
I’m trying to build a GET API call to an external data provider.

This provider requires me to send my GET call with the certificate.

We managed to test it in POSTMAN, where I had to add the certificate in the Settings → Certificates menu:


I have a .pfx file with a passphrase, and I needed to specify the host.

This works on my laptop in POSTMAN.


Now I’m trying to do the same call in ONE Desktop using JSON Call step.

By way of googling, I managed to convert my .pfx file into a .cer, then I imported the .cer file into {DQC_HOME}/jre/lib/security/cacerts. Then I restarted ONE Desktop. But when I call the API I’m still getting an error message from the other side saying my certificate is not sent.

I have a suspicion that the certificate is sitting in the keystore but it is not used. Is there some way to ensure it is used? Some java parameter somewhere?

Hi @maykwok_hamilton,

What you describe for Postman is a mutual TLS (mTLS) configuration, where the client has to authenticate itself to the server with a certificate. That’s not the same as importing a custom CA certificate into the keystore.

Here is an excerpt from the JSON Call help on how to enable mTLS:

Support for Mutual TLS (mTLS) Authentication

To enable using mutual TLS authentication, where client certificates are verified in addition to server certificates, the following Java arguments need to be provided:

  • javax.net.ssl.keyStore: Points to the keystore containing the client certificate and the corresponding private key. This can also be a .p12 file.
  • javax.net.ssl.keyStorePassword: The password for the keystore.

Hi @AKislyakov ,

I’m so very nearly there!

What I found is that I was using cacerts (a truststore) and wanted to use that as a keystore, which is the wrong thing to do.

So I had to use my .pfx file to create a .p12 keystore.

When I define the jvm args in the Run Configuration → Runtimes, I get the success response:

If I define the jvm args in one-desktop.ini, I get the failure response.

How can I ensure the jvm args that I define in the Run Configuration, will be read by the runtime server when I push it to PaaS?


(cc @Scott Barden / @Sharon )


I am super sad right now. I changed none of the configurations and yet when I try to run this today, I get:

com.ataccama.dqc.commons.util.reflect.WrappingRuntimeException: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
    at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:139)
    at com.ataccama.dqc.tasks.io.json.call.JsonCall$Runtime.run(JsonCall.java:339)
    at com.ataccama.dqc.processor.internal.runner.ComplexStepNode.runNode(ComplexStepNode.java:64)
    at com.ataccama.dqc.processor.internal.runner.RunnableNode.run(RunnableNode.java:29)
    at com.ataccama.dqc.commons.threads.AsyncExecutor$RunningTask.run(AsyncExecutor.java:135)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Cannot read the array length because "password" is null
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:450)
    at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
    at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
    at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:141)
    at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64)
    at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:275)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:301)
    at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:320)
    at com.ataccama.dqc.io.http.CommonHttpClient.<init>(CommonHttpClient.java:130)
    ... 5 more
Caused by: java.lang.NullPointerException: Cannot read the array length because "password" is null
    at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:259)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
    ... 13 more


OK… so I found my problem: I had somehow lost 1 character from the jvm arg, which meant that the password wasn’t read.

So, I have now tried 3 ways, and 2 of them work:

In Run Configuration:

  1. I have a .pfx file. I convert it to a .p12 file by running:

    C:\Ataccama\14.5.1\jre\bin>keytool -importkeystore -srckeystore C:\cer\mbg-data.preprod.hamiltongroup.com.pfx -destkeystore C:\cer\keystore.p12 -srcstoretype pkcs12 -deststoretype pkcs12 -srcalias 1 -destalias mbg-data-preprod -srckeypass {redacted} -destkeypass {redacted} -srcstorepass {redacted} -deststorepass {redacted}

  2. I then put these jvm arguments into Run Configuration when running the plan:

    -Djavax.net.ssl.keyStore=C:\cer\keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword={redacted}

When I run the plan, it works.


In one-desktop.ini:

I update one-desktop.ini with the same -D arguments.

Unfortunately, this one does not work. When running the plan it behaves like no args were passed.


In Admin Centre in example project:

  1. I installed the RDM example project into ONE Desktop

  2. Downloaded keycloak plugin

  3. Run Files/bin/start-keycloak.bat

  4. Update C:\Ataccama\14.5.1\runtime\bin\onlinectl.bat so that it reads:

    @echo off
    rem Start script for DQC - online server mode
    rem modify JAVA_OPTS to meet your needs (such as heap size settings, variables definitions, etc.)

    set JAVA_OPTS=-Djavax.net.ssl.keyStore=C:\cer\keystore.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword={redacted}
    call "%~dp0\run_java.bat" com.ataccama.dqc.server.bin.OnlineCtl %*

  5. Run Files/bin/start-server.bat

  6. Run .ewf workflow

  7. Success!

So in a way I have kind of figured it out, but I’m a bit gutted that one-desktop.ini does not work.
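Two things in this thread are worth being able to check before starting the server: whether the file handed to javax.net.ssl.keyStore actually holds a private-key entry (a truststore such as cacerts contains only trusted certificates, so no client certificate can ever be presented from it, which is why the provider reported the certificate as "not sent"), and whether the key password reaches the key manager (a null password on a PKCS12 store fails inside KeyManagerFactory.init, the same call that appears in the stack trace above). The following Java diagnostic is an added example, not code from this thread or from Ataccama. It loads the keystore the way the JVM's default key manager does when -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword are set, lists the private-key aliases, and asks the resulting X509KeyManager which alias it would present to a server. The class name, the command-line arguments, and the use of the store password as the key password (what the JVM does with keyStorePassword) are my assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Diagnostic for a client keystore intended for mTLS (added example, not project code).
 * Usage: java KeystoreMtlsCheck <path-to-keystore> <store-password> [type]
 * 'type' defaults to PKCS12, the format of .pfx / .p12 files.
 */
public class KeystoreMtlsCheck {

    /** Load the keystore from disk. A null password mirrors a missing -Djavax.net.ssl.keyStorePassword. */
    static KeyStore load(String path, char[] password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases that hold a private key; only these can back a client certificate. */
    static List<String> privateKeyAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                result.add(alias);
            }
        }
        return result;
    }

    /** Build the key manager the same way the HTTP client stack does: KeyManagerFactory.init(ks, password). */
    static X509KeyManager buildKeyManager(KeyStore ks, char[] keyPassword) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // With a PKCS12 store, a null keyPassword here is what produces the
        // UnrecoverableKeyException / NullPointerException seen in the thread.
        kmf.init(ks, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new GeneralSecurityException("no X509KeyManager available from " + kmf.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreMtlsCheck <keystore> <password> [type]");
            System.exit(2);
        }
        String type = args.length > 2 ? args[2] : "PKCS12";
        char[] pw = args[1].toCharArray();
        KeyStore ks = load(args[0], pw, type);

        List<String> keyAliases = privateKeyAliases(ks);
        System.out.println("entries: " + ks.size() + ", private-key entries: " + keyAliases);
        if (keyAliases.isEmpty()) {
            System.out.println("No private-key entry: this is a truststore (like cacerts), "
                    + "not a client keystore, so no client certificate can be presented.");
            return;
        }
        for (String alias : keyAliases) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " -> " + cert.getSubjectX500Principal()
                    + " (valid until " + cert.getNotAfter() + ")");
        }

        // Same password for store and key, as the JVM does with javax.net.ssl.keyStorePassword.
        X509KeyManager km = buildKeyManager(ks, pw);
        // Ask which alias would be offered to a server that accepts RSA or EC client certificates.
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("key manager would present alias: " + chosen);

        // Null trust managers = the JVM default truststore (cacerts), which is where server
        // certificates are verified; client identity comes only from the key managers.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {km}, null, null);
        System.out.println("SSLContext initialised for " + ctx.getProtocol());
    }
}
```

Run it with the same path and password you put into the -D arguments; if it prints no private-key entries, the file is a truststore and importing more .cer files into it will not help, and if it fails inside buildKeyManager with the password you think you configured, the value is not arriving intact (as happened with the lost character above).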


The ONE Desktop part is expected. When you run a plan from the desktop, a new process is created, and it doesn’t inherit the Desktop parameters. However, with the modified one-desktop.ini file, you should be able to successfully execute the step in debug mode.

As for how to replicate this in PaaS, I’d suggest discussing this via a ticket with the Support team.


Aha! That has worked! Thanks!
