user19
Contributor

call the secure service using cHttp component

Hello,

I am trying to call a secure (HTTPS) backend using the cHttp component in a route, but when I send a call I get the following error.

Error 500 org.apache.cxf.interceptor.Fault: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target while invoking public abstract java.lang.Object

I tried https://help.talend.com/r/NUuq0nJiWNDq5Yi0HIGnzw/JgJYEYfycI59q9PCxukDHQ but it didn't work.

How can I call the Https? Any help would be appreciated.

17 Replies
Anonymous
Not applicable

OK, I believe that this is due to you not having the correct certificates configured in a keystore for the server you are trying to access. Your web browser will do this for you when you access an https site. But we have to do this manually. This process is explained here.....

https://help.talend.com/r/hXruAwZmhJU0BQ2h3iGBiA/DbpuITII8XRTBPM1nfmC8A

....but it then tells you how to use it with a service in a Talend job. You want to use it with a route. I believe the best way to attempt this is to set up a local runtime on your machine and test the route through that. You can configure the keystore with the runtime like this.....

https://help.talend.com/r/tez87K9J65Ah64Rult_SAQ/peRqMypwHzLvNuiqzCugzg

.....then you can run your route through the runtime. However, this will not give you the best debugging experience. But you will need to have this config in your production runtime.

To test in the Studio, go to preferences and you can set up a keystore for testing here....

I haven't done this in a long while, so I can't guarantee that this will work for you OR that this is your problem. I believe it is your problem and this is the first thing I would attempt to sort it.

I'd be interested to hear if this works for you.

Anonymous
Not applicable

Sorry, I see I pointed you back to the same link you provided and said it didn't work. I presume that you compiled your route and added it to the runtime to test this? If not, that is what you need to do. Also, try out the Studio preferences method I posted. After you have created your keystore, that is the quickest way to test this in the Studio.

user19
Contributor
Author

Thank you for your reply. I tested the given links but the error persists. I have a few questions regarding https://help.talend.com/r/hXruAwZmhJU0BQ2h3iGBiA/DbpuITII8XRTBPM1nfmC8A

  1. tlsClientParameters.trustManager.keystore.file is an issuer certificate, which is a .cer file (just an X.509 certificate) that validates the client certificate and has no private key. "tlsClientParameters.keyManager.keystore.file" is the certificate which the client provides us to access the web service and is in .pfx format. Then why is there a "tlsClientParameters.trustManagers.keyPassword" when there is no private key for the trustManager?
  2. For url = https://, do we have to provide the complete URL of the service? For example, I have Https://prod-server/atp/api/login, so do I just need prod-server.* or do I need to enter the complete URL?
  3. I am using Talend 7.3 and by default I have "tlsClientParameters.cipherSuitesFilter.include = .*_WITH_AES_.*", but in the doc it is different. Do I need to change it?

Please clear up these points if you can.

user19
Contributor
Author

I built it and placed the .kar file in the production runtime deployed folder. I did not add the keystore component in Studio as I am not testing it in the Studio directly.

Anonymous
Not applicable

OK, dealing with certificates in Java can be really quite tricky. In fact, it is my opinion that the strength of many standard security mechanisms across all domains is largely aided by the complexity of configuring them. Even if you have the right to access many, it is still hard. I have been through this a number of times.

First of all, did you add our .cer file to a keystore? If not, this must be done. You can find instructions on doing this here...

https://help.talend.com/r/en-US/8.0/access-secure-services-with-studio-and-runtime/accessing-secure-services-using-talend-studio-and-talend-runtime

Look for the section with the title "Converting SSL certificates to Java KeyStore". If you have already done this, sorry for mentioning it again. But this is important. You talk about a .cer file in relation to the tlsClientParameters.trustManager.keystore.file. This will be a keystore file which is a jks file that you create by doing the above.

More detail about the http-conduit file can be found here....

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/http-conduit-osgi-configuration-parameters

Your url question is covered there.

For the tlsClientParameters.cipherSuitesFilter.include value, I would leave it as the default for now.

If this doesn't get you any further, I would recommend raising a support call. This isn't a problem with Talend as such, more the complexity of the Java certificate handling. Once it is working, it is practically bullet proof, but getting it configured correctly can be a bit of a nightmare.

https://help.talend.com/r/en-US/8.0/esb-container-administration-guide/osgi-configuration-files

user19
Contributor
Author

Now I have followed all the steps as mentioned in the doc but still get the same error. My point was that "tlsClientParameters.trustManagers.keyPassword" should be the private key password, and in the doc storepass is the password of the truststore. Or did I understand wrong? Because for tlsClientParameters.keyManagers.keyPassword I am entering the password of the private key. Is that wrong?

Secondly, when I tried to add the preferences in Studio I got the error "Failed to load the SSL configuration!". Is it because I don't have the tSetKeystore component or is it some other issue?

Anonymous
Not applicable

Take a look at this page.....

https://cxf.apache.org/docs/tls-configuration.html

This explains all about the Apache Karaf configuration requirements for certificates.

The Key Managers configuration item is used to retrieve key information. It is required for a Server, but is only required for a Client when the Server requires Client Authentication. So if you are exposing a web service using HTTPS OR if the service you are calling requires Client Authentication. From what you have said, I don't think this is needed.

The Trust Managers configuration item is used to validate trust in peer X.509 certificates. It is required for both Servers and Clients. I think this is what you need to focus on here.

The password fields you speak of are for the password of your keystore, they are nothing to do with the certificates.
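
Added example, not part of the replies above and not Talend or CXF code: a stand-alone Java check, run outside Karaf, that the JKS truststore discussed in this thread opens with its store password, holds trusted certificate entries, and validates the backend's certificate chain. The class name `TrustStoreCheck` and its command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper. Usage: java TrustStoreCheck <truststore.jks> <storepass> <host> [port]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] storePass = args[1].toCharArray();
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;

        // 1. Open the store. A missing file or a wrong store password throws here.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, storePass);
        }

        // 2. A truststore needs certificate entries (the issuer .cer imported into it).
        int trusted = 0;
        for (String alias : Collections.list(ts.aliases())) {
            boolean isCert = ts.isCertificateEntry(alias);
            if (isCert) trusted++;
            System.out.println(alias + (isCert ? " [trustedCertEntry] " : " [keyEntry] ")
                    + ((X509Certificate) ts.getCertificate(alias)).getSubjectX500Principal());
        }
        if (trusted == 0) throw new IllegalStateException("No trusted certificate entries in " + path);

        // 3. Handshake with the backend, trusting only the certificates in this store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake(); // "PKIX path building failed" here means the issuer is not in the store
            System.out.println("Handshake OK: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

If all three steps pass here with the same file path and password that the conduit configuration uses, the keystore itself is sound and the remaining question is whether the runtime is reading that configuration.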

user19
Contributor
Author

Thank you for your detailed answer and time. This time I tried adding some non-existing keystores and wrong passwords, but it throws the same error and in the log files there is no info that the keystore does not exist or that the passwords are wrong. Maybe it is not picking up the conduit-common file at all. Is there any way to check whether it is picking up the file?

Anonymous
Not applicable

Whereabouts is your keystore located on your machine with the Karaf running and how have you pointed to it in the conduit-common file?