
Enabling client authentication for SSL and Configuring jetty for SSL don't work

Hi community,

 

As described in the title of this topic, the two solutions don't work in my environment:

 

Enabling client authentication for SSL:

I tried to reproduce exactly the example given in the Talend help https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/HlVXm6zYbAL14q4Lq84a1w . When I call my REST service from Chrome, Firefox, curl or Postman after adding the client certificate, it always shows me "BAD CERTIFICATE". I added our certificate authority and restarted Karaf, and I always get the same error message "BAD CERTIFICATE".

 

Configuring jetty for SSL:

As the first solution did not work for me, I tried the second solution by modifying the jetty.xml file and tested the one-way SSL example as described here: https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/xWGGon_HvMs8tUG8RhStDQ . After restarting Karaf I'm not able to call the REST service.

 

Here is my Talend REST service used for the tests:

0683p000009M8ZL.png

 

My first try, modifying org.ops4j.pax.web.cfg and restarting Karaf:

 

0683p000009M8ZQ.png

My second try, modifying the jetty.xml file, adding my connector and restarting Karaf:

0683p000009M8ZV.png

0683p000009M8Za.png

 

Any answer or suggestion would be very much appreciated.

 

Thank you in advance.

Accepted Solutions
Anonymous

I have raised the v7.2 issue as well. Thank you for pointing it out.

 

Regarding your new question, could you raise a new question please? That is the sort of thing that might be quite useful to others, but can get lost when it is added to the end of another question.


26 Replies
Anonymous

How are you creating your certificates and keystores? This is usually a cause of this sort of issue. You will also need to make sure that your trusted certificate is configured in your browser. This link should help you https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/YS2qpyciSmqGw1eFT08J1Q

 

Anonymous

Hi,

 

Thank you for your answer and the link.

I am using this link for the settings and trying to reproduce exactly the same examples given; however, it doesn't work (I am using keytool and generating exactly the same certificates given in this link).

 

I tried to do this on 2 computers with TOS for ESB 7.1.2 (OS: Windows 10, antivirus: NOD32 disabled, and the firewall also).

 

Thank you for your help

Anonymous

Are you creating your certificate from scratch or trying to use one issued by a certification authority (like GoDaddy.com)? Certificates are a nightmare to work with and configure. I know that this does work, but it might be you are leaving out some information.

Anonymous

I am creating my certificate from scratch exactly as follows (if this example works, I will use the certificate authority later):

Enabling client authentication for SSL

To exchange certificates and allow only "trusted" clients to use the Talend Runtime Container HTTP service, you need to follow the following instructions.

  1. Enable the HTTP client auth support in the Karaf-based Talend Runtime Container.

    When you install the HTTP feature, the container leverages Pax-Web to provide HTTP OSGi service:

    karaf@trun> feature:install http
  2. Add a custom file with the following content:

<


Anonymous

I noticed a couple of mistakes in this documentation or in your copying of it.

 

Two keystores are created using these commands....

keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore client.jks

You then used these commands to export your client certificate and import it into the server keystore...

keytool -export -rfc -keystore clientKeystore.jks -storepass password -alias clientkey -file client.cer
keytool -import -trustcacerts -keystore keystore.jdk -storepass password -alias clientkey -file client.cer

The clientKeystore.jks should be client.jks and keystore.jdk looks like a typing error with jdk instead of jks.
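The keystore exchange discussed in the reply above, together with the org.ops4j.pax.web.cfg attempt from the opening post, as an added example that is not code from the Talend documentation or from anyone in this thread. It creates keystore.jks and client.jks with consistent names (so the clientKeystore.jks / keystore.jdk mix-up cannot happen), exports the client certificate and imports it into the server keystore, writes the matching Pax Web HTTPS properties, and then checks the result with `keytool -list` before Karaf is restarted. It assumes a JDK `keytool` on PATH; the password "password", the subject names, the port 9001, the work directory and the property names (as documented for Pax Web / Karaf, to be checked against the etc/ directory of your Talend Runtime version) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the Talend documentation or from this thread.
# Builds the two keystores the thread talks about, exchanges the client
# certificate, writes the Pax Web SSL properties and verifies the outcome.
# Assumes `keytool` from a JDK is on PATH. Password, subject names, port and
# work directory are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STOREPASS="password"

# Create keystore.jks (server key pair) and client.jks (client key pair).
make_keystores() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias serverkey -dname "CN=localhost, O=Demo" \
        -keypass "$STOREPASS" -storepass "$STOREPASS" \
        -keystore "$WORKDIR/keystore.jks"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -alias clientkey -dname "CN=demo-client, O=Demo" \
        -keypass "$STOREPASS" -storepass "$STOREPASS" \
        -keystore "$WORKDIR/client.jks"
}

# Export the client certificate from client.jks and import it as a trusted
# entry into keystore.jks, the file the server will actually read.
exchange_client_cert() {
    keytool -exportcert -rfc -keystore "$WORKDIR/client.jks" \
        -storepass "$STOREPASS" -alias clientkey -file "$WORKDIR/client.cer"
    keytool -importcert -noprompt -trustcacerts -keystore "$WORKDIR/keystore.jks" \
        -storepass "$STOREPASS" -alias clientkey -file "$WORKDIR/client.cer"
}

# Write the Pax Web HTTPS settings pointing at the server keystore.
# Property names are the ones documented for Pax Web / Karaf; whether this
# Talend Runtime version reads exactly these is an assumption to verify.
write_pax_web_cfg() {
    cat > "$WORKDIR/org.ops4j.pax.web.cfg" <<EOF
org.osgi.service.http.port.secure=9001
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=$WORKDIR/keystore.jks
org.ops4j.pax.web.ssl.password=$STOREPASS
org.ops4j.pax.web.ssl.keypassword=$STOREPASS
org.ops4j.pax.web.ssl.clientauthneeded=true
EOF
}

# Succeed only if keystore.jks holds a PrivateKeyEntry for serverkey and a
# trustedCertEntry for clientkey; missing either one is a typical reason the
# TLS handshake rejects the client certificate.
verify_server_keystore() {
    listing=$(keytool -list -keystore "$WORKDIR/keystore.jks" -storepass "$STOREPASS")
    echo "$listing" | grep -q '^serverkey,.*PrivateKeyEntry' || return 1
    echo "$listing" | grep -q '^clientkey,.*trustedCertEntry' || return 1
}

# Succeed only if the keystore path named in the cfg exists and ends in .jks
# (catches the keystore.jdk typo before Karaf silently fails to start HTTPS).
verify_cfg_paths() {
    store=$(sed -n 's/^org.ops4j.pax.web.ssl.keystore=//p' "$WORKDIR/org.ops4j.pax.web.cfg")
    [ -n "$store" ] && [ -f "$store" ] || return 1
    case "$store" in *.jks) return 0 ;; *) return 1 ;; esac
}

main() {
    make_keystores
    exchange_client_cert
    write_pax_web_cfg
    verify_server_keystore && verify_cfg_paths \
        && echo "keystores and cfg in $WORKDIR are consistent"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it with `sh keystore-demo.sh run`; the generated org.ops4j.pax.web.cfg then goes into the container's etc/ directory and the keystore path in it must match the file the container can read. The two verify functions are the part worth keeping: running them after any edit to the keystore or cfg tells you whether the server side is consistent before you look for the cause of a "bad certificate" error in the browser.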

Anonymous

Hi,

 

Yes, there are a couple of mistakes in the Talend documentation and I corrected them before setting up my environment, but always the same error:

 

Here is the import of my certificate (with success) in Google Chrome, for example:

0683p000009M8Bo.png

And the error:

 

0683p000009M8Df.png

Anonymous

Sorry about the delay in getting back to you. I have installed the runtime and have been trying this out myself. It appears that either something in the product has changed, requiring an update to the documentation, or something has broken. I know that this has worked prior to v7.1 as I used it on several projects with v6. I have therefore raised this as a bug. I am not sure how long it will take to get a response, but I know the team who will be looking at this first, so will try and make sure it is elevated in their list of priorities. 

Anonymous

Hi,

 

Thank you so much for your feedback and reactivity.

 

If it is possible, what is the version (6.x) you used in your projects that works well? Maybe I can use it for the moment and go back to the latest version after the bug fix or once the documentation is updated.

 

Regards

Anonymous

I believe the last version I used this successfully with was v6.2. However, I am unsure about what is preventing this from working. I am suspicious as to whether there is something requiring a certificate authority now, which wasn't a requirement in the past. The error I was getting when I tried this was not descriptive enough for me to definitely point to this, but it certainly didn't rule it out. I'll carry on looking into this and if I find something, get back to you.