Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Introducing Qlik Answers: A plug-and-play, Generative AI powered RAG solution. READ ALL ABOUT IT!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
ann-gaelle
Contributor III
Contributor III
‎2022-08-19 08:25 AM

[tRestClient] How to disable server identity verification

Hi everybody, 

 

I didn't find any post with the same issue. 

 

I'm doing a job where I call an external API with a tRestClient. My problem is that this API need to be call with an uri begginning by "https", or it will throw an error because the communication is not secure. But, the servor of the api has a certificate expired. 

 

On postman there isn't any problem, I just need to uncheck the "Enable SSL certificate Verification". I thought that in talend it would be the same, however, when I unchecked "Verify the server identity" (I am note sure it's the english name because I couldn't find this property in the doc 8.0 of talend ESB tRestClient). It's a parameter in the simple one, that will change the value of the variable "__CHECK_SERVER_IDENTITY__", I still got an error about the SSL Verification. Does anyone have an idea why ? And how can I really disable the ssl verification ? 

 

Here is my log if it can help

 

"

org.apache.cxf.interceptor.Fault: Could not send Message.

at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67) ~[cxf-core-3.4.4.jar:3.4.4]

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]

at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]

at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]

...

... 10 more

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]

at sun.security.ssl.TransportContext.fatal(TransportContext.java:349) ~[?:?]

... 10 more

 

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:263) ~[?:?]

... 10 more

 

Caused by: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144) ~[?:?]

... 10 more

 

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Jun 17 01:59:59 CEST 2022

at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277) ~[?:?]

... 10 more

 

Exception in component tRESTClient_1 (NAMEOFMYJOB)

javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:631)

at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:605)

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://MYURIAPI: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)

... 7 more

Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)

at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)

[INFO ] 14:00:32 org.apache.cxf.interceptor.LoggingInInterceptor- Inbound Message

----------------------------

ID: 1

Address: https://URIOFMYAPI

Http-Method: POST

Content-Type: application/json

Headers: {Content-Type=[application/json], Accept=[*/*], x-dw-client-id=[MYCLIENTID], Content-Length=[4270], Authorization=[Bearer TOKEN]}

--------------------------------------

at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1418)

... 16 more

 

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)

...

... 39 more

 

Caused by: java.security.cert.CertPathValidatorException: validity check failed

at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)

at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)

...

... 45 more

 

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Jun 17 01:59:59 CEST 2022

... 50 more

 

[statistics] disconnected

 

Job NAMEOFMYJOB terminé à 14:00 19/08/2022. [Code de sortie = 1]

"

 

Any help or advice will be appreciated, 

 

Thank you for your time, 

Labels (2)
Labels
1,041 Views
0 Likes
1 Solution

Accepted Solutions
Anonymous
Not applicable
‎2022-08-22 11:31 AM

In response to ann-gaelle

If this is your Salesforce instance you are trying to POST into, then Salesforce will help you here. This is an important update that is needed.

 

Regarding the tRESTClient and the "Check Server Identity" checkbox, I believe that this should work. I think you may have highlighted a bug and I have raised this. Unfortunately I cannot test this without finding a similar example of problem with a web service with an expired certificate.

 

There are a couple of things to try. You can test this with the tREST component. This may need a slight change in how you post your request. There is a POST box in the component which will need to be populated with a String representation of your POST JSON/XML. Alternatively you could try writing a very basic REST POST method in Java and call that with a tJavaFlex. That should give you the control to do this.

View solution in original post

1,041 Views
0 Likes
4 Replies
Anonymous
Not applicable
‎2022-08-22 09:57 AM

Do you own this API server? If so, I would recommend getting the certificate sorted. If not, is this an API you can tell us about so that we can take a look and see if we can find a workaround? It is very difficult to help with service issues when you cannot look at them yourself.

 

FYI I have raised a request to have the tRESTClient documentation updated with the details on the "Check Server Identity" option.

1,041 Views
0 Likes
ann-gaelle
Contributor III
Contributor III
‎2022-08-22 10:42 AM
Author

Hi @Richard Hall​ , thank you for your response. We don't own the API Server so we can't update the certifacte ourselves. However we did the resquest to the owner but they might not respond positively. It's the API SalesForces, and we are trying a Post SearchOrder (https://documentation.b2c.commercecloud.salesforce.com/DOC1/index.jsp?topic=%2Fcom.demandware.dochel...). Their certificate is expired since June it's what's causing the issue when we check the certificate. However I'm not sure it will help you because I can't give you the access. But I can show you what I tried under Postman vs my service, maybe it could enlight the issue.

 

Postman :

 

0695b00000UxJR4AAN.png0695b00000UxJRnAAN.pngAs you can see it works fine when you disable the ssl verification and do the request in https, I only made appear the two header I wrote myself to make it easier.

 

And here the configuration on Talend Studio if it can help.

0695b00000UxJbOAAV.png0695b00000UxJYoAAN.png 

 

I put nothing inside the Dynamic parameters. Again, sorry I can't really give you more about the issue.

 

The easiest workaround I thought of was to make an http request instead of https when the SSL certificate verification is enable.However, like we need to send a token to the API, it won't work. 0695b00000UxJUwAAN.png 

I think a work around would be to pass over the verification certificate inside a tjava ? But before doing that I wanted to be sure that I was not doing something wrong inside my tRestClient

 

Thank's for the request for the documentation, it could help

 

Have a nice day,

1,041 Views
0 Likes
Anonymous
Not applicable
‎2022-08-22 11:31 AM

In response to ann-gaelle

If this is your Salesforce instance you are trying to POST into, then Salesforce will help you here. This is an important update that is needed.

 

Regarding the tRESTClient and the "Check Server Identity" checkbox, I believe that this should work. I think you may have highlighted a bug and I have raised this. Unfortunately I cannot test this without finding a similar example of problem with a web service with an expired certificate.

 

There are a couple of things to try. You can test this with the tREST component. This may need a slight change in how you post your request. There is a POST box in the component which will need to be populated with a String representation of your POST JSON/XML. Alternatively you could try writing a very basic REST POST method in Java and call that with a tJavaFlex. That should give you the control to do this.

1,042 Views
0 Likes
ann-gaelle
Contributor III
Contributor III
‎2022-08-23 03:04 AM
Author

In response to Anonymous

Hi @Richard Hall​,

 

Thanks for your answer. If my tRestClient is probably well configured, i'll mark the post as resolved.

 

Thank's for all the idea to try, I'm gonna take a look at that 🙂

 

Have a nice day,

1,041 Views
0 Likes