Solved

Attaching a client certificate in a Json Call step

  • August 30, 2024

may_kwok
Star Blazer L3

I’m trying to build a GET API call to an external data provider.

This provider requires me to send my GET call with the certificate.

We managed to test it in POSTMAN, where I had to add the certificate in the Settings → Certificates menu:


I have a .pfx file with a passphrase, and I needed to specify the host.

This works on my laptop in POSTMAN.


Now I’m trying to do the same call in ONE Desktop using JSON Call step.

By way of googling, I’ve managed to convert my .pfx file into .cer, then I imported the .cer file into {DQC_HOME}/jre/lib/security/cacerts. Then I restarted ONE Desktop. But when I call the API I’m still getting an error message from the other side saying my certificate is not sent.


I have a suspicion that the certificate is sitting in the keystore but it is not used. Is there some way to ensure it is used? Some java parameter somewhere?


6 replies

  • Ataccamer
  • 150 replies
  • September 2, 2024

Hi @maykwok_hamilton,

What you describe for Postman is a mutual TLS (mTLS) configuration, where the client has to authenticate itself to the server with a certificate. That’s not the same as importing a custom CA certificate into the keystore.

Here is excerpt from JSON Call help how to enable mTLS:

Support for Mutual TLS (mTLS) Authentication

To enable using mutual TLS authentication, where client certificates are verified in addition to server certificates, the following Java arguments need to be provided:

  • javax.net.ssl.keyStore: Points to the keystore containing the client certificate and the corresponding private key. This can also be a .p12 file.
  • javax.net.ssl.keyStorePassword: The password for the keystore.
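The truststore-versus-keystore distinction in the reply above, as an added example that is not part of the original thread and not Ataccama's code. It is written in Go because its standard library can mint the certificates and run both ends of the handshake offline; the Java equivalent of the two client settings is the TrustManager (cacerts, javax.net.ssl.trustStore) versus the KeyManager (javax.net.ssl.keyStore). The program stands up an HTTPS server that requires a client certificate, then connects twice: once with a client that only trusts the CA (what importing a .cer into cacerts achieves), which the server rejects, and once with a client that also presents its certificate and private key (the keystore), which succeeds. The CA, the server, the two leaf certificates and the names Example Root CA, data-provider and json-call-client are all constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var serial int64 // distinct serial number for every constructed certificate

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue mints a certificate in memory: a self-signed CA when ca is nil, otherwise
// a leaf signed by ca with the given extended key usages. Everything here is
// constructed for the example; nothing is read from or written to disk.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	parent, parentKey := ca, caKey
	if ca == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// mtlsServer is the "external data provider": it presents a server certificate
// and demands a client certificate chaining to ca (ClientCAs is its truststore).
func mtlsServer(ca, cert *x509.Certificate, key *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool(); pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached after a successful mutual handshake, so PeerCertificates is populated.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // this one setting is what makes it mTLS
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	return srv
}

// get performs one GET. RootCAs plays the role of the JVM truststore (cacerts);
// Certificates, when set, plays the role of javax.net.ssl.keyStore.
func get(url string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool(); pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs both client configurations against one server: the error seen when
// only the CA is trusted, and the body seen when the client cert is presented too.
func Demo() (truststoreOnlyErr error, withKeystoreBody string) {
	ca, caKey := issue("Example Root CA", nil, nil)
	srvCert, srvKey := issue("data-provider", ca, caKey, x509.ExtKeyUsageServerAuth)
	cliCert, cliKey := issue("json-call-client", ca, caKey, x509.ExtKeyUsageClientAuth)
	srv := mtlsServer(ca, srvCert, srvKey)
	defer srv.Close()
	keystore := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	_, truststoreOnlyErr = get(srv.URL, ca, nil) // trusts the server, sends no client cert
	withKeystoreBody = must(get(srv.URL, ca, &keystore))
	return truststoreOnlyErr, withKeystoreBody
}

func main() {
	errNoCert, body := Demo()
	fmt.Println("truststore only:", errNoCert)
	fmt.Println("with keystore:  ", body)
}
```

Run it with `go run .`: the first line is the handshake error the server sends back to a client with no certificate, the second is "hello json-call-client". The point for the JSON Call step is the same: a CA entry in cacerts makes the client trust the server, but only a PrivateKeyEntry in the store named by javax.net.ssl.keyStore (with its password supplied) lets the client answer the server's certificate request.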

may_kwok
Star Blazer L3
  • Author
  • Star Blazer L3
  • 84 replies
  • September 2, 2024

Hi @AKislyakov ,

I’m so very nearly there!

What I found, is that I was using cacerts (a truststore), and want to use that as a keystore, which is the wrong thing to do.

So I had to use my .pfx file, to create a .p12 keystore.

When I define the jvm args to the Run Configuration → Runtimes, I get the success response:


If I define the jvm args to one-desktop.ini, I get the failure response.

How can I ensure the jvm args that I define in the Run Configuration, will be read by the runtime server when I push it to PaaS?


(cc @Scott Barden / @Sharon )


may_kwok
Star Blazer L3
  • Author
  • Star Blazer L3
  • 84 replies
  • September 3, 2024

I am super sad right now. I changed none of the configurations, and yet when I try to run this today I get:


com.ataccama.dqc.commons.util.reflect.WrappingRuntimeException: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
    at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:139)
    at com.ataccama.dqc.tasks.io.json.call.JsonCall$Runtime.run(JsonCall.java:339)
    at com.ataccama.dqc.processor.internal.runner.ComplexStepNode.runNode(ComplexStepNode.java:64)
    at com.ataccama.dqc.processor.internal.runner.RunnableNode.run(RunnableNode.java:29)
    at com.ataccama.dqc.commons.threads.AsyncExecutor$RunningTask.run(AsyncExecutor.java:135)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:450)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:301)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:320)
    at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:130)
    ... 5 more
Caused by: java.lang.NullPointerException: Cannot read the array length because "password" is null
    at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:259)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
    ... 13 more



may_kwok
Star Blazer L3
  • Author
  • Star Blazer L3
  • 84 replies
  • Answer
  • September 3, 2024

OK….. so I found my problem of somehow losing 1 character from the jvm arg which meant that the password wasn’t read.

So, I have now tried 3 ways, and 2 of them work:

In Run Configuration:

  1. I have a .pfx file. I convert it to a .p12 file by running:

    C:\Ataccama\14.5.1\jre\bin>keytool -importkeystore -srckeystore C:\cer\mbg-data.preprod.hamiltongroup.com.pfx -destkeystore C:\cer\keystore.p12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcalias 1 -destalias mbg-data-preprod -srckeypass {redacted} -destkeypass {redacted} -srcstorepass {redacted} -deststorepass {redacted}

  2. I then put these jvm arguments into Run Configuration when running plan:

    -Djavax.net.ssl.keyStore=C:\cer\keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword={redacted}

When I run the plan, it works.

 

In one-desktop.ini:

I update one-desktop.ini with the same -D arguments.

Unfortunately, this one does not work. When running the plan it behaves like no args were passed.

 

In Admin Centre in example project:

  1. I installed the RDM example project into ONE Desktop

  2. Downloaded keycloak plugin

  3. Run Files/bin/start-keycloak.bat

  4. Update C:\Ataccama\14.5.1\runtime\bin\onlinectl.bat so that it reads:

    @echo off
    rem Start script for DQC - online server mode
    rem modify JAVA_OPTS to meet your needs (such as heap size settings, variables definitions, etc.)

    set JAVA_OPTS=-Djavax.net.ssl.keyStore=C:\cer\keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword={redacted}
    call "%~dp0\run_java.bat" com.ataccama.dqc.server.bin.OnlineCtl %*

  5. Run Files/bin/start-server.bat

  6. Run .ewf workflow

  7. Success!

 

So in a way I have kind of figured it out, but bit gutted that one-desktop.ini does not work.


  • Ataccamer
  • 150 replies
  • September 4, 2024

The ONE Desktop part is expected. When you run a plan from the desktop, a new process is created, and it doesn’t inherit the Desktop parameters. However, with the modified one-desktop.ini file, you should be able to successfully execute the step in debug mode.

As for how to replicate this in PaaS, I’d suggest discussing this via ticket with Support team.


may_kwok
Star Blazer L3
  • Author
  • Star Blazer L3
  • 84 replies
  • September 4, 2024

Aha! That has worked! Thanks!


