topic Re: SSL setup JKS issues for runtime server in Installing and Upgrading

SSL setup JKS issues for runtime server

Dave5 — Fri, 15 Nov 2024 22:46:55 GMT

I am using the Talend ESB system and I am trying to setup SSL on my runtime server.

I was able to setup SSL (incorrectly) with a Wildcard cert that I imported to the JKS (Java Key Store). When I started testing I noticed I was getting a warning reading: `Warning: Unable to verify the first certificate`.

I looked into it and is seemed like I was missing an intermediate certificate in my keystore. So I questioned the method I used to import the keypair into my .JKS file. I ended up doing a second import of the PFX file that was provided to me (it is from DigiCert, a trusted CA). This time, I noticed that the hierarchy seemed correct. I had the root, the intermediate, and our wildcard cert, as I should. I tested the validity and it passed the test! The original JKS file did not pass a validity test.

**So at this point it's important to know two things.**

- I used the same PFX file to import the cert into two different JKS files.

- The cert (keypair) that does not pass validity worked with warnings.

The painful thing I'm experiencing now is that I SHOULD just be able to replace the original file "keystore.jks" with the new JKS file which contains a valid cert key pair. But for some reason when I swap the files, and restart the Talend runtime service to trigger the change, the talend runtime does not work and I can't get any response at all when I try to reach the website services. It just times out. The Talend logs aren't showing me anything useful and I'm very confused why a cert keypair with warnings works, and a valid cert keypair doesn't start our system.

Any help would be appreciated! I don't know where to look to troubleshoot this.

Re: SSL setup JKS issues for runtime server

Anonymous — Mon, 04 Jul 2022 03:15:54 GMT

Hello,

Here is a way to configure Server-SSL for Talend Runtime installations

Please follow the description:

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/ssl-configuration

Note:

org.ops4j.pax.web.cfg - configruations for service provider
conduit-xxx.cfg - configruations for service consumer, e.g calling a 3rd-party endpoint from a deployed tRESTClient job in container

they are different purpose

If you want to have the SSL related passwords encrypted in the configuration file (org.ops4j.pax.web.cfg).

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/enabling-password-encryption

Hope it helps.

Best regards

Sabrina

Re: SSL setup JKS issues for runtime server

Dave5 — Thu, 07 Jul 2022 17:13:53 GMT

Thanks Sabrina. I have followed this (except the 7.3 version). My question is more about why the correct key pair doesn't work, and why the keypair that's missing two levels of certs does work.

Though one key pair "works" it gives a warning because it can't validate the cert without the other two (intermediate and root) certs. When I use a keypair that has all three certs, Talend Runtime doesn't start correctly. The service says it's running, but we can't see the services list from a browser, or make any API calls and I can't find out why.

My organization contracted professional services from Talend and we spent 4 hours re-creating the steps we already did and we didn't get any progress. I am hoping someone can help in the community instead.

Re: SSL setup JKS issues for runtime server

Anonymous — Fri, 08 Jul 2022 04:12:53 GMT

Hello,

Thanks for your feedback.

I have redirected your issue to our ESB runtime expert from R&D team and will come back to you as soon as we can.

Best regards

Sabrina

Re: SSL setup JKS issues for runtime server

Anonymous — Mon, 18 Jul 2022 12:00:57 GMT

@Dave Tessier I have just seen this and am curious as to whether you have tried removing the old certs (the broken one you tried first) from the browser cache? This could be causing your issues.

Re: SSL setup JKS issues for runtime server

Dave5 — Mon, 18 Jul 2022 14:37:55 GMT

Hi @Richard Hall

Yes, I've tried that. Typically I am testing my REST API calls VIA Postman, but I also use SOAPUI and Browsers to check various info on the Certs for troubleshooting.

When I use the Cert that should work (the one with all three levels), the Windows service for our on-prem Talend Runtime (7.3) starts, but any API calls made time out.

Thank you.

Re: SSL setup JKS issues for runtime server

Anonymous — Mon, 18 Jul 2022 15:37:33 GMT

Have you tried switching on the standard Java SSL debugging to see what is potentially causing this issue? Here is a link which shows how to do this.....

https://access.redhat.com/solutions/973783

Re: SSL setup JKS issues for runtime server

Dave5 — Tue, 26 Jul 2022 15:32:58 GMT

@Richard Hall Thank you for the suggestion on SSL debugging. I did that, and noticed the following issue in the testb.log:

java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

I did some searching online and found this solution on Stack Overflow

The issue was that I wasn't using the certificate's password in the org.ops4j.pax.web.cfg file. I wasn't aware that the cert's password had to be used in this config file (something critical to note in this Talend tutorial maybe).

Once I changed the password in the config file to be the same as the certificate's password, my multi-layer cert jks worked.

Re: SSL setup JKS issues for runtime server

Anonymous — Wed, 27 Jul 2022 12:18:24 GMT

Thanks so much for letting us know about your solution! This will help loads of other people I am sure. Sorry I was not able to give you more help, but security can be really tricky if you don't have direct access to try stuff out.

I sometimes think that a large component of security strength in computer science is the obfuscation of the implementation and documentation of the libraries that are used 😉