topic Re: call the secure service using cHttp component in Talend Studio

call the secure service using cHttp component

user19 — Fri, 15 Nov 2024 23:10:37 GMT

Hello,

I am trying to call a secure (Https) backend using cHttp component in a route. but When I send a call I got following error.

Error 500 org.apache.cxf.interceptor.Fault: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target while invoking public abstract java.lang.Object

I tried https://help.talend.com/r/NUuq0nJiWNDq5Yi0HIGnzw/JgJYEYfycI59q9PCxukDHQ but it didn't work.

how can I call the Https? Any help would be appreciated.

Re: call the secure service using cHttp component

Anonymous — Fri, 25 Feb 2022 14:38:11 GMT

OK, I believe that this is due to you not having the correct certificates configured in a keystore for the server you are trying to access. Your web browser will do this for you when you access an https site. But we have to do this manually. This process is explained here.....

https://help.talend.com/r/hXruAwZmhJU0BQ2h3iGBiA/DbpuITII8XRTBPM1nfmC8A

....but it then tells you how to use it with a service in a Talend job. You want to use it with a route. I believe the best way to attempt this is to set up a local runtime on your machine and test the route through that. You can configure the keystore with the runtime like this.....

https://help.talend.com/r/tez87K9J65Ah64Rult_SAQ/peRqMypwHzLvNuiqzCugzg

.....then you can run your route through the runtime. However, this will not give you the best debugging experience. But you will need to have this config in your production runtime.

To test in the Studio, go to preferences and you can set up a keystore for testing here....

I haven't done this in a long while, so I can't guarantee that this will work for you OR that this is your problem. I believe it is your problem and this is the first thing I would attempt to sort it.

I'd be interested to hear if this works for you.

Re: call the secure service using cHttp component

Anonymous — Fri, 25 Feb 2022 14:40:47 GMT

Sorry, I see I pointed you back to the same link you provided and said it didn't work. I presume that you compiled your route and added it to the runtime to test this? If not, that is what you need to do. Also, try out the Studio preferences method I posted. After you have created your keystore, that is quickest way to test this in the Studio.

Re: call the secure service using cHttp component

user19 — Mon, 28 Feb 2022 11:22:08 GMT

Thank you for your replv. I tested the given links but error persist. Here I am having few question regarding the https://help.talend.com/r/hXruAwZmhJU0BQ2h3iGBiA/DbpuITII8XRTBPM1nfmC8A

tlsClientParameters.trustManager.keystore.file is an issuer certificate which is a .cer file (just a x.509 certificate) which is validating client certificate and have no private key. "tlsClientParameters.keyManager.keystore.file" is certificate which client provides us to access the webservice and is in .pfx format. Then why there is " "tlsClientParameters.trustManagers.keyPassword " when there is no private key of trustManager.
for url = https:// do we have to provide the complete URL of the service? like I have Https://prod-server/atp/api/login so I just need prod-server.* or need to enter the complete url
I am using talend 7.3 and by default i have "tlsClientParameters.cipherSuitesFilter.include = .*_WITH_AES_.* " but in doc it is different do I need to change it?

Please if you can clear these points.

Re: call the secure service using cHttp component

user19 — Mon, 28 Feb 2022 12:02:18 GMT

I build it and pplaces the .kar file in production runtime deployed folder. I did not add keystore component in studio as I am not testing it in the studio directly.

Re: call the secure service using cHttp component

Anonymous — Mon, 28 Feb 2022 12:09:51 GMT

OK, dealing with certificates in Java can be really quite tricky. In fact, it is my opinion that the strength of many standard security mechanisms across all domains is largely aided by the complexity of configuring them. Even if you have the right to access many, it is still hard. I have been through this a number of times.

First of all, did you add our .cer file to a keystore? If not, this must be done. You can find instructions on doing this here...

https://help.talend.com/r/en-US/8.0/access-secure-services-with-studio-and-runtime/accessing-secure-services-using-talend-studio-and-talend-runtime

Look for the section with the title "Converting SSL certificates to Java KeyStore". If you have already done this, sorry for mentioning it again. But this is important. You talk about a .cer file in relation to the tlsClientParameters.trustManager.keystore.file. This will be a keystore file which is a jks file that you create by doing the above.

More detail about the http-conduit file can be found here....

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/http-conduit-osgi-configuration-parameters

Your url question is covered there.

For the tlsClientParameters.cipherSuitesFilter.include value, I would leave it as the default for now.

If this doesn't get you any further, I would recommend raising a support call. This isn't a problem with Talend as such, more the complexity of the Java certificate handling. Once it is working, it is practically bullet proof, but getting it configured correctly can be a bit of a nightmare.

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/osgi-configuration-files

Re: call the secure service using cHttp component

user19 — Mon, 28 Feb 2022 13:41:08 GMT

now I followed all steps as mentioned in doc but still same error. my point was "tlsClientParameters.trustManagers.keyPassword" should be private key password and in doc storepass is password of truststore password. or do I understood wrong? because for tlsClientParameters.keyManagers.keyPassword I am entering password of private key. is it wrong?

secondly when I tried to add preferences in studio i got error ""Failed to load the SSL configuration!" Is it because I don't have tsetkeytore component or is it some other issue.

Re: call the secure service using cHttp component

Anonymous — Mon, 28 Feb 2022 14:29:46 GMT

Take a look at this page.....

https://cxf.apache.org/docs/tls-configuration.html

This explains all about the Apache Karaf configuration requirements for certificates.

The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication. So if you are exposing a web service using HTTPS OR if the service you are calling requires Client Authentication. From what you have said, I don't think this is needed.

The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients. I think this is what you need to focus on here.

The password fields you speak of are for the password of your keystore, they are nothing to do with the certificates.

Re: call the secure service using cHttp component

user19 — Tue, 01 Mar 2022 10:22:03 GMT

Thankyou for your detailed ans and time. This time I tried to add some non existing keystores and wrong passwords. but it is throwing same error and in log files there is no info that keystore doesnot exist or passwords are wrong. Maybe it is not picking counduit-common file at all. Is there any way to check that if it is picking the file ?

Re: call the secure service using cHttp component

Anonymous — Tue, 01 Mar 2022 14:07:19 GMT

Whereabouts is your keystore located on your machine with the Karaf running and how have you pointed to it in the conduit-common file?

Re: call the secure service using cHttp component

user19 — Tue, 01 Mar 2022 14:54:18 GMT

they are stored in etc\keystore lets say C:\Talend\esb\container\etc\keystores\truststore.jks and in conduit I configured it as

tlsClientParameters.trustManagers.keyStore.file = ./etc/keystores/truststore.jks

Re: call the secure service using cHttp component

Anonymous — Tue, 01 Mar 2022 16:16:46 GMT

Sorry about the delay in getting back to you. I've been trying a few things out. I don't suppose you are using a public service that I could attempt to test against are you?

In the meantime, can you try adding .....

${karaf.etc}/keystores/truststore.jks

....as your truststore path?

Also, can you show me the full file (removing passwords or any sensitive data)? I need to see as close to exactly what you are working with.

Re: call the secure service using cHttp component

user19 — Wed, 02 Mar 2022 08:53:10 GMT

@Richard Hall ok. so I design a route in studio as shown in first screenshot. Then i build the root and put the .kar file in deploy folder to test it. I followed the given link by skipping the step where they tsetkeystore component in studio. I put my keystores in etc/keystore and directly changed the conduit file as followed.restart the runtime and call the service in SOAP UI

it throws following error

Re: call the secure service using cHttp component

Anonymous — Wed, 02 Mar 2022 11:59:32 GMT

From what you have said, all you should need is this......

url = https://test_endpoint.*

tlsClientParameters.disableCNCheck = true

tlsClientParameters.trustManagers.keyStore.type = JKS

tlsClientParameters.trustManagers.keyStore.password = keystorepassword

tlsClientParameters.trustManagers.keyStore.file = ${karaf.etc}/keystores/truststore.jks

There should be no need for a trustManagers.keyPassword here.

What does the service provider's API documentation say about the certificates? Did you get the certificate and add it to your keystore in the way described in the documentation I provided or did you do it in a different way?

Can you test your truststore.jks file in the Studio as I showed in my first post. This is just to see whether the truststore.jks is configured correctly.

Re: call the secure service using cHttp component

user19 — Wed, 02 Mar 2022 12:39:02 GMT

@Richard Hall so do you mean even I don't need keyManagers?

before I ceated the keystores with keyexplorer tool but later I recreate them according to documentation.

yes I tested the truststore instudio if I just add the truststore then it is fine but if I add the keystore then it gives error

Re: call the secure service using cHttp component

Anonymous — Wed, 02 Mar 2022 15:27:04 GMT

Have you tested the service in Studio with just the truststore? That is what I wanted to see. However, the failure here when you add the keystore is interesting. Test the service in Studio with just the truststore. If that works, then hash the keystore lines out of the conduits file and test in the runtime.

This suggests that there is something wrong with your keystore....but I don't believe you need that for this.

Re: call the secure service using cHttp component

user19 — Fri, 04 Mar 2022 08:45:26 GMT

@Richard Hall here the issue is that I can't directly test it in studio. I always got error that certificate is required even though I am using certificate. But I test it with just trust certificate in runtime and have same error.

Re: call the secure service using cHttp component

Anonymous — Fri, 04 Mar 2022 12:43:17 GMT

Where did you get the certificate from? Did you get it by following the documentation I sent you. For example, by loading the site via a web browser and then taking the certificate from there? Or were you given the certificate? If you were given the certificate, you need to speak to the person who gave it to you to ask why this is causing issues.

Unless I have access to the service, I cannot help here I am afraid. It is impossible for me to work through this unless I can try it out myself.