3

I'm using Pentaho Data Integration (Kettle). My goal is to consume an existing REST API with HTTPS. To achieve this, I use the REST Client provided by pdi.

On my local environment, I'm able to consume this API. However, once I push it on the production server (redhat) and run the job, I've got an error related to the SSL certificate :

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To provide the target certificate, I've first added it in a new keystore using keytool [in /home/user/] :

keytool -importcert -keystore spoc.truststore -alias spoc-preprod  -file cert.crt -noprompt

To make PDI use this truststore, I've configured the rest client like so :

Rest client SSL truststore configuration

Once pushed the related transformation in production and run the job, I've got a different error :

Keystore was tampered with, or password was incorrect

    at org.pentaho.di.trans.steps.rest.Rest.setConfig(Rest.java:274)
    at org.pentaho.di.trans.steps.rest.Rest.init(Rest.java:483)
    at org.pentaho.di.trans.step.StepInitThread.run(StepInitThread.java:65)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.pentaho.di.trans.steps.rest.Rest.setConfig(Rest.java:249)
        ... 3 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 6 more

I'm sure about the path of the keystore I've provided (File not found exception if I input a dummy path), and I'm even more sure about the password.

After two days of search, I don't find any similar problem on the internet. That's why I'm now needing your help :)

Nans

nan0
  • 31
  • 1
  • 1
  • 7

2 Answers2

1

I know that I'm probably late, but I had the same problem a few days ago. I solved it using the default password for the keystore, as this answer explains, which is changeit.

mauricius
  • 106
  • 3
1
  1. Copy and paste the URL which you are using for api request in your browser(chrome,firefox)
  1. Click on lock icon which is coming just before start of the URL
  2. select certificate
  3. go to details tab
  4. click on copy to file then click on next
  5. keep the default chosen type(DER encoded)
  6. click next, select where you want to download certificate and save it.
  7. open command prompt in your machine as administrator
  8. execute below command

"C:\Program Files\Java\jre7\bin\keytool" -import -alias carpooling -keystore "C:\Program\Files\Java\jre7\lib\security\cacerts" -file c:\downloads\mycert.cert

make sure you execute above command as single line

  1. List item when it ask for password type default password which is : changeit
  1. another prompt comes type : yes

after doing above changes, re-start the pentaho tool.

Helping Hand..
  • 2,430
  • 4
  • 32
  • 52
  • I added cert of the website into cacerts and I can verify it is added using Keystore UI tool. I still keep getting error REST Client.0 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target – np4coding May 07 '21 at 15:00