I’m trying to build a GET API call to an external data provider.
This provider requires me to send my GET call with the certificate.
We managed to test it in POSTMAN, where I had to add the certificate in the Settings → Certificates menu:
I have a .pfx file with a passphrase, and I needed to specify the host.
This works on my laptop in POSTMAN.
Now I’m trying to do the same call in ONE Desktop using JSON Call step.
By way of googling, I’ve managed to convert my .pfx file into .cer, then I imported the .cer file into {DQC_HOME}/jre/lib/security/cacerts. Then I restarted ONE Desktop. But when I call the API I’m still getting an error message from the other side saying my certificate is not sent.
I have a suspicion that the certificate is sitting in the keystore but it is not used. Is there some way to ensure it is used? Some java parameter somewhere?
Best answer by may_kwok
OK… so I found my problem: I had somehow lost 1 character from the JVM arg, which meant that the password wasn’t read.
So, I have now tried 3 ways, and 2 of them work:
In Run Configuration:
I have a .pfx file. I convert it to a .p12 file by running:
I update one-desktop.ini with the same -D arguments.
Unfortunately, this one does not work. When running the plan it behaves like no args were passed.
In Admin Centre in example project:
I installed the RDM example project into ONE Desktop
Downloaded keycloak plugin
Run Files/bin/start-keycloak.bat
Update C:\Ataccama\14.5.1\runtime\bin\onlinectl.bat so that it reads:
@echo off
rem Start script for DQC - online server mode
rem modify JAVA_OPTS to meet your needs (such as heap size settings, variables definitions, etc.)
set JAVA_OPTS=-Djavax.net.ssl.keyStore=C:\cer\keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword={redacted}
call "%~dp0\run_java.bat" com.ataccama.dqc.server.bin.OnlineCtl %*
Run Files/bin/start-server.bat
Run .ewf workflow
Success!
So in a way I have kind of figured it out, but I’m a bit gutted that one-desktop.ini does not work.
What you describe for Postman is a mutual TLS (mTLS) configuration, where the client has to authenticate itself to the server with a certificate. That’s not the same as importing a custom CA certificate into the keystore.
Here is an excerpt from the JSON Call help on how to enable mTLS:
Support for Mutual TLS (mTLS) Authentication
To enable using mutual TLS authentication, where client certificates are verified in addition to server certificates, the following Java arguments need to be provided:
javax.net.ssl.keyStore: Points to the keystore containing the client certificate and the corresponding private key. This can also be a .p12 file.
javax.net.ssl.keyStorePassword: The password for the keystore.
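An added preflight check, not part of this thread or of Ataccama’s code, that loads the keystore from exactly those javax.net.ssl.* properties and reports whether it actually holds a client private key; the class name and messages are my own, and it is meant to be run with the same -D arguments you hand to the JVM.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Preflight for mTLS: load the keystore from the same javax.net.ssl.* system
 * properties the JSON Call step relies on and confirm it holds a private key.
 * Usage (hypothetical class name): java -Djavax.net.ssl.keyStore=C:\cer\keystore.p12
 *   -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=... MtlsKeyStoreCheck
 */
public class MtlsKeyStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String type = System.getProperty("javax.net.ssl.keyStoreType", "pkcs12");
        String pw = System.getProperty("javax.net.ssl.keyStorePassword");
        if (path == null) {
            throw new IllegalStateException("javax.net.ssl.keyStore not set: no client certificate will be sent");
        }
        // A missing password is what surfaces later as UnrecoverableKeyException
        // "Cannot read the array length because \"password\" is null" when the
        // SunX509 KeyManager reads the private key out of a PKCS#12 store.
        if (pw == null) {
            throw new IllegalStateException("javax.net.ssl.keyStorePassword not set (check the -D argument for a lost character)");
        }
        char[] password = pw.toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // a wrong password fails here, not at connection time
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, cannot authenticate the client");
                continue;
            }
            Key key = ks.getKey(alias, password); // same call the KeyManager makes
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + ": " + key.getAlgorithm() + " private key, subject "
                    + cert.getSubjectX500Principal() + ", valid until " + cert.getNotAfter());
            keyEntries++;
        }
        if (keyEntries == 0) {
            throw new IllegalStateException("no private-key entry: importing a .cer into cacerts is not an mTLS client identity");
        }
    }
}
```

If this class prints a private-key entry with the expected subject, the JVM arguments are correct and any remaining failure is on the server side or in how the step is launched.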
I am super sad right now. I changed none of the configurations and yet when I try to run this today, I get:
com.ataccama.dqc.commons.util.reflect.WrappingRuntimeException: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
	at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:139)
	at com.ataccama.dqc.tasks.io.json.call.JsonCall$Runtime.run(JsonCall.java:339)
	at com.ataccama.dqc.processor.internal.runner.ComplexStepNode.runNode(ComplexStepNode.java:64)
	at com.ataccama.dqc.processor.internal.runner.RunnableNode.run(RunnableNode.java:29)
	at com.ataccama.dqc.commons.threads.AsyncExecutor$RunningTask.run(AsyncExecutor.java:135)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:450)
	at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
	at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
	at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141)
	at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64)
	at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275)
	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:301)
	at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:320)
	at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:130)
	... 5 more
Caused by: java.lang.NullPointerException: Cannot read the array length because "password" is null
	at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:259)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
	... 13 more
The ONE Desktop part is expected. When you run a plan from the desktop, a new process is created, and it doesn’t inherit the Desktop parameters. However, with the modified one-desktop.ini file, you should be able to successfully execute the step in debug mode.
As for how to replicate this in PaaS, I’d suggest discussing it via a ticket with the Support team.