Getting Talend Open Studio internet connected in a corporate environment

Four Stars

Getting Talend Open Studio internet connected in a corporate environment

This is not a question. This is an answer  to a very specific case - if you are behind a domain integrated HTTP/HTTPS proxy that insists in intercepting the HTTPS traffic. And a small comment on security. This particular experience is from Talend 7.0.

 

It starts with:

Network is unavailable, please fix it.

Except... it is fully available as far as you know... You quickly find that you need a proxy configured. But it does not work. Talend stays stubbornly offline.

 

That is because the studio at startup tries to access talend.com over https and if it fails... well, you MUST be offline... Had to go read sourcecode on github for that bit of wisdom.

 

First clue can be  found in workspace\.metadata\.log

There will be a bunch of SSL certificate chain validation errors for maven if the proxy is configured right. That's because your employer insists reading your ssl traffic and thus has substituted the certificate with a chain of it's own. 

 

Security note - there will also be your proxy password in plain text. Not a good thing if it is also your domain password...

 

So what you can do about the SSL errors? If you do not have control over the jvm... not much. but if you do... you can import the naughty intercept CAs into java cacert store with keytool like so:

 

C:\Program Files\Java\jdk1.8.0_162>.\bin\keytool -keystore jre\lib\security\cacerts -importcert -alias aliasforca -file "c:\tmp\cacert.cer"
Enter keystore password:
Certificate was added to keystore

 

the password is changeit in all java installs.

 

you may wonder where I got the certs... well you can browse to site and see/export the cert chain used. And hey presto. It works. 

 

Enjoy this small bit of wisdom Smiley Happy

Moderator

Re: Getting Talend Open Studio internet connected in a corporate environment

Hello,

Thanks for sharing it on forum.

Best regards

Sabrina

--
Don't forget to give kudos when a reply is helpful and click Accept the solution when you think you're good with it.
One Star

Re: Getting Talend Open Studio internet connected in a corporate environment

@thade

It will be very helpful if you can also detail out the process to export the certificate too, I dont have any experience in that space and from your response its not clear from which site you exported the certificate.

 

Four Stars

Re: Getting Talend Open Studio internet connected in a corporate environment

you need to open talend.com in browser(ie works), click on cert info see and export the cer files.
Four Stars

Re: Getting Talend Open Studio internet connected in a corporate environment


@thade wrote:

This is not a question. This is an answer  to a very specific case - if you are behind a domain integrated HTTP/HTTPS proxy that insists in intercepting the HTTPS traffic. And a small comment on security. This particular experience is from Talend 7.0.

 

It starts with:

Network is unavailable, please fix it.

Except... it is fully available as far as you know... You quickly find that you need a proxy configured. But it does not work. Talend stays stubbornly offline.

 

That is because the studio at startup tries to access talend.com over https and if it fails... well, you MUST be offline... Had to go read sourcecode on github for that bit of wisdom.

 

First clue can be  found in workspace\.metadata\.log

There will be a bunch of SSL certificate chain validation errors for maven if the proxy is configured right. That's because your employer insists reading your ssl traffic and thus has substituted the certificate with a chain of it's own. 

 

Security note - there will also be your proxy password in plain text. Not a good thing if it is also your domain password...

 

So what you can do about the SSL errors? If you do not have control over the jvm... not much. but if you do... you can import the naughty intercept CAs into java cacert store with keytool like so:

 

C:\Program Files\Java\jdk1.8.0_162>.\bin\keytool -keystore jre\lib\security\cacerts -importcert -alias aliasforca -file "c:\tmp\cacert.cer"
Enter keystore password:
Certificate was added to keystore

 

the password is changeit in all java installs.

 

you may wonder where I got the certs... well you can browse to site and see/export the cert chain used. And hey presto. It works. 

 

Enjoy this small bit of wisdom Smiley Happy


Can you elaborate a bit more on this? The corporate cert should be imported into the store correct? The "-keystore" parameter doesn't appear to be valid so I removed it and was able to add the certificate but still get the error.