Setup Secure SSL using self-signed certificates

Sean Leoszko

Is anyone able to provide some clear instructions on how to generate and install a self signed certificate with Aperture?

I have tried to do it myself but Aperture is still throwing the following error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Henry Simms

Hi @Sean Leoszko , can you say a bit more about the type of certificate you want to generate, and how you want to use it.

To explain the differences it's useful to understand the purpose of SSL certificates:

1. To encrypt sensitive information sent across the network between the client (e.g. browser) and the server.
2. To provide authentication. Specifically, to identify your server and protect your clients from things like man-in-the-middle attacks.

There are three types of certificate you might use:

Data Studio comes with its own self-signed certificate, which is what's used when you select "use SSL" from the server settings. You'll usually change the port to 443 as well. A self-signed certificate is not signed by any certificate authority (CA), and certificates like this will provide encryption but not authentication (or rather it places the burden of verifying trust on the user explicitly). You'll see a "your connection is not private" warning in your browser telling you that the connection is not safe. If you generate your own self-signed certificate it will behave in the same way.

You could also request and apply a certificate signed by a trusted certificate authority (CA) to both enable encryption of client-server communications and identify your server to clients. If you want your Data Studio instance to be available to the general public via the internet, you'd want to use a certificate from a public CA to initiate secure and “trusted” communication.

You may actually want something in between: a certificate issued by a private (internal) CA. A private CA is typically enterprise-specific and used for internal servers on a private network. These certificates are not publicly trusted. In this scenario, in order to achieve trust (authentication) an organization would generate a root certificate and then configure all clients (e.g. Chrome) to trust certificates signed by that root by installing it as a trusted root certificate authority.

The 3rd option, using a private CA, is the most common way Experian's clients secure Data Studio, and also the Find duplicates server. In this case, the client's IT team would typically provide the certificate, either as separate public certificate and private key files, or in a combined format like PKCS12.

Sean Leoszko

Thanks Henry, I was after the third option. This was just for my personal instance of Aperture so I wanted to be able to have a secure HTTPS connection of Aperture.

I figured out how to do this, the steps below worked for me:

1. Open up Powershell in administration mode
2. Run the following command to generate a private key: "openssl genrsa -des3 -out myCA.key 2048"
3. Run the following command to generate a root certificate: "openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem"
4. Run the following command to generate a private key: "openssl genrsa -out <machine name>.key 2048"
5. Run the following command to create a certificate signing request (CSR): "openssl req -new -key <machine name>.key -out <machine name>.csr"
6. In Notepad create the following file and name it <machine name>.ext

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names

[alt_names]

DNS.1 = <machine name> # Be sure to include the domain name here because Common Name is not so commonly honoured by itself

DNS.2 = aperturev2.local # Optionally, add additional domains (I've added a subdomain here)

IP.1 = <local IP address> # Optionally, add an IP address (if the connection which you have planned requires it)

7. Run the following command to create a signed certificate: "openssl x509 -req -in <machine name>.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out <machine name>.crt -days 825 -sha256 -extfile <machine name>.ext"

8. In the start menu, search certificate and click "Manage computer certificate"

9. Drill down into Personal, right click the Certificates folder, navigate to All Tasks>Import

10. Import both the .crt and .pem files into this directory

11. Highlight both certificates (They should be under the Machine name), right-click and select Copy

12. Paste them into the Trusted Root Certificate directory

13. Install the crt certificate into Aperture using the standard SSL steps (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate).

14. Restart Aperture and close down Chrome

15.Open with a secure connection:

Sean Leoszko

To add more information for the question. I understand the steps on how to install a certificate are included here (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate). I am after steps on how do you generate a self signed certificate that will work with these instructions and secure the connection. At the moment, I am getting errors and its not secure.

Henry Simms

That's great @"Sean Leoszko" , thanks for adding the steps. Just as a reminder for others, this is good for a demo or test set-up, but typically certificates will be signed by a trusted CA (or intermediate CA with a trusted CA cert at the root of the chain), or a private CA cert already used by an organization.

If the certificate is only going to be used for Data Studio in Chrome, I'd also recommend only importing the myCA.pem as an Authority in your Chrome settings (Settings > Manage certificates > Authorities > Import), rather than the system's Trusted Root Certificate directory.

HussainSyed

@Henry Simms I am trying to get Find Duplicates API http://localhost:8443/swagger-ui/index.html to have secure connection as well, I have already changed the port in Data Studio Config file.

I have followed the following steps mentioned in the documentation,

If you already have a PKCS12 (.pkcs12, .pfx, or .p12) file containing the certificate chain and private key, this can be used as the keystore for SSL configuration.

1. Navigate to the Find Duplicates installation directory and open the find_duplicates.properties file.
2. Set the server.ssl.enabled property to true.
3. Uncomment the remaining lines (remove the initial # character) and populate with your keystore settings:

server.ssl.enabled=true
server.ssl.key-alias=your_key_alias
server.ssl.key-store=file:///path/to/my/certificate.pfx
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=yourKeyStorePassword
server.ssl.key-password=yourKeyPassword

1. See below for an explanation of each property.
2. server.ssl.key-alias: The alias for the server key and certificate in the keystore. If the keystore only contains one key this property can be omitted.
3. server.ssl.key-store: The pathname of the keystore file in URI format. If the keystore file is in the Find duplicates installation directory only the filename is required. To specify an absolute file path the file URI scheme format must be used: file://[hostname]/path. The hostname may be omitted if the path is local to the Find Duplicates server. Any spaces in the path must be replaced by their HTML equivalent, and on Windows backslash characters must be replaced by forward slashes. For example, a local keystore file path of C:\Find duplicates\certificate.pfx would be formatted as file:///C:/Find%20duplicates/certificate.pfx.
4. server.ssl.key-store-type: The keystore certificate format. If omitted this defaults to JKS.
5. server.ssl.key-store-password: The password to access the keystore file.
6. server.ssl.key-password: The keystore certificate password. Typically this is identical to the keystore password, in which case it can be omitted.
7. To see a list of additional configurable SSL properties refer to the # EMBEDDED SERVER CONFIGURATION section of the Spring Boot Common application properties documentation.
8. Open the Find Duplicates.ini file and find the line starting with Virtual Machine Parameters=. Find the server.port setting and updated it to your preferred port. The default SSL port is 8443.
9. Restart the Find Duplicates service.

Test the connection by browsing to https://localhost:{port}/swagger-ui/index.html using the port number configured above.

Using a private CA root certificate

The JRE used by Data Studio will validate certificate trust. By default, the certificate must have a valid trust chain referencing a public Certificate Authority (CA). If a private CA is used to create the certificate, it must be added to the Java truststore being used by Data Studio. This can be by running the following command on the machine where Data Studio is installed:

C:\Program Files\Experian\Aperture Data Studio {version number}\java64\jre\bin\keytool.exe -import -trustcacerts -alias myCA -file "path\to\myCA.pem" -keystore "path\to\cacerts"

The cacerts can be found in the certificates folder of the Data Studio repository (by default, C:\ApertureDataStudio\certificates).

The default password for the cacerts truststore is changeit.

last part of using CA root, I have done successfully, yet still SSL on port 8443 is not working.

Also what do I need to do if I want to use Find Duplicates remotely apart from the server I have installed on. Can you also direct towards the documentation that explains that as well.

thanks.

HussainSyed

@Sean Leoszko the part you have mention in the separate link, I have already done. Aperture DS is already on SSL, I need to get Find Duplicates on SSL too. please look into it if you can help.

Henry Simms

Hi @HussainSyed , it looks like you're following the correct steps to configure an HTTPS connection for the Find Duplicates Windows Service.

If SSL on port 8443 is not currently working, what do you see? Does the service fail to start up, serve on the wrong port, or just not appear as an encrypted connection?

Once you've got the secure connection working from localhost (tested by browsing to https://localhost:{port}/swagger-ui/index.html), you can test from other servers using the hostname (e.g. https://HOSTNAME:{port}/swagger-ui/index.html - ensure that the relevant port is open on the Find Dupes host machine). Then use the remote Find Dupes service in Data Studio, by enabling "Remote find duplicates server." and entering the hostname and port.

HussainSyed

Services are running fine after I make the change and below link is also working, just not appearing as Secure connection.

I even placed the pfx file in the same Find Duplicates folder so that I don't have to write full path.

 https://localhost:{port}/swagger-ui/index.html  

Henry Simms

Hi @HussainSyed

Have a look in the findDuplicates.log (in the Find Dupes installation directory, by default: "C:\Program Files\Experian\Find Duplicates\logs") to see if there's an error that indicates what's going wrong.

For example, when I use an incorrect passphrase for my SSL cert configured with Find Dupes it's reported in the log on service startup:

Caused by: java.io.IOException: keystore password was incorrect
	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079) ~[?:1.8.0_302]

My find_duplicates.properties file:

server.ssl.enabled=true
#server.ssl.key-alias=
server.ssl.key-store=file:///C:/ssl%20certs/finddupes.p12
#server.ssl.key-store-type=
server.ssl.key-store-password=MyPa55word
#server.ssl.key-password=

If you're still having problems I would recommend contacting your local support team, who will be able to help: https://docs.experianaperture.io/more/contact-support

HussainSyed

thank you for response.

Error thrown is:

Caused by: java.io.IOException: Failed to load keystore type [pfx] with path [file:/C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx] due to [pfx not found]

server.ssl.enabled=true

#server.ssl.key-alias=aperture_elisa_fi

server.ssl.key-store=file:///C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx

server.ssl.key-store-type=pfx

server.ssl.key-store-password=mypass

#server.ssl.key-password=

if I comment the key-store-type parameter, the service runs and the link https://localhost:8443/swagger-ui/index.html

runs fine but with unsecure connection, SSL not applied.

pfx file is in the same folder as find duplicates installation.

HussainSyed

also if the file is in the same folder as find duplicates installation, I tried giving just the file name after file:///apertureFindDup.pfx

still couldn't find the file.

so only changing the port in find duplicates ini file .. just changes the port to url with unsecure https. nothing else is happening.

Henry Simms

I think the problem here is the value of server.ssl.key-store-type

The options are JKS or PKCS12 (https://www.baeldung.com/spring-boot-https-self-signed-certificate#configuring-ssl-properties).

In your case, the pfx is a PKCS12

HussainSyed

it still didn't work after changing the type to PKCS12,

Also if I want to download previous release of aperture data studio, where can I find those? as I can find latest on this page

https://community.experianaperture.io/discussion/493/aperture-data-studio-v2-downloads

but what if one needs the previous versions?

@Henry Simms ..

Henry Simms

Hi @HussainSyed , after changing the server.ssl.key-store-type do you get a different error message in the findDuplicates.log?

I think the best approach, if you haven't already, would be to raise a support case to get direct help on this one from out team.

Sueann See

hi @HussainSyed can you try

server.ssl.key-store=file://C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx

(Note: use file:// instead of file:///)

or if the file is in the same folder use

apertureFindDup.pfx

(without the file:///)

If this still doesn't work, please go ahead and raise a case for further investigation.

HussainSyed

thank you,

Right now SSL is second priority for us, as we are facing issue with Find Duplicates not being able to work with remote server where ADS is installed ..

apparently aperture data studio cannot connect with find duplicates on the other server.

Find duplicatesCan't connectN/AServer location: Remote (

i-2.6.9/)

log file for Find duplicates

I am facing the following error on Find Duplicates:

ERROR 2022-03-18 16:57:42,745 [http-nio-8080-exec-2] com.experian.match.rest.api.service.license.LicenseManagerOnPrem:validateLicense(91): Find Duplicates is unlicensed

Also my server where I have aperture data studio installed cannot connect to Find Duplicates ..

erro on remote server where ASD is installed:

Find duplicatesCan't connectN/AServer location: Remote

i-2.6.9/)

Please help if you think I have missed some step.

HussainSyed

@Sueann See I have tried just mentioning the pfx file.

it did not work. but I will retrace the step one more time. or raise ticket with Experian Support.

HussainSyed

workflow steps setting ...

path: match-rest-api-3.6.12

Henry Simms

Hi @HussainSyed

Are you able to access http://yourIP:8080/swagger-ui/index.html ?

From Data Studio, if you've installed the Find Dupes service you can leave the "Path" blank:

HussainSyed

yes, I am able to access swagger ui .. from server where find duplicated is installed.

My question is do I need to apply the license again for find duplicates ?