Getting Talend Open Studio internet connected in a corporate environment

Five Stars


This is not a question. This is an answer to a very specific case - if you are behind a domain-integrated HTTP/HTTPS proxy that insists on intercepting the HTTPS traffic. And a small comment on security. This particular experience is from Talend 7.0.

It starts with:

Network is unavailable, please fix it.

Except... it is fully available as far as you know... You quickly find that you need a proxy configured. But it does not work. Talend stays stubbornly offline.

That is because the studio at startup tries to access talend.com over HTTPS and if it fails... well, you MUST be offline... Had to go read the source code on GitHub for that bit of wisdom.

First clue can be found in workspace\.metadata\.log

There will be a bunch of SSL certificate chain validation errors for Maven if the proxy is configured right. That's because your employer insists on reading your SSL traffic and thus has substituted the certificate with a chain of its own.

Security note - there will also be your proxy password in plain text. Not a good thing if it is also your domain password...

So what can you do about the SSL errors? If you do not have control over the JVM... not much. But if you do... you can import the naughty intercept CAs into the Java cacerts store with keytool like so:

C:\Program Files\Java\jdk1.8.0_162>.\bin\keytool -keystore jre\lib\security\cacerts -importcert -alias aliasforca -file "c:\tmp\cacert.cer"
Enter keystore password:
Certificate was added to keystore

The password is changeit in all Java installs.

You may wonder where I got the certs... well, you can browse to the site and see/export the cert chain used. And hey presto. It works.

Enjoy this small bit of wisdom :)
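The import step from the post with checks made before the certificate is trusted, as an added example that is not part of the original post. The paths and alias are the ones from the post, $expected is a placeholder for a fingerprint obtained out of band, and the import only affects the JVM whose cacerts file is changed.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
$javaHome = 'C:\Program Files\Java\jdk1.8.0_162'  # JDK from the post; use the JVM Studio really runs on
$certFile = 'C:\tmp\cacert.cer'                   # exported CA certificate, path from the post
$alias    = 'aliasforca'                          # alias from the post
$expected = '<SHA-256 fingerprint from your PKI team>'  # placeholder, obtained out of band

$keytool = Join-Path $javaHome 'bin\keytool.exe'
$cacerts = Join-Path $javaHome 'jre\lib\security\cacerts'

# Parse the file with .NET so the checks do not depend on keytool's output format.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$sha256.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $actual"

# 1. It must be a CA certificate (the proxy's signing CA), not the leaf presented for one site.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate, refusing to import.' }

# 2. It must still be valid.
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired.' }

# 3. It must be the CA your organisation operates, not just whatever the browser showed.
if ($actual -ne (($expected -replace '[^0-9A-Fa-f]', '').ToUpper())) {
    throw 'Fingerprint does not match the expected value, refusing to import.'
}

# Keep one backup of the untouched store, import, then confirm the alias is present.
if (-not (Test-Path -LiteralPath "$cacerts.bak")) {
    Copy-Item -LiteralPath $cacerts -Destination "$cacerts.bak"
}
& $keytool -importcert -keystore $cacerts -alias $alias -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
& $keytool -list -keystore $cacerts -alias $alias
```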

Moderator

Re: Getting Talend Open Studio internet connected in a corporate environment

Hello,

Thanks for sharing it on forum.

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
One Star

Re: Getting Talend Open Studio internet connected in a corporate environment

@thade

It will be very helpful if you can also detail the process to export the certificate too. I don't have any experience in that space, and from your response it's not clear from which site you exported the certificate.

Five Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

You need to open talend.com in a browser (IE works), click on the cert info, then see and export the cer files.
Four Stars

Re: Getting Talend Open Studio internet connected in a corporate environment


Can you elaborate a bit more on this? The corporate cert should be imported into the store, correct? The "-keystore" parameter doesn't appear to be valid, so I removed it and was able to add the certificate but still get the error.

Two Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

I am having a similar issue. Not sure if it's exactly the same. Is there any way you guys can provide a more detailed explanation on this? It seems like Talend should have the ability to connect behind a firewall. I don't really get why it would be that difficult to do. Generally when installing packages with Python or R or anything else you just have to put in the proxy. I tried editing the proxy in the network connection preferences and it doesn't let me do anything in there, and it doesn't even give you an error that tells you what the problem is; it just has an X. Any help would be appreciated.

Five Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

You need to set the proxy to "manual" from the drop-down above to set anything there.

Two Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

Yeah I tried changing to manual. Still just gives the X so I don't really know what the problem is.

Two Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

Okay I figured it out actually. I was using the dark theme and the errors were not showing because of that. Talend Devs should fix that. So I was able to configure the proxy and connect pretty easily after being able to see the error message. All I had to do was put in the proxy that my company uses.

Moderator

Re: Getting Talend Open Studio internet connected in a corporate environment

Hello @iamauser,

What OS are you using? About your dark theme issue, have you already created a work item Jira issue on the Talend bug tracker?

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
Five Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

A note - this is no longer working fully on 7.2. You can get past Talend not seeing "network", but the library loader/updater is using some sort of a backend library that a) does not care about the proxy conf set in Talend or even in the Java environment, and if you use the global Java conf it will fail to authenticate to your NTLM corporate proxy. As is - I ended up going back to 7.0 as I failed to get 7.2 to play nice with the corp proxy...

Five Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

!ENTRY org.talend.platform.logging 2 0 2019-07-24 11:26:46.423
!MESSAGE 2019-07-24 11:26:46,414 WARN shaded.org.apache.http.impl.auth.HttpAuthenticator - NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

That's what it puts in logs.
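The first post's security note says the proxy password ends up in workspace\.metadata\.log in plain text, and excerpts from that log get pasted into threads like this one. An added example, not written by anyone in this thread, that searches the log for the literal password and writes a masked copy for sharing; the output path is an assumption.

```powershell
# Added example, not from the thread. Finds a known password in the log and writes a masked copy.
$logPath = 'workspace\.metadata\.log'                     # log named in the first post
$outPath = Join-Path $env:TEMP 'studio-log-redacted.txt'  # hypothetical output location

# Prompt without echoing, so the password does not land in the console or history.
$secure = Read-Host -Prompt 'Proxy password to look for' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    if ([string]::IsNullOrEmpty($plain)) { throw 'Empty password, nothing to search for.' }

    # The password may appear literally or URL-encoded (for example inside a proxy URL).
    $needles = @($plain, [Uri]::EscapeDataString($plain)) | Select-Object -Unique

    $hits = @(Select-String -LiteralPath $logPath -Pattern $needles -SimpleMatch -CaseSensitive)
    if ($hits.Count -eq 0) {
        'Password not found in the log.'
    } else {
        # Report line numbers only, never the matching text.
        "Password found on line(s): $(($hits.LineNumber | Sort-Object -Unique) -join ', ')"
    }

    # Write a copy with every occurrence masked; the original log is left untouched.
    Get-Content -LiteralPath $logPath | ForEach-Object {
        $line = $_
        foreach ($n in $needles) { $line = $line.Replace($n, '<REDACTED>') }
        $line
    } | Set-Content -LiteralPath $outPath
    "Masked copy written to $outPath"
}
finally {
    # Wipe the unmanaged copy of the password and drop the managed references.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain, needles -ErrorAction SilentlyContinue
}
```

If the password is found, the original log still contains it, so changing the password is the fix; the masked copy only makes the log safe to share.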
