
My network is behind a Zscaler proxy. I have installed the AWS CLI. I have added all the Amazon Root CA certificates along with the Zscaler CA root certificate in a PEM file. I have set up AWS_CA_Bundle, and my AWS CLI command for fetching a Secrets Manager secret worked.

But when, on the same machine, I try to fetch the secret from Secrets Manager using the AWS SDK, it throws an exception: Unable to find valid certification path to requested target.

Can someone guide me what needs to be done?

Below is the source code:

    import com.amazonaws.services.secretsmanager.AWSSecretsManager;
    import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
    import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
    import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;

    public class AwsSecretManager {

        public static AWSSecretManagerPojo getRedshiftCredentialsFromSecretManager(String secretName)
                throws JsonUtilityException, AwsSecretException {
            String secret = getSecret(secretName);
            // Gaurav added this.
            System.out.println("secret \n" + secret);
            if (!StringUtility.isNullOrEmpty(secret)) {
                // Parse the JSON secret string into the project's POJO.
                AWSSecretManagerPojo pojo = GsonUtility.getInstance().fromJson(secret, AWSSecretManagerPojo.class,
                        EdelweissConstant.GSON_TAG);
                return pojo;
            } else {
                throw new AwsSecretException("unable to get redshift credentials from aws secret manager");
            }
        }

        private static String getSecret(String secretName) {
            // Gaurav commented below and manually supplied the secret as SSL issue is there.
            String region = EdelweissConstant.AWS_SECRET_MANAGER_REGION;
            // SDK v1 client; its TLS trust comes from the JVM truststore, not from AWS_CA_BUNDLE.
            AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                    .withRegion(region)
                    .build();
            String secret = null;
            GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
                    .withSecretId(secretName);
            GetSecretValueResult getSecretValueResult = client.getSecretValue(getSecretValueRequest);
            if (getSecretValueResult.getSecretString() != null) {
                secret = getSecretValueResult.getSecretString();
            }
            return secret;
        }
    }

user3343543

2 Answers

0

This question is a bit old but other answers to this topic were all programmatic and on a per-application basis which I didn't like, since I wanted this to work for all my applications. To anyone stumbling upon this, these are the steps that I took to fix this issue in my application.

  1. Download the AWS Root CAs from here. CA1 was good enough for me, but you may need others as well. Java requires the .der format one. You can also get the .pem file, but you'll need to convert it to .der. Note that the certificate from Amazon had a .cer extension, but it's still compatible.

  2. Verify that the certificate is legible for the Java keytool:

$ keytool -v -printcert -file AmazonRootCA1.cer
Certificate fingerprints:
         SHA1: <...>
         SHA256: <...>
  3. Optionally, verify the public key hash if you'd like (outside the scope of this answer, have a look here if you want).

  4. Import the certificate file to your Java keystore. You can do this for your entire JRE by using the keytool command as follows and answering yes when prompted:

keytool -importcert -alias <some_name> -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file AmazonRootCA1.cer

If you've changed the default Java keystore pass (changeit), you'll obviously need to use that one instead.

After this your application should be able to connect to AWS without any certificate issues.

filpa
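The steps above change the JRE's shared cacerts. The following is an added example (not code from either answer or from the questioner's project) for the per-application route: it builds a separate truststore from the same PEM bundle the question's AWS_CA_Bundle already points at, so the SDK trusts the proxy's CA without touching the JRE. It assumes the stock cacerts password changeit and prints each certificate's subject and SHA-256 fingerprint so that what is being trusted can be checked before the JVM is pointed at it.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Added example: writes a truststore = the JRE's cacerts + every certificate in a PEM bundle. */
public class BundleTrustStore {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BundleTrustStore <bundle.pem> <out.jks> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // Start from the JRE's own cacerts so the public CAs keep working.
        // Assumption: the stock cacerts password "changeit" has not been changed.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }
        // generateCertificates() parses every BEGIN/END CERTIFICATE block in the bundle.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (ks.getCertificateAlias(x) != null) continue; // already in cacerts
                String subject = x.getSubjectX500Principal().getName();
                // Subject + serial gives a readable, unique alias for keytool -list; the
                // fingerprint lets the operator compare against the CA's published value.
                ks.setCertificateEntry((subject + "#" + x.getSerialNumber().toString(16)).toLowerCase(), x);
                System.out.println("added: " + subject + " sha256=" + hex(sha256.digest(x.getEncoded())));
            }
        }
        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            ks.store(out, args[2].toCharArray());
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte v : b) sb.append(String.format("%02x", v));
        return sb.toString();
    }
}
```

Point the SDK at the result with -Djavax.net.ssl.trustStore=out.jks -Djavax.net.ssl.trustStorePassword=<storepass>; keytool -list -keystore out.jks shows exactly which entries were added.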
-1

I removed all the Amazon certificates and just added the Zscaler root certificate. And it resolved the issue.

user3343543
    Where exactly did you add the root certificate and where did you get it from? I'm having a similar issue with Salesforce CLI and ZScaler and with more info I might be able to replicate your solution. – Schnaps Feb 02 '21 at 12:10
  • Please elaborate on the solution – M.M Dec 17 '21 at 04:20