lguevara
Partner - Creator II

thttpclient configure with certificate client

Hi,

I want to execute a POST method, but this uses a client certificate for authentication (host, CRT file and KEY file).

Please, how do I configure this using the tHTTPClient component in Talend Studio?

Thanks,

Xiaodi_Shi
Employee

Hello @lguevara 

The tHTTPClient component has a "Bypass server certificate validation" option in the advanced settings, which is used to prevent the client from validating the server certificate.

https://help.qlik.com/talend/en-US/components/8.0/http/thttpclient

For your use case, please get the certificates from the target API server and use keytool import to add them to the target keystore file. If you don't want to use the tSetKeyStore component specifically, then you can import the certificates into the JVM/lib/security/cacerts used by Talend Studio.

keytool -import -trustcacerts -alias xxxcert-1 -file /temp/a-cert-1.cer -keystore jvm/lib/security/cacerts -storepass changeit
keytool -import -trustcacerts -alias xxxcert-2 -file /temp/a-cert-2.cer -keystore jvm/lib/security/cacerts -storepass changeit
keytool -import -trustcacerts -alias xxxcert-3 -file /temp/a-cert-3.cer -keystore jvm/lib/security/cacerts -storepass changeit


tHttpClient needs to uncheck "Bypass server certificate validation".

Best regards

Sabrina

lguevara
Partner - Creator II
Author

Hi @Xiaodi_Shi ,

Thanks for this information; this works fine using Talend Studio:

openssl pkcs12 -export -in application.cert -inkey application.key -out client_app_cert.p12 -name "client_app_certificate" -password pass:changeit

keytool -import -alias api_cliente_seguro -file C:\path\server.crt -keystore C:\path\truststore.jks -storepass changeit
-- And in JVM arguments
-Djavax.net.ssl.keyStore="C:/path/client_app_cert.p12"
-Djavax.net.ssl.keyStoreType="PKCS12"
-Djavax.net.ssl.keyStorePassword="changeit"
-Djavax.net.ssl.trustStore="C:/path/truststore.jks"
-Djavax.net.ssl.trustStorePassword="changeit"
And check bypass server certificate validation

But when I publish this job to TMC and run this task on the remote engine, which has the path and the .p12 and .jks files correct, I get a 403 Forbidden error.

Maybe you know why?

thanks,

Xiaodi_Shi
Employee

Hello @lguevara 

I'm supposing the error message you got looks like below?

Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://xxxxxxxx.com/xxxapi:443: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Please make sure you did import the certificates into JVM/lib/security/cacerts used by Remote Engine.

When you're talking about running the job on a Remote Engine, it will always be best practice to use the tSetKeystore, and map that to a keystore/truststore on the instance in question.

Keystores are local to whichever instance the job is running on; the Studio settings for the keystore are only for Metadata connections, and only stay on that specific studio instance.

You should set your own expectations that a keystore/truststore should be created on the instance where the RE resides, and should contain all other required certs for the jobs in question.

Best regards

Sabrina
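
A preflight check for the instance where the Remote Engine runs, added here as an example and not part of the thread: it confirms that a .p12 built with the `openssl pkcs12 -export` command shown earlier really holds a private key together with its matching, unexpired client certificate. The function name, the `P12_PASS` environment variable and the placeholder path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a PKCS#12 file is usable as a
# TLS client identity on the host where the job runs.
# Assumption: the keystore password is supplied in the P12_PASS environment
# variable, so it does not show up in the process list or shell history.
#
# Return codes: 0 usable, 1 unreadable file, 2 no private key or wrong password,
#               3 no client certificate, 4 key/certificate mismatch, 5 expired.
check_client_p12() {
    p12=$1
    [ -r "$p12" ] || { echo "cannot read: $p12" >&2; return 1; }

    # Public half of the private key stored in the keystore. A truststore copied
    # in place of the client keystore has no key entry and fails here.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) \
        || { echo "no private key entry, or wrong password" >&2; return 2; }

    # Leaf certificate that belongs to that key (-clcerts skips CA certificates).
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 2>/dev/null) \
        || { echo "no client certificate entry" >&2; return 3; }

    # The certificate must carry the same public key as the private key.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -pubkey -noout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate does not match private key" >&2; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -checkend 0 -noout >/dev/null \
        || { echo "client certificate has expired" >&2; return 5; }

    # Print subject and expiry date so the operator can confirm the identity.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# Stand-alone use (placeholder path):
#   P12_PASS=... sh check_p12.sh /path/on/engine/client_app_cert.p12
[ "$#" -eq 0 ] || check_client_p12 "$1"
```

Run it on the Remote Engine host against the same file that tSetKeystore or `-Djavax.net.ssl.keyStore` points to; a non-zero exit means the job has no usable client identity to present.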

lguevara
Partner - Creator II
Author

Hi @Xiaodi_Shi 

Using tSetKeystore works fine in TMC.

Thanks

Xiaodi_Shi
Employee

Hello,
Thanks for your feedback and for setting it as the Solution.

Best regards

Sabrina