如何使用pentaho Data Integration / Rest Client使用信任存储?

时间:2016-01-28 10:46:06

标签: rest ssl truststore pdi

我正在使用Pentaho Data Integration(Kettle)。我的目标是使用HTTPS使用现有的REST API。为此,我使用pdi提供的REST客户端。

在我的本地环境中,我可以使用此API。但是,一旦我在生产服务器(redhat)上推送它并运行该作业,我就会收到与SSL证书相关的错误:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

要提供目标证书,我首先使用keytool [in / home / user /]将其添加到新的密钥库中:

keytool -importcert -keystore spoc.truststore -alias spoc-preprod  -file cert.crt -noprompt

为了让PDI使用这个信任库,我已经像这样配置了其余的客户端:

Rest client SSL truststore configuration

一旦推动生产中的相关转型并完成工作,我就会遇到不同的错误:

Keystore was tampered with, or password was incorrect

    at org.pentaho.di.trans.steps.rest.Rest.setConfig(Rest.java:274)
    at org.pentaho.di.trans.steps.rest.Rest.init(Rest.java:483)
    at org.pentaho.di.trans.step.StepInitThread.run(StepInitThread.java:65)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.pentaho.di.trans.steps.rest.Rest.setConfig(Rest.java:249)
        ... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 6 more

我确定我提供的密钥库的路径(如果输入虚拟路径,则找不到文件异常),而且我对密码更加确定。

经过两天的搜索,我在互联网上找不到任何类似的问题。这就是为什么我现在需要你的帮助:)。

NANS

3 个答案:

答案 0 :(得分:1)

我知道我可能迟到了,但几天前我遇到了同样的问题。我使用密钥库的默认密码解决了它,正如this answer解释的那样,changeit

答案 1 :(得分:0)

  1. 将用于 api 请求的 URL 复制并粘贴到浏览器(chrome、firefox)中
  1. 点击 URL 开始前的锁定图标
  2. 选择证书
  3. 转到详细信息标签
  4. 点击复制到文件,然后点击下一步
  5. 保持默认选择的类型(DER编码)
  6. 点击下一步,选择您要下载证书的位置并保存。
  7. 以管理员身份在您的计算机中打开命令提示符
  8. 执行下面的命令
<块引用>

"C:\Program Files\Java\jre7\bin\keytool" -import -alias 拼车 -keystore "C:\Program\Files\Java\jre7\lib\security\cacerts" -file c:\downloads\mycert.cert

确保将上面的命令作为单行执行

  1. 当它要求密码类型默认密码时的列表项:changeit
  1. 另一个提示输入:yes

完成上述更改后,重新启动 pentaho 工具。

答案 2 :(得分:0)

我将网站的证书添加到 jre/lib/security/cacerts 证书存储中。我能够验证是否添加了证书。

我的水壶(是的,我重新启动了水壶)转换失败并出现 SSLHandshake 错误。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我试过 SSLPoke

java SSLPoke mytestwebservice 443

我收到以下错误:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:229)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:942)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
        ... 20 more

然后我尝试使用 trustStore 参数,效果很好。

java -Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_251\lib\security\cacerts" SSLPoke mytestwebservice 443

C:\Users\user1\Downloads>java -Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_251\lib\security\cacerts" SSLPoke mytestwebservice 443
Successfully connected

这些所有显示证书都添加到 cacerts 中。仍然我的水壶(是的,我重新启动了水壶)转换失败并出现 SSLHandshake 错误。

现在,我将 -Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_251\lib\security\cacerts" 添加到我的spoon.bat 文件中第127行,下面是spoon.bat的代码块


set OPT=%OPT% %PENTAHO_DI_JAVA_OPTIONS% "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" "-Djava.library.path=%LIBSPATH%;%HADOOP_HOME%/bin" "-Djava.endorsed.dirs=%JAVA_ENDORSED_DIRS%" "-DKETTLE_HOME=%KETTLE_HOME%" "-DKETTLE_REPOSITORY=%KETTLE_REPOSITORY%" "-DKETTLE_USER=%KETTLE_USER%" "-DKETTLE_PASSWORD=%KETTLE_PASSWORD%" "-DKETTLE_PLUGIN_PACKAGES=%KETTLE_PLUGIN_PACKAGES%" "-DKETTLE_LOG_SIZE_LIMIT=%KETTLE_LOG_SIZE_LIMIT%" "-DKETTLE_JNDI_ROOT=%KETTLE_JNDI_ROOT%" "-Djavax.net.ssl.trustStore=C:\Program Files\Java\jre1.8.0_251\lib\security\cacerts"

现在当我重新启动勺子并运行转换时,它运行良好。似乎其余客户端节点没有使用证书信任存储 SSL 设置。

spoon.bat 文件设置在我的本地机器上工作正常,没有问题。我打算使用 Java API 运行我的 KTR。知道在使用以下 java 代码开始转换时如何设置信任库吗?

                KettleEnvironment.init();
                
                StepPluginType.getInstance().getPluginFolders().add(new PluginFolder("c:\\users\\nampatel\\.kettle\\plugins", false, true));
                TransMeta metaData = new TransMeta(path);
                Trans trans = new Trans(metaData);
                trans = parameterSetting(trans);
//              trans.setParameterValue("tkt_id", "1231321");
                trans.execute( null );

参考:使用 https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html 进行上述 SSL 故障排除步骤。

相关问题
最新问题