topic Re: [tRestClient] How to disable server identity verification in Talend Studio

[tRestClient] How to disable server identity verification

ann-gaelle — Fri, 15 Nov 2024 22:38:13 GMT

Hi everybody,

I didn't find any post with the same issue.

I'm doing a job where I call an external API with a tRestClient. My problem is that this API need to be call with an uri begginning by "https", or it will throw an error because the communication is not secure. But, the servor of the api has a certificate expired.

On postman there isn't any problem, I just need to uncheck the "Enable SSL certificate Verification". I thought that in talend it would be the same, however, when I unchecked "Verify the server identity" (I am note sure it's the english name because I couldn't find this property in the doc 8.0 of talend ESB tRestClient). It's a parameter in the simple one, that will change the value of the variable "__CHECK_SERVER_IDENTITY__", I still got an error about the SSL Verification. Does anyone have an idea why ? And how can I really disable the ssl verification ?

Here is my log if it can help

org.apache.cxf.interceptor.Fault: Could not send Message.

at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-3.4.4.jar:3.4.4]

…

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

...

... 10 more

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]

at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]

…

... 10 more

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:263) ~[?:?]

…

... 10 more

Caused by: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144) ~[?:?]

…

... 10 more

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Jun 17 01:59:59 CEST 2022

at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277) ~[?:?]

…

... 10 more

Exception in component tRESTClient_1 (NAMEOFMYJOB)

javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:631)

at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:605)

…

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

... 7 more

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)

at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)

…

[INFO ] 14:00:32 org.apache.cxf.interceptor.LoggingInInterceptor- Inbound Message

----------------------------

ID: 1

Address: https://URIOFMYAPI

Http-Method: POST

Content-Type: application/json

Headers: {Content-Type=[application/json], Accept=[*/*], x-dw-client-id=[MYCLIENTID], Content-Length=[4270], Authorization=[Bearer TOKEN]}

--------------------------------------

at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1418)

…

... 16 more

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)

...

... 39 more

Caused by: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)

at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)

...

... 45 more

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Jun 17 01:59:59 CEST 2022

... 50 more

[statistics] disconnected

Job NAMEOFMYJOB terminé à 14:00 19/08/2022. [Code de sortie = 1]

Any help or advice will be appreciated,

Thank you for your time,

Re: [tRestClient] How to disable server identity verification

Anonymous — Mon, 22 Aug 2022 13:57:01 GMT

Do you own this API server? If so, I would recommend getting the certificate sorted. If not, is this an API you can tell us about so that we can take a look and see if we can find a workaround? It is very difficult to help with service issues when you cannot look at them yourself.

FYI I have raised a request to have the tRESTClient documentation updated with the details on the "Check Server Identity" option.

Re: [tRestClient] How to disable server identity verification

ann-gaelle — Mon, 22 Aug 2022 14:42:08 GMT

Hi @Richard Hall , thank you for your response. We don't own the API Server so we can't update the certifacte ourselves. However we did the resquest to the owner but they might not respond positively. It's the API SalesForces, and we are trying a Post SearchOrder (https://documentation.b2c.commercecloud.salesforce.com/DOC1/index.jsp?topic=%2Fcom.demandware.dochelp%2FOCAPI%2Fcurrent%2Fusage%2FShopAPIDocuments.html). Their certificate is expired since June it's what's causing the issue when we check the certificate. However I'm not sure it will help you because I can't give you the access. But I can show you what I tried under Postman vs my service, maybe it could enlight the issue.

Postman :

As you can see it works fine when you disable the ssl verification and do the request in https, I only made appear the two header I wrote myself to make it easier.

And here the configuration on Talend Studio if it can help.

I put nothing inside the Dynamic parameters. Again, sorry I can't really give you more about the issue.

The easiest workaround I thought of was to make an http request instead of https when the SSL certificate verification is enable.However, like we need to send a token to the API, it won't work.

I think a work around would be to pass over the verification certificate inside a tjava ? But before doing that I wanted to be sure that I was not doing something wrong inside my tRestClient

Thank's for the request for the documentation, it could help

Have a nice day,

Re: [tRestClient] How to disable server identity verification

Anonymous — Mon, 22 Aug 2022 15:31:09 GMT

If this is your Salesforce instance you are trying to POST into, then Salesforce will help you here. This is an important update that is needed.

Regarding the tRESTClient and the "Check Server Identity" checkbox, I believe that this should work. I think you may have highlighted a bug and I have raised this. Unfortunately I cannot test this without finding a similar example of problem with a web service with an expired certificate.

There are a couple of things to try. You can test this with the tREST component. This may need a slight change in how you post your request. There is a POST box in the component which will need to be populated with a String representation of your POST JSON/XML. Alternatively you could try writing a very basic REST POST method in Java and call that with a tJavaFlex. That should give you the control to do this.

Re: [tRestClient] How to disable server identity verification

ann-gaelle — Tue, 23 Aug 2022 07:04:16 GMT

Hi @Richard Hall,

Thanks for your answer. If my tRestClient is probably well configured, i'll mark the post as resolved.

Thank's for all the idea to try, I'm gonna take a look at that 🙂

Have a nice day,