitely point to this, but it certainly didn't rule it out. I'll carry on looking into this and if I find something, get back to you.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Tue, 26 Nov 2019 11:38:19 GMT

Ok and thank you in advance.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Tue, 26 Nov 2019 11:38:43 GMT

OK and thank you in advance.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Wed, 27 Nov 2019 17:58:47 GMT

I think I have found you issue. Sorry, French is not a language I read well. The error I believe you are seeing is because it is a self-signed certificate. You will always get this error unless your certificate is signed by a trusted authority. It's not actually an error, more of a warning.

If you click on the "Continnuer vers le site localhost (dangereux)" link, it will take you to the runtime. Once you get an authorized certificate, you won't see this.

In the meantime, I have found another issue which I believe affects Macs. I've tested this on Ubuntu and Windows and it works fine....with the warning you are seeing.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Thu, 28 Nov 2019 16:22:43 GMT

Hi,

Are you using this parameter in your org.ops4j.pax.web.cfg file : org.ops4j.pax.web.ssl.clientauthneeded=true ?

If i don't use this parameter, i have the same result as you and i can click on the "Continuer vers le site localhost (dangereux)" link and it will take me to the runtime. (already tested) but iin this case we don't force client to be trusted and he can access to the runtime without the certificate.

If i use the org.ops4j.pax.web.ssl.clientauthneeded=true (so force the client to be trusted) and click on the "Continuer vers le site localhost (dangereux)" , iam not able to access to the runtime.

Here is the first response when i call the runtime console :

And when i click on "Continuer vers le site localhost (dangereux)" :

The text in the last image means :

Localhost did not accept your certificate of connection, or you did not provide it.

Try to contact the system administrator.

ERR_BAD_SSL_AUTH_CERT.

Regards

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Thu, 28 Nov 2019 21:09:33 GMT

Yes, I am using that parameter.

My parameters look like below....

org.osgi.service.http.port=8042

org.osgi.service.http.port.secure=8443
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
#org.ops4j.pax.web.config.file=${karaf.base}/etc/jetty.xml

Can you delete all of the certificates you have configured (for this) in Firefox, try loading the page again (which should fail....note the precise message) and then add your certificate to Firefox again. Then try loading the page. If there is an error it should be a different error to the very last error you received.

I actually installed exactly the same version as you and was able to get this working first time. I used these instructions http://blog.nanthrax.net/?p=316 and copied and pasted the commands to ensure I got it correct. These instructions are from the creator of Apache Karaf.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Fri, 29 Nov 2019 19:42:10 GMT

Hi @Nabilos31, were you able to get this sorted?

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Fri, 29 Nov 2019 20:18:49 GMT

Hi,

Unfortunatly, iam not able to get this sorted, i have this error in firefox when i click on "Continue" :

May be a bug in my chrome and firefox version ... i tried many manupulations without success (purge the ssl cache, delete certificte and insert it again, check the system date, create the keystore.jks and client.jks from scatch and restarting karf... etc).

Iam downloading windows server 2012 sharewere version, i will install it on virtual machine install TOS inside and do some tests (hope it works).

Regards

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sat, 30 Nov 2019 00:44:18 GMT

Can I just confirm you are using the v7.1 ESB TOS edition? If so, I know that this does work. If you are using the v7.3M3, there is a problem with this.

I installed v7.1 ESB TOS on a Mac and an Ubuntu machine and was able to set these up so each machine could log on to the other machine's v7.1 Runtime Webconsole. The first time I tried this, I was working with v7.3M3 and it did not work. I have raised a bug regarding this. Thankfully, v7.3M3 is a pre-release version.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Sat, 30 Nov 2019 13:30:22 GMT

Hi @rhall ,

Iam using the v7.2.1 TOS edition and i think that there is something broken in this version because i dwnloaded the the 7.0.1 and it works perfectly ! like a charm ! ( both org.ops4j.pax.web.cfg and jetty.xml work !).

Special thank to you for your help during my issues.

Should i set this topic to resolved ? (even if my TOS esb 7.2.1 doesn't work as expected)

Regards.

Re: Enabling client authentication for SSL and Configuring jetty for SSL don't work

Anonymous — Mon, 02 Dec 2019 08:44:12 GMT

Let me take a look at v7.2.1. I need to check this out