topic SSLHandshakeException in tRestClient in Talend Studio

SSLHandshakeException in tRestClient

Anonymous — Mon, 20 Mar 2017 09:11:23 GMT

Hi. I have been trying to get tRestClient to work with our corporate API (which I have got working with postman - so I know it works the expected way). I have a tSetKeyStore connected to tRestClient on SubJob OK, then a tLogRow connected to that as Main so I can see what happens. What happens is that I get SSLHandshakeException. I have dredged the web for info on this and talked to our API developers and the only thing I can point to is that the tSetKeyStore isn't passing the correct certificate info. I have the certificate for the API domain in cacerts and have input the correct password. The API does not expect client authentication so I have not supplied by own certificate (although I tried that too and it still failed). The errors I get are quite lengthy, but the first chunk is pasted below (API domain changed to "mydomain" for privacy).
I am running TOS for DI version 6.1.1, Java 1.8.0_91.
Can someone please advise? Is there perhaps a JVM argument I can supply which will override whatever is stopping this?
Thanks, Charlie
connecting to socket on port 3767
connected
: org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for { https://api.mydomain.io/1.0/token}tRESTClient has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:649)
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1093)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:894)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:865)
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:428)
at org.apache.cxf.jaxrs.client.WebClient.get(WebClient.java:611)
at local_project.myapijob_0_1.myapijob.tRESTClient_2Process(myapijob.java:772)
at local_project.myapijob_0_1.myapijob.tSetKeystore_1Process(myapijob.java:1073)
at local_project.myapijob_0_1.myapijob.runJobInTOS(myapijob.java:1306)
at local_project.myapijob_0_1.myapijob.main(myapijob.java:1151)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://api.mydomain.io/1.0/token: Received fatal alert: handshake_failure
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1376)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1360)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:651)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
... 11 more

Re: SSLHandshakeException in tRestClient

Anonymous — Tue, 21 Mar 2017 07:28:04 GMT

Hi,
We suppose that there is something wrong with you when you add certficates in local Java KeyStore.
Could you please take a look at this document to see if it is Ok with you?
https://www.chrissearle.org/2007/10/25/Adding_self-signed_https_certificates_to_java_keystore/

Best regards
Sabrina

Re: SSLHandshakeException in tRestClient

Anonymous — Tue, 21 Mar 2017 09:14:10 GMT

Thanks for the reply Sabrina. There probably is something wrong with me but I don't think it's the certificates. I have added the certificate for the api domain into cacerts and put that in the tSetKeyStore as the TrustStore file. To make sure it is in cacerts, I ran keytool -list on cacerts and it confirmed that it is a trsutedCertEntry with valid to and from dates. The api does not require me to supply my certificate so it can authorise me, but I have tried that anyway (as KeyStore file in tSetKeyStore) an it made no difference.
Interestingly, if I run it in java debug mode it says that there are error and asks if I want to proceed (this is of interest because there are no compile errors when I run it normally). Then if I proceed in debug mode, it eventually outputs the api response I am after. So it seems to get the required response from the API in java debug mode, but run normally it fails!

Re: SSLHandshakeException in tRestClient

Anonymous — Wed, 22 Mar 2017 08:41:27 GMT

Hi,
Are you using Jre 1.8 instead of JDK 1.8? I see that your truststore file has been saved under C:\Program Files (x86)\Java\jre1.8.0_91\lib\security\cacerts.
Best regards
Sabrina

Re: SSLHandshakeException in tRestClient

Anonymous — Wed, 22 Mar 2017 14:11:17 GMT

Yes I am Sabrina. Should it be JDK then? I will look into that. All of the Talend development so far has been with this java stack, which is JRE.