Self signed certificates problem
40 views
Skip to first unread message
Anand Kane
Feb 24, 2021, 11:41:03 AM2/24/21
to Syndesis
Hi All
I am using API Client Connector to connect to an API that uses self signed certificate. Invocation of the endpoint fails due to the below exception.
IO exception javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I get this exception because the JVM's trustore inside the container, where the integration is running, does not have the certificate required for SSL handshake. I thought I should be able to run some command that adds the certificate to the truststore when the container is created. The certificate could be made available via a config map.
In order to be able to add the certificate to the truststore, I explored the Openshift s2i model and understood that we need two scripts to create docker image via s2i namely 'assemble' to build the source code and 'run' that is invoked when the container is created. While I could find 'assemble' script at the location integration/project-generator/src/main/resources/io/syndesis/integration/project/generator/s2i/assemble, I could not find the 'run' script anywhere. Logs of the buildconfig of the integration refer to such a run script...
STEP 10: CMD /usr/local/s2i/run
And this file is also present in the integration container. But I could not figure out where this file is picked up from because it is not present in the source code.
Can someone please help me understand the process of creating the integration image that is used to create the integration pod? This will be highly appreciated.
Thanks
Anand
Zoran Regvart
Feb 25, 2021, 4:51:29 AM2/25/21
to Anand Kane, Syndesis
Hi Anand,
the Syndesis S2I images are based on the fabric8 S2I images[1]. I
think we allowed for some modification of the integration's
DeploymentConfig after deployment, there was an issue around changing
the scaling and the Syndesis controller reverting the change. So I'm
not 100% sure what that feature allowed, but if you can change the
environment variables of the integration's DeploymentConfig you can
set `JAVA_OPTIONS` environment variable and try setting the system
properties as in[2] along with adding a Secret or ConfigMap volume
with your custom keystore.
That might work, Camel has dedicated configuration for TLS[3] which we
do not customize (IIRC there was an issue to add support for this). So
if that fails you should be able to create an extension and customize
that way...
zoran
[1] https://github.com/fabric8io-images/s2i
[2] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores
[3] https://camel.apache.org/manual/latest/camel-configuration-utilities.html#CamelConfigurationUtilities-SSLContextParameters
> --
> You received this message because you are subscribed to the Google Groups "Syndesis" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syndesis+u...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/syndesis/a397784d-0cae-44fa-9b7b-eb88b6340208n%40googlegroups.com.
--
Zoran Regvart
the Syndesis S2I images are based on the fabric8 S2I images[1]. I
think we allowed for some modification of the integration's
DeploymentConfig after deployment, there was an issue around changing
the scaling and the Syndesis controller reverting the change. So I'm
not 100% sure what that feature allowed, but if you can change the
environment variables of the integration's DeploymentConfig you can
set `JAVA_OPTIONS` environment variable and try setting the system
properties as in[2] along with adding a Secret or ConfigMap volume
with your custom keystore.
That might work, Camel has dedicated configuration for TLS[3] which we
do not customize (IIRC there was an issue to add support for this). So
if that fails you should be able to create an extension and customize
that way...
zoran
[1] https://github.com/fabric8io-images/s2i
[2] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores
[3] https://camel.apache.org/manual/latest/camel-configuration-utilities.html#CamelConfigurationUtilities-SSLContextParameters
> You received this message because you are subscribed to the Google Groups "Syndesis" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syndesis+u...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/syndesis/a397784d-0cae-44fa-9b7b-eb88b6340208n%40googlegroups.com.
--
Zoran Regvart
Anand Kane
Feb 25, 2021, 12:02:52 PM2/25/21
to Syndesis
Hi Zoran
Thanks a lot for helping me out. I am able to modify the DeploymentConfig to add new env entries and also upload the truststore with added certificates via config map. Since I don't the API endpoint with self signed certificates accessible right now, I will test later whether setting 'javax.net.ssl.keyStore' gives the desired result. I will keep you posted.
Thanks again.
Regards
Anand
Reply all
Reply to author
Forward
0 new messages