ADLS Gen2 connection issues when private link used, and replicate installed on Azure VM

SwathiPulagam

Last Update:

Mar 1, 2022 5:58:35 AM

Updated By:

Sonja_Bauernfeind

Created date:

Feb 24, 2022 4:34:35 PM

Environment

Qlik Replicate 

 

The following error appears when Qlik Replicate cannot find an appropriate SSL certificate:

JAVA_EXCEPTION, message: 'java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target'

 

Follow these steps to add the certificates to the Replicate JVM keystore.

Before you get started, make sure the Target sub-resource of your storage account's private endpoint is “dfs” (it should not be “blob” for ADLS Gen2). To confirm, check the server log file; you should see the error message below together with the certificate error:

[SERVER          ]E:  Failed to connect to Data lake store name 'https://<storageaccountname>.dfs.core.windows.net'

 

Resolution:

Run the two OpenSSL commands below from the Replicate machine. Each should return a complete certificate chain with no errors. If OpenSSL cannot retrieve the certificates, there may be a firewall issue, which must be resolved first.

openssl s_client -connect login.microsoftonline.com:443 -showcerts
openssl s_client -connect <storageaccountname>.dfs.core.windows.net:443 -showcerts

 

If the OpenSSL -showcerts commands run with no issues, follow the steps below to save the certificates in PEM format:

 

Replicate on Windows:

openssl s_client -servername login.microsoftonline.com -connect login.microsoftonline.com:443 < nul | openssl x509 -outform pem > microsoftonline.pem
openssl s_client -servername <storageaccountname>.dfs.core.windows.net -connect <storageaccountname>.dfs.core.windows.net:443 < nul | openssl x509 -outform pem > <storageaccountname>_dfs.pem

 

Replicate on Linux:

openssl s_client -servername login.microsoftonline.com -connect login.microsoftonline.com:443 < /dev/null | openssl x509 -outform pem > microsoftonline.pem
openssl s_client -servername <storageaccountname>.dfs.core.windows.net -connect <storageaccountname>.dfs.core.windows.net:443 < /dev/null | openssl x509 -outform pem > <storageaccountname>_dfs.pem

Finally, import these certificates into the Replicate JVM keystore (cacerts). Copy the two PEM files to jvm\bin and run the keytool commands below. Adjust the paths for your OS environment.

..\Attunity\Replicate\jvm\bin> keytool -import -noprompt -trustcacerts -alias microsoftonline -file microsoftonline.pem -keystore ..\Attunity\Replicate\jvm\lib\security\cacerts
..\Attunity\Replicate\jvm\bin> keytool -import -noprompt -trustcacerts -alias <storageaccountname>_dfs -file <storageaccountname>_dfs.pem -keystore ..\Attunity\Replicate\jvm\lib\security\cacerts

To list and review the imported certificates, use the command below.

..\Attunity\Replicate\jvm\bin> keytool -list -v -keystore ..\Attunity\Replicate\jvm\lib\security\cacerts

 

Note:

  1. Replace <storageaccountname> with your storage account name.
  2. The default keytool password is changeit (all lowercase letters).
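
Before running the keytool import, each saved PEM file can be inspected so that only the expected certificate ends up trusted in cacerts. The script below is an added example, not part of the original article: check_pem is a hypothetical helper name, the checks use the Linux shell variant of the steps, and the demo runs on a constructed self-signed certificate for a made-up account name, examplestore.

```shell
#!/bin/sh
# Added example (not from the original article). check_pem is a hypothetical
# helper name; "examplestore" is a constructed storage account name.

# check_pem FILE HOST
# Inspects a certificate written by the "s_client | x509 -outform pem" pipeline
# before it is imported into cacerts. Returns 0 only if every check passes.
check_pem() {
    pem=$1
    host=$2

    # An empty or truncated file means the s_client step returned no certificate.
    if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
        echo "FAIL: $pem does not contain a certificate" >&2
        return 2
    fi

    # The certificate must name the endpoint Replicate connects to.
    # x509 -checkhost reports its result as text, so match on the wording.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q "does match"; then
        echo "FAIL: $pem is not issued for $host" >&2
        return 3
    fi

    # Reject a certificate that is expired or expires within 24 hours.
    if ! openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null; then
        echo "FAIL: $pem is expired or about to expire" >&2
        return 4
    fi

    # Issuer shows who signed the certificate; the SHA-256 fingerprint can be
    # compared with the one "keytool -list -v" prints for the imported alias.
    openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Demo on a constructed self-signed certificate, so it runs offline.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=examplestore.dfs.core.windows.net" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/examplestore_dfs.pem" 2>/dev/null

check_pem "$demo_dir/examplestore_dfs.pem" examplestore.dfs.core.windows.net
check_pem "$demo_dir/examplestore_dfs.pem" login.microsoftonline.com || echo "rejected as expected"
```

If the printed issuer is not the certificate authority you expect for the endpoint, resolve that before importing the file.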

 
