SSL exception thrown on server, but not locally in studio

Six Stars

Hello,

 

I'm facing a weird issue where my Job works fine when launched locally from Talend ESB studio on the server machine, but after deployment it throws:

org.apache.cxf.interceptor.Fault: Could not send Message.

Caused by: javax.net.ssl.SSLException: SSLException invoking https://test.salesforce.com/services/Soap/u/42.0: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

The scenario was working fine yesterday (deployed). It's failing on tESBConsumer. It throws the same result on the previous version of that job as well (this version had been working without any problems for at least two weeks). The server machine runs Windows Server 2016 with Java version 1.8.0_171.

 

Thanks in advance for any tips which will help me to at least track the root of my problem.

 


All Replies
Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

On which Talend ESB build version did you get this issue? Are you invoking a https service in runtime? Did you use the tSetKeystore component in your job and add SSL (truststore, keystore) configuration in the runtime configuration file?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SSL exception thrown on server, but not locally in studio

Hi,

 

It's the most recent version, we are keeping it up to date with all patches, for the studio - also 7.0.1. We don't need pcks in this webservice call, it's just the fact that this is a call to https endpoint signed by some certificate. It was working previously and stopped doing that without any actions made to it. It's also working when built from studio using the same jvm. Sorry but I don't fully understand "Are you invoking a https service in runtime?". Do you have any clues where I have the biggest chance to find the root of this problem? Is it something in Talend (for example studio is using different method to check list of known CAs than runtime), JVM or maybe the webservice we're calling is trying to play a game with us?

 

Thanks,

Michał

Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

We met this issue on v 6.1.1, "Exception in component tESBConsumer: org.apache.cxf.interceptor.Fault: Could not send Message", before, when running a job in which tESBConsumer is used to connect to a remote service. This is because the version of TLS used by Talend 6.1.1 is not compatible with the version that the service host can handle.

Are you using the Talend Open Studio for ESB product or a subscription solution?

If you are using Talend Open Studio, we would appreciate it if you could post screenshots of your webservice job settings on the forum, which will help us address the root of this problem.

If you are using a Talend subscription solution, it is recommended that you create a case on the Talend support portal so that we can give you remote assistance (WebEx session) through the support cycle with priority.

Best regards

Sabrina

 

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SSL exception thrown on server, but not locally in studio

Hi,

So I've tried to reach out to the Talend support portal, but I'm getting the following message after logon:

"We can't log you in. Check for an invalid assertion in the SAML Assertion Validator (available in Single Sign-On Settings) or check the login history for failed logins."

Is this a common mistake/issue? Or do I have to create another thread in different category?

 

Btw. the main issue seems to be with the JVM used by Talend: when using tESBProvider to an https endpoint, it's trying to find a valid certificate in the JVM's truststore but fails on that, so I have to find which JVM and which truststore it's using and then check if it's not found / no cert found in it / or not enough permissions to read it.

 

Thanks and best regards,

Michał

Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

It's not a common issue.

For your support portal login issue, could you please send an email to Customer Care <CustomerCare@talend.com>? Our colleagues from support team will help you as soon as possible.

Do you mean this SSL certificate is not recognized by the JVM?

Have you tried to upgrade your Java (JDK 1.8) to see if it works?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

Talend Runtime provides support for HTTP and HTTPS by default with the help of the pax web component. HTTP / HTTPS configuration for Talend Runtime is done in the org.ops4j.pax.web.cfg configuration file, located in TalendRuntimePath/container/etc/org.ops4j.pax.web.cfg.

 

To encrypt communication and secure the identification of a server, you can use the HTTPS protocol. HTTPS is based on SSL, which supports the encryption of messages sent via HTTP. To secure communication, HTTPS uses key pairs containing one public key and one private key. Data is encrypted with one key and can only be decrypted with the other key of the key pair. This establishes trust and privacy in message transfers.

 

For more information about the How-to steps, refer to SSL configuration.

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SSL exception thrown on server, but not locally in studio

Hi,

I've tried to update the JVM and use different ones, but it does not help. I don't know if the cert is not recognized / it's corrupted (for example certification path is swapped or sth like that) / doesn't exist at all at the location the JVM is trying to reach it / something doesn't have rights to write or read from it. I'll give feedback here when the issue is resolved.

 

Thanks,

Michał

Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

A remote assistance (webex session) will be helpful for us to address your issue.

Could you please send an email to Customer Care <CustomerCare@talend.com> with your support portal login issue?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SSL exception thrown on server, but not locally in studio

Yes, I've sent the mail to the Customer Care, waiting for a response.

Six Stars

Re: SSL exception thrown on server, but not locally in studio

Issue is now resolved with support portal help.
Moderator

Re: SSL exception thrown on server, but not locally in studio

Hello,

Would you mind sharing some solution with us on forum?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Six Stars

Re: SSL exception thrown on server, but not locally in studio

Sure,

Similar problems should be resolved with manual creation of configuration files and cert stores for your partner's endpoints. You can put the cert store anywhere; the configuration file has to be a copy of runtime/etc/org.apache.cxf.http.conduits-common.cfg

Just copy the file, replace "common" with your own suffix and edit "url", "tlsClientParameters.trustManagers.keyStore.file", "tlsClientParameters.keyManagers.keyStore.file" and passwords if necessary.

Regards,

Michał
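
A way to run the checks listed earlier in this thread (store not found, no cert in it, not readable) against a copied conduit file, added here as an example that is not from the original posts or from Talend: it reads the "tlsClientParameters.trustManagers.keyStore.file" key named in the solution and lists the entries of the store it points to. It assumes a JKS version 2 store and plain key = value lines; the function names are hypothetical and `sample_jks` builds a constructed store with dummy certificate bytes.

```python
import os
import struct

TRUST_KEY = "tlsClientParameters.trustManagers.keyStore.file"  # key named in the post

def jks_entries(data):
    """List (alias, kind) for a JKS version 2 blob; None if it is not parseable JKS."""
    if data[:4] != b"\xfe\xed\xfe\xed":
        return None
    pos, found = 8, []
    def field(fmt, body=True):  # read a length; with body=True return the bytes after it
        nonlocal pos
        (n,) = struct.unpack_from(fmt, data, pos)
        start = pos + struct.calcsize(fmt)
        pos = start + (n if body else 0)
        return data[start:pos] if body else n
    try:
        for _ in range(field(">I", False)):          # entry count follows the version
            tag, alias = field(">I", False), field(">H").decode()
            pos += 8                                 # creation timestamp
            if tag == 1:
                field(">I")                          # protected private key
            for _ in range(1 if tag == 2 else field(">I", False)):
                field(">H"); field(">I")             # certificate type, encoded bytes
            found.append((alias, "trustedCertEntry" if tag == 2 else "PrivateKeyEntry"))
    except (struct.error, UnicodeDecodeError):
        return None                                  # truncated or corrupted store
    return found

def diagnose(cfg_text):
    """Say why the conduit described by cfg_text could end up with no trust anchors."""
    props = dict(map(str.strip, ln.split("=", 1)) for ln in cfg_text.splitlines()
                 if "=" in ln and not ln.lstrip().startswith("#"))
    path = props.get(TRUST_KEY)
    if not path or not os.path.isfile(path):
        return "truststore path missing from cfg or file not found"
    try:
        with open(path, "rb") as fh:
            entries = jks_entries(fh.read())
    except PermissionError:
        return "truststore not readable by this account"
    if entries is None:
        return "not a readable JKS store"
    return "ok" if entries else "store holds no entries"

def sample_jks(aliases):
    """Constructed store holding dummy certificate bytes, for trying the checks."""
    entry = lambda a: (struct.pack(">IH", 2, len(a)) + a.encode() + bytes(8)
                       + struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 2) + b"\x30\x00")
    return (b"\xfe\xed\xfe\xed" + struct.pack(">II", 2, len(aliases))
            + b"".join(map(entry, aliases)) + bytes(20))  # bytes(20): digest placeholder
```

Run `diagnose` as the same account that runs the deployed runtime, since a store that a studio session can read may not be readable by the service account.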
