How do I use a proxy certificate in One Desktop?

Hi @Marcel-Jan, thank you for taking the time to share your question in detail. I’ve checked with our team and you can workaround it by passing a parameter in the VM arguments. To give a bit more background, when we run a .plan in ONE Desktop the plan is executed within a Java Virtual Machine (VM).

The parameter property  ignoreCertificateErrors  determines whether certification related error messages are ignored or not. When retrieving web pages via https, ONE Desktop's running Java VM, will check that the SSL Certificate is valid and trusted. If not you may see a similar SSL certificate error.

These error messages can be ignored by setting this property to true

Follow the steps below to change the property:

1. In ONE Desktop, have your .plan open and run the plan.
2. Then in the dropdown, please select Run Configuration.
3. A dialogue box should appear, choose the Runtimes tab from here.
4. Paste -DhttpClient.ignoreCertificateErrors=true into the VM Arguments box.
    

   

5. Click Apply, and then run your plan again.
   
   Please let me know how it goes or if you have any questions 🙋‍♀️

So I found the Run configuration here (just sharing for others playing along):

It’s good that there is extra debugging possible here as well. 

But even with the -DhttpClient.ignoreCertificateErrors=true option I get Connection reset errors.

2024-01-23 10:50:17 [INFO]    org.apache.http.impl.client.DefaultHttpClient I/O exception (java.net.SocketException) caught when connecting to {s}->https://mydev.service-now.com:443: Connection reset

2024-01-23 10:50:17 [INFO]    org.apache.http.impl.client.DefaultHttpClient Retrying connect to {s}->https://mydev.service-now.com:443

23.01.2024 10:50:17 [DEBUG]   [JsonCall] IOException when making request POST https://mydev.service-now.com/api/now/import/u_str_call HTTP/1.1

java.net.SocketException: Connection reset

    at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:323)

    at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)

    at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)

    at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)

    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:484)

    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:478)

    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)

    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)

    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)

    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)

    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)

    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)

    at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:570)

    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)

    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:415)

    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)

    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:326)

    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)

    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)

    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)

    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)

    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)

    at com.ataccama.dqc.io.http.CommonHttpClient.makeRequest(CommonHttpClient.java:365)

    at com.ataccama.dqc.io.http.CommonHttpClient.access$100(CommonHttpClient.java:70)

    at com.ataccama.dqc.io.http.CommonHttpClient$RequestTask.run(CommonHttpClient.java:516)

    at java.base/java.lang.Thread.run(Thread.java:833)

23.01.2024 10:50:17 [INFO]     Stopping runtime...

Our firewall people say they opened the connection to ServiceNow for me, so I should be able to connect to that without proxy. And still.. Connection reset. Very confusing.

Today I dived deeper into the Connection reset error. This article about it is quite good: Troubleshooting java.net.SocketException: Connection reset - Mastertheboss

I decided to try this out on the One App server by creating a workflow that runs this component. On the server I also got the Connection reset error. But running this on the server allowed me to do a tcpdump of this. And thanks to that info I found out that the connection actually reaches the ServiceNow server.

That means that this is not a proxy issue and this question is basically kind of answered.

Hi @Marcel-Jan thank you for sharing an update here. I’m checking with the team about what might be the issue 👍

Hi @Marcel-Jan ,

Please try the following steps to investigate the issue further:

1. On the Postman, please enable SSL Authentication: go to setting > General > SSL certificate verification:

Run the API again and observe the result.

2. In ONE Desktop, try to run the plan with this parameter: -Dcom.sun.net.ssl.checkRevocation=false 

If the result is error in step 1 and we can run the plan successfully in step 2 then the issue lies in installing certificates. We need to import the Root and sub CA certificates of ServiceNow to {ONE Home}\jre\lib\security\cacerts using the keytool tool

To import all certificates from an existing keystore, run the following command in java:

keytool -importkeystore -srckeystore <source_keystore> -destkeystore <target_keystore>

For example:

keytool -importkeystore -srckeystore gateway.jks -destkeystore dest.jsk

Alternatively, import a specific certificate from a keystore:
List the certificates that are in the java keystore (JKS) file with this command:

keytool -list -v -keystore <source_keystore>

For example:

keytool -list -v -keystore gateway.jks

Export the selected certificate from a source keystore to a certificate file with this command:

keytool -exportcert -alias <certificate_alias> -file <certificate> -keystore <source_keystore>

For example:

keytool -exportcert -alias certificate-alias -file C:/myCertificate -keystore gateway.jks

Import the certificate to an existing Java keystore with this command:

keytool -importcert -alias <certificate_alias> -file <certificate> -keystore <target_keystore>

When asked if you Trust this certificate? Please answer: yes.

For example:

keytool -importcert -alias certificate-alias -file C:/myCertificate -keystore <JAVA_HOME>/lib/security/cacerts

Then run the plan again.

Please let me know the result at your side.

Hi Abby,

Thanks for your thorough response. I really appreciate it.

I enabled SSL certificate verification in Postman. But the request still succeeds.

And I added -Dcom.sun.net.ssl.checkRevocation=false  to the Run configuration on my component. And that still fails in Connection resets.

After all kinds of tcpdumps and other network sniffing it seems pretty clear the connection does reach ServiceNow, but something resets the connection on the way back. Likely that's the proxy.

For this I have a .crt file that I can try to use. I tried to add it, but it asks me to enter a password. I don't know that one.

keytool.exe -importcert -alias PostmanSnow -file "servicenow.crt" -keystore cacerts

Hi @Marcel-Jan ,

Kindly submit a support ticket at support.ataccama.com for additional assistance. This will enable our support team to provide you with further support.

Best regards,

Abbey