Dave5
Contributor II

SSL setup JKS issues for runtime server

I am using the Talend ESB system and I am trying to set up SSL on my runtime server.

I was able to set up SSL (incorrectly) with a Wildcard cert that I imported to the JKS (Java Key Store). When I started testing I noticed I was getting a warning reading: `Warning: Unable to verify the first certificate`.

I looked into it and it seemed like I was missing an intermediate certificate in my keystore. So I questioned the method I used to import the keypair into my .JKS file. I ended up doing a second import of the PFX file that was provided to me (it is from DigiCert, a trusted CA). This time, I noticed that the hierarchy seemed correct. I had the root, the intermediate, and our wildcard cert, as I should. I tested the validity and it passed the test! The original JKS file did not pass a validity test.

**So at this point it's important to know two things.**

- I used the same PFX file to import the cert into two different JKS files.

- The cert (keypair) that does not pass validity worked with warnings.

The painful thing I'm experiencing now is that I SHOULD just be able to replace the original file "keystore.jks" with the new JKS file which contains a valid cert key pair. But for some reason, when I swap the files and restart the Talend runtime service to trigger the change, the Talend runtime does not work and I can't get any response at all when I try to reach the website services. It just times out. The Talend logs aren't showing me anything useful and I'm very confused why a cert keypair with warnings works, and a valid cert keypair doesn't start our system.

Any help would be appreciated! I don't know where to look to troubleshoot this.


8 Replies
Anonymous
Not applicable

Hello,

Here is a way to configure Server-SSL for Talend Runtime installations

Please follow the description:

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/ssl-configuration

Note:

  • org.ops4j.pax.web.cfg - configurations for the service provider
  • conduit-xxx.cfg - configurations for the service consumer, e.g. calling a 3rd-party endpoint from a deployed tRESTClient job in the container

They serve different purposes.

If you want to have the SSL related passwords encrypted in the configuration file (org.ops4j.pax.web.cfg), see:

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/enabling-password-encryption

Hope it helps.

Best regards

Sabrina

Dave5
Contributor II
Author

Thanks Sabrina. I have followed this (except the 7.3 version). My question is more about why the correct key pair doesn't work, and why the keypair that's missing two levels of certs does work.

Though one key pair "works" it gives a warning because it can't validate the cert without the other two (intermediate and root) certs. When I use a keypair that has all three certs, Talend Runtime doesn't start correctly. The service says it's running, but we can't see the services list from a browser, or make any API calls and I can't find out why.

My organization contracted professional services from Talend and we spent 4 hours re-creating the steps we already did and we didn't get any progress. I am hoping someone can help in the community instead.

Anonymous
Not applicable

Hello,

Thanks for your feedback.

I have redirected your issue to our ESB runtime expert from R&D team and will come back to you as soon as we can.

Best regards

Sabrina

Anonymous
Not applicable

@Dave Tessier I have just seen this and am curious as to whether you have tried removing the old certs (the broken one you tried first) from the browser cache? This could be causing your issues.

Dave5
Contributor II
Author

Hi @Richard Hall

Yes, I've tried that. Typically I am testing my REST API calls via Postman, but I also use SOAPUI and browsers to check various info on the certs for troubleshooting.

When I use the cert that should work (the one with all three levels), the Windows service for our on-prem Talend Runtime (7.3) starts, but any API calls made time out.

Thank you.

Anonymous
Not applicable

Have you tried switching on the standard Java SSL debugging to see what is potentially causing this issue? Here is a link which shows how to do this:

https://access.redhat.com/solutions/973783


Dave5
Contributor II
Author

@Richard Hall Thank you for the suggestion on SSL debugging. I did that, and noticed the following issue in the testb.log:

```
java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
```

I did some searching online and found this solution on Stack Overflow.

The issue was that I wasn't using the certificate's password in the org.ops4j.pax.web.cfg file. I wasn't aware that the cert's password had to be used in this config file (something critical to note in this Talend tutorial maybe).

Once I changed the password in the config file to be the same as the certificate's password, my multi-layer cert JKS worked.
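An added check, not code from this thread or from Talend, that reproduces the failure behind this answer (a key entry protected by a different password than the store, which is what the runtime hits when the config holds the wrong password) and, given a real `keystore.jks` plus its store and key passwords as arguments, also reports the certificate chain length per key entry that the original question was trying to confirm. The class name `KeystoreCheck`, the alias `demo` and the sample passwords are assumptions; the in-memory PKCS12 store is constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;
public class KeystoreCheck {
    // For each key entry: report the chain length (a key imported from a CA-issued PFX should
    // show 3: server cert, intermediate, root) and unlock the key with keyPassword, as the runtime does.
    static boolean checkKeys(KeyStore ks, char[] keyPassword) throws Exception {
        boolean allOk = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            int chainLen = (chain == null) ? 0 : chain.length;
            try {
                Key k = ks.getKey(alias, keyPassword);
                System.out.printf("%s: key unlocked (%s), chain length %d%n", alias, k.getAlgorithm(), chainLen);
            } catch (UnrecoverableKeyException e) {
                // Wrong key password: the same "Get Key failed" error seen in the SSL debug log.
                System.out.printf("%s: %s (chain length %d)%n", alias, e.getMessage(), chainLen);
                allOk = false;
            }
        }
        return allOk;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // Java 9+ also reads JKS-format files via this type
        char[] storePw = "storepass".toCharArray();   // constructed sample passwords (assumptions)
        char[] keyPw = "certpass".toCharArray();
        if (args.length == 3) {                       // java KeystoreCheck keystore.jks <storePw> <keyPw>
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            storePw = args[1].toCharArray();
            keyPw = args[2].toCharArray();
        } else {                                      // offline demo: key protected by its own password
            ks.load(null, null);
            ks.setEntry("demo", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                        new KeyStore.PasswordProtection(keyPw));
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, storePw);
            ks.load(new ByteArrayInputStream(out.toByteArray()), storePw);
        }
        System.out.println("using the key password:   " + checkKeys(ks, keyPw));
        System.out.println("using the store password: " + checkKeys(ks, storePw));
    }
}
```

The second call almost always fails with the padding error quoted above, because the PBE padding check catches the wrong key password; a run against the real keystore that unlocks the key but shows a chain length of 1 points at the original incomplete import instead.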

Anonymous
Not applicable

Thanks so much for letting us know about your solution! This will help loads of other people I am sure. Sorry I was not able to give you more help, but security can be really tricky if you don't have direct access to try stuff out.

I sometimes think that a large component of security strength in computer science is the obfuscation of the implementation and documentation of the libraries that are used 😉