
SSL Configuration Talend RunTime

Hi All,
I have been trying to move a few web services on Talend RunTime from http to https. I'm able to expose the services on port 9001 using the default keystore provided by Talend, but when I try to use a new keystore, which has a self-signed certificate from Salesforce, the services aren't exposed and I get a "java.io.IOException: Keystore was tampered with, or password was incorrect" in the logs. Below is the sequence of steps I tried; kindly help me in figuring out the right way to do this, I am a newbie to https.
1) Downloaded the self-signed certificate file from salesforce (Cert1.cer)
2) Generated a keystore through the console with the above certificate using the following command:
keytool -importcert -alias sfcert -file Cert1.cer -storetype jks -keystore sfkeystore.jks -storepass sfpass -keypass sfpass
3) Copied the generated "sfkeystore.jks" file to the /etc/keystores directory of Talend
4) Modified the "org.ops4j.pax.web.cfg" file to the below contents,
org.osgi.service.http.port=8040
org.osgi.service.http.port.secure=9001
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/sfkeystore.jks
org.ops4j.pax.web.ssl.password=sfpass
org.ops4j.pax.web.ssl.keypassword=sfpass
With the above config, the services aren't running at all because of the incorrect password error. Are there any additional steps I should be doing to make this work?

warm regards,
Praveen

3 REPLIES

Re: SSL Configuration Talend RunTime

I'm unsure whether the key you're downloading is meant as the *client's* key (i.e., you're making SOAP calls against salesforce and it is optionally requiring client key authentication, not always needed with SSL), or is the server's public cert (i.e., you're making SOAP calls against salesforce). Since you're downloading the key, I'm assuming the latter (i.e., you're downloading salesforce's public key with the intention of making SOAP calls against it--am I correct?). You normally don't download self-signed certificates but instead create them yourself (see Step #1 here: http://www.jroller.com/gmazza/entry/ssl_for_web_services). If this is the case:
1.) In your keytool -import of the server's key, you should be using the -trustcacerts flag, see item #8 here: http://www.jroller.com/gmazza/entry/ssl_for_web_services
You also won't have a -keypass setting, as you won't know the private key password, you're just importing the server's public cert and it doesn't have an internal password. (-keypass is needed though for client key generation).
2.) Once done, use the keytool -list command to confirm you have the keystore password (*not* key password) correct, as shown in Step #3 here: http://www.jroller.com/gmazza/entry/metro_sts_tutorial#MetroSTS3.
Again, though I don't know what the purpose is of the cert you're downloading--I can't see salesforce providing self-signed certs, rather public certs for making SOAP calls against it. (i.e., you may not even need the cert salesforce is providing you if you're not making SOAP calls against it.)

Re: SSL Configuration Talend RunTime

Hi gmazza,
Seems like I have messed up in what I am trying to do. Basically I have a web service running on an external server, and I'm making SOAP calls against it from SalesForce. Currently the service is running on http and I need to configure it for https. I configured Talend RunTime to expose its services on https on port 443 and used the default keystore of Talend.
When I tried to make the SOAP call from salesforce, SalesForce threw an Exception "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
I assumed that I needed a valid certificate for https on the external server that Salesforce approves, and thought I could use the Salesforce self-signed certificate (is this a completely wrong approach?). Can you tell me what should be done to make this work?

Re: SSL Configuration Talend RunTime

Invariably that error message means that the service's public cert is not in the SOAP client's truststore. Now, which is the service and which is the SOAP client depends on your particular circumstance, but when you make a SOAP call, the client goes to its truststore to find the web service provider's public cert (imported as a trustcacerts entry) and does not find it.
Glen
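As an added example (not from this thread, and not Talend's or Pax Web's own code), a small Java diagnostic that loads a JKS file the way the runtime does and reports whether it holds a private key entry (what an HTTPS listener needs) or only trusted certificates (a truststore, which is what importing Cert1.cer with keytool -importcert produces). The file path and password are assumptions taken from the question.

```java
// Added example: distinguish a server keystore from a truststore and surface the
// password error seen in the question. Path and password below are assumed.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

public class KeystoreCheck {

    /** Loads a JKS keystore. A wrong store password surfaces as an IOException
     *  whose message is "Keystore was tampered with, or password was incorrect". */
    static KeyStore load(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Returns true only if some alias carries a private key, which is what
     *  org.ops4j.pax.web.ssl.keystore must point at to serve HTTPS. */
    static boolean canServeTls(KeyStore ks) throws GeneralSecurityException {
        boolean hasPrivateKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                System.out.println(alias + ": PrivateKeyEntry (usable as server keystore)");
                hasPrivateKey = true;
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": TrustedCertificateEntry (truststore only)");
            }
        }
        return hasPrivateKey;
    }

    public static void main(String[] args) {
        // Assumed defaults; pass a path and store password as arguments to override.
        String path = args.length > 0 ? args[0] : "etc/keystores/sfkeystore.jks";
        char[] pass = (args.length > 1 ? args[1] : "sfpass").toCharArray();
        try {
            if (!canServeTls(load(path, pass))) {
                System.out.println("No private key found: this is a truststore, not a server keystore.");
            }
        } catch (IOException | GeneralSecurityException e) {
            // A wrong -storepass (or a corrupted file) lands here, as in the posted log.
            System.out.println("Could not open keystore: " + e.getMessage());
        }
    }
}
```

If the output shows only TrustedCertificateEntry aliases, the file can serve as a client truststore but cannot back an HTTPS listener; a server keystore needs a key pair generated with keytool -genkeypair (or a CA-issued certificate imported against that key).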