Setup Secure SSL using self-signed certificates

Sean Leoszko Experian Contributor
edited December 2023 in General

Is anyone able to provide some clear instructions on how to generate and install a self-signed certificate with Aperture?

I have tried to do it myself but Aperture is still throwing the following error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Best Answers

  • Sean Leoszko Experian Contributor
    Answer ✓

    Thanks Henry, I was after the third option. This was just for my personal instance of Aperture so I wanted to be able to have a secure HTTPS connection of Aperture.

    I figured out how to do this, the steps below worked for me:

    1. Open PowerShell as administrator
    2. Run the following command to generate a private key: "openssl genrsa -des3 -out myCA.key 2048"
    3. Run the following command to generate a root certificate: "openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem"
    4. Run the following command to generate a private key: "openssl genrsa -out <machine name>.key 2048"
    5. Run the following command to create a certificate signing request (CSR): "openssl req -new -key <machine name>.key -out <machine name>.csr"
    6. In Notepad create the following file and name it <machine name>.ext:

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = <machine name> # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
    DNS.2 = aperturev2.local # Optionally, add additional domains (I've added a subdomain here)
    IP.1 = <local IP address> # Optionally, add an IP address (if the connection which you have planned requires it)

    7. Run the following command to create a signed certificate: "openssl x509 -req -in <machine name>.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out <machine name>.crt -days 825 -sha256 -extfile <machine name>.ext"
    8. In the Start menu, search for "certificate" and click "Manage computer certificates"
    9. Drill down into Personal, right-click the Certificates folder, and navigate to All Tasks > Import
    10. Import both the .crt and .pem files into this directory
    11. Highlight both certificates (they should be under the machine name), right-click and select Copy
    12. Paste them into the Trusted Root Certificate directory
    13. Install the .crt certificate into Aperture using the standard SSL steps (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate).
    14. Restart Aperture and close down Chrome
    15. Open with a secure connection:
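Added example, not part of the answer above or of Aperture itself: the same procedure run end to end in PowerShell, with the checks you want before touching any trust store (the leaf really chains to the CA, the SANs are what you asked for), and a final step that packs key, leaf and CA into a PKCS12 for Java-based services. It assumes openssl.exe 1.1.1 or later on PATH (for -addext and -ext); the CA name, file names, lifetimes and the loopback IP are this example's choices, not Aperture requirements. Run it from an empty working directory.

```powershell
# Added example (not from the original post). Assumes openssl.exe >= 1.1.1 on PATH.
$ErrorActionPreference = 'Stop'

function Invoke-OpenSsl {
    # Run openssl and stop on a non-zero exit code rather than carrying on
    # with a missing or half-written file.
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed (exit $LASTEXITCODE)" }
}

$HostName = [System.Net.Dns]::GetHostName()   # machine name; use the FQDN if clients will use it
$LocalIp  = '127.0.0.1'                        # assumption: only loopback access is wanted
$Days     = 825                                # longest leaf lifetime Apple platforms still accept

# Steps 1-3: CA key (passphrase prompted, stays encrypted on disk) and CA certificate.
# Unlike the leaf below, the CA cert is explicitly marked CA:TRUE / keyCertSign.
Invoke-OpenSsl genrsa -aes256 -out myCA.key 4096
Invoke-OpenSsl req -x509 -new -key myCA.key -sha256 -days $Days -subj '/CN=Local Dev CA' `
    -addext 'basicConstraints=critical,CA:TRUE' `
    -addext 'keyUsage=critical,keyCertSign,cRLSign' `
    -out myCA.pem

# Steps 4-5: server key (unencrypted, the service must read it unattended) and CSR.
Invoke-OpenSsl req -new -newkey rsa:2048 -nodes -keyout "$HostName.key" `
    -subj "/CN=$HostName" -out "$HostName.csr"

# Step 6: leaf extensions. Chrome and Java match the SAN list, never the CN alone,
# so every name or IP that will appear in a URL must be listed here.
@"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=$HostName
DNS.2=localhost
IP.1=$LocalIp
"@ | Set-Content -Path "$HostName.ext" -Encoding ascii

# Step 7: sign the CSR with the CA (prompts for the CA key passphrase).
Invoke-OpenSsl x509 -req -in "$HostName.csr" -CA myCA.pem -CAkey myCA.key -CAcreateserial `
    -out "$HostName.crt" -days $Days -sha256 -extfile "$HostName.ext"

# Checks: the leaf chains to the CA, and the extensions are what was requested.
Invoke-OpenSsl verify -CAfile myCA.pem "$HostName.crt"
Invoke-OpenSsl x509 -in "$HostName.crt" -noout -ext subjectAltName,basicConstraints

# Bundle key + leaf + CA into one PKCS12 for Java-based services
# (server.ssl.key-store-type=PKCS12). The export password is read from an
# environment variable so it never appears in the process command line.
$env:PFX_PASSWORD = Read-Host -Prompt 'PKCS12 export password'
try {
    Invoke-OpenSsl pkcs12 -export -inkey "$HostName.key" -in "$HostName.crt" -certfile myCA.pem `
        -name $HostName -passout env:PFX_PASSWORD -out "$HostName.pfx"
} finally {
    Remove-Item Env:\PFX_PASSWORD
}
```

Importing myCA.pem into a trust store is deliberately not scripted: the CA is the thing that lets anyone holding myCA.key impersonate any site for whoever trusts it, so import it as narrowly as possible (Chrome's Authorities list, or the Data Studio JRE truststore) rather than the machine-wide Trusted Root store, and keep myCA.key encrypted and off the server.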



Answers

  • Sean Leoszko Experian Contributor

    To add more information to the question: I understand the steps on how to install a certificate are included here (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate). I am after steps on how to generate a self-signed certificate that will work with these instructions and secure the connection. At the moment, I am getting errors and it's not secure.

  • Henry Simms Administrator
    That's great @"Sean Leoszko" , thanks for adding the steps. Just as a reminder for others, this is good for a demo or test set-up, but typically certificates will be signed by a trusted CA (or intermediate CA with a trusted CA cert at the root of the chain), or a private CA cert already used by an organization.

    If the certificate is only going to be used for Data Studio in Chrome, I'd also recommend only importing the myCA.pem as an Authority in your Chrome settings (Settings > Manage certificates > Authorities > Import), rather than the system's Trusted Root Certificate directory.
  • @Henry Simms I am trying to get the Find Duplicates API (http://localhost:8443/swagger-ui/index.html) to have a secure connection as well; I have already changed the port in the Data Studio config file.

    I have followed the following steps mentioned in the documentation:

    If you already have a PKCS12 (.pkcs12, .pfx, or .p12) file containing the certificate chain and private key, this can be used as the keystore for SSL configuration.

    1. Navigate to the Find Duplicates installation directory and open the find_duplicates.properties file.
    2. Set the server.ssl.enabled property to true.
    3. Uncomment the remaining lines (remove the initial # character) and populate with your keystore settings:
    server.ssl.enabled=true
    server.ssl.key-alias=your_key_alias
    server.ssl.key-store=file:///path/to/my/certificate.pfx
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store-password=yourKeyStorePassword
    server.ssl.key-password=yourKeyPassword

    See below for an explanation of each property.
    - server.ssl.key-alias: The alias for the server key and certificate in the keystore. If the keystore only contains one key this property can be omitted.
    - server.ssl.key-store: The pathname of the keystore file in URI format. If the keystore file is in the Find Duplicates installation directory only the filename is required. To specify an absolute file path the file URI scheme format must be used: file://[hostname]/path. The hostname may be omitted if the path is local to the Find Duplicates server. Any spaces in the path must be replaced by their HTML equivalent, and on Windows backslash characters must be replaced by forward slashes. For example, a local keystore file path of C:\Find duplicates\certificate.pfx would be formatted as file:///C:/Find%20duplicates/certificate.pfx.
    - server.ssl.key-store-type: The keystore certificate format. If omitted this defaults to JKS.
    - server.ssl.key-store-password: The password to access the keystore file.
    - server.ssl.key-password: The keystore certificate password. Typically this is identical to the keystore password, in which case it can be omitted.
    - To see a list of additional configurable SSL properties, refer to the # EMBEDDED SERVER CONFIGURATION section of the Spring Boot Common application properties documentation.
    4. Open the Find Duplicates.ini file and find the line starting with Virtual Machine Parameters=. Find the server.port setting and update it to your preferred port. The default SSL port is 8443.
    5. Restart the Find Duplicates service.

    Test the connection by browsing to https://localhost:{port}/swagger-ui/index.html using the port number configured above.

    Using a private CA root certificate

    The JRE used by Data Studio will validate certificate trust. By default, the certificate must have a valid trust chain referencing a public Certificate Authority (CA). If a private CA is used to create the certificate, it must be added to the Java truststore being used by Data Studio. This can be done by running the following command on the machine where Data Studio is installed:

    C:\Program Files\Experian\Aperture Data Studio {version number}\java64\jre\bin\keytool.exe -import -trustcacerts -alias myCA -file "path\to\myCA.pem" -keystore "path\to\cacerts"

    The cacerts can be found in the certificates folder of the Data Studio repository (by default, C:\ApertureDataStudio\certificates).

    The default password for the cacerts truststore is changeit.


    The last part, using a CA root, I have done successfully, yet SSL on port 8443 is still not working.

    Also, what do I need to do if I want to use Find Duplicates remotely, apart from on the server I have it installed on? Can you also direct me towards the documentation that explains that as well?

    Thanks.

  • @Sean Leoszko The part you have mentioned in the separate link, I have already done. Aperture DS is already on SSL; I need to get Find Duplicates on SSL too. Please look into it if you can help.

  • Henry Simms Administrator

    Hi @HussainSyed , it looks like you're following the correct steps to configure an HTTPS connection for the Find Duplicates Windows Service.

    If SSL on port 8443 is not currently working, what do you see? Does the service fail to start up, serve on the wrong port, or just not appear as an encrypted connection?

    Once you've got the secure connection working from localhost (tested by browsing to https://localhost:{port}/swagger-ui/index.html), you can test from other servers using the hostname (e.g. https://HOSTNAME:{port}/swagger-ui/index.html - ensure that the relevant port is open on the Find Dupes host machine). Then use the remote Find Dupes service in Data Studio, by enabling "Remote find duplicates server." and entering the hostname and port.
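Added example, not part of the reply above or of the product: a PowerShell probe that answers the "what do you see?" question from the client side. It separates "no TLS at all on the port" (the handshake fails because a plain-HTTP listener answers the ClientHello with text) from "TLS is up but the chain is untrusted or the name in the URL is not in the SAN list", which are the two ways a working service still shows as not secure. The chain is built against the stores of the account running the check, so it also tells you whether the CA import landed where this user or machine actually looks. Host and port default to the thread's values and are assumptions.

```powershell
# Added example (not from the thread or the product). Probes a TLS endpoint
# and reports what the server presents and how this machine judges it.
function Test-TlsEndpoint {
    param([string] $HostName = 'localhost', [int] $Port = 8443)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept any certificate during the handshake: trust is judged below, not here.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
    } catch {
        # A plain-HTTP listener answers the ClientHello with text, which surfaces
        # here as an "unexpected packet format" style error: server.ssl.* never took effect.
        $client.Dispose()
        return [pscustomobject]@{
            Tls    = $false
            Reason = "No TLS handshake on ${HostName}:${Port}: $($_.Exception.GetBaseException().Message)"
        }
    }
    $protocol = $ssl.SslProtocol
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Dispose()

    # Chain check against this machine's certificate stores, i.e. what Windows and
    # Chrome do. UntrustedRoot / PartialChain here means the CA was not imported
    # where this account looks for it.
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($leaf)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Name check: the SAN list must contain the name used in the URL; CN alone is ignored.
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '(no subjectAltName)' }
    $nameOk = [bool]($san -match "(?i)(DNS Name|IP Address)=$([regex]::Escape($HostName))(,|\s|$)")

    [pscustomobject]@{
        Tls = $true; Protocol = $protocol; Subject = $leaf.Subject; Issuer = $leaf.Issuer
        NotAfter = $leaf.NotAfter; SAN = $san; Trusted = $trusted; ChainStatus = $status
        NameMatches = $nameOk
    }
}

Test-TlsEndpoint -HostName 'localhost' -Port 8443 | Format-List
```

Read the three fields together: Tls = False means the service is not listening with TLS and the log is where to look next; Tls = True with Trusted = False points at the trust-store import; Tls = True and Trusted = True but NameMatches = False means the certificate was issued without the name you are browsing to in its SAN list.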

  • Services are running fine after I make the change and the link below is also working; it just isn't appearing as a secure connection.

    I even placed the pfx file in the same Find Duplicates folder so that I don't have to write full path.

     https://localhost:{port}/swagger-ui/index.html  

  • Henry Simms Administrator

    Hi @HussainSyed

    Have a look in the findDuplicates.log (in the Find Dupes installation directory, by default: "C:\Program Files\Experian\Find Duplicates\logs") to see if there's an error that indicates what's going wrong.

    For example, when I use an incorrect passphrase for my SSL cert configured with Find Dupes it's reported in the log on service startup:

    Caused by: java.io.IOException: keystore password was incorrect
    	at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2079) ~[?:1.8.0_302]
    

    My find_duplicates.properties file:

    server.ssl.enabled=true
    #server.ssl.key-alias=
    server.ssl.key-store=file:///C:/ssl%20certs/finddupes.p12
    #server.ssl.key-store-type=
    server.ssl.key-store-password=MyPa55word
    #server.ssl.key-password=
    

    If you're still having problems I would recommend contacting your local support team, who will be able to help: https://docs.experianaperture.io/more/contact-support

  • Thank you for the response.


    Error thrown is:

    Caused by: java.io.IOException: Failed to load keystore type [pfx] with path [file:/C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx] due to [pfx not found]

    server.ssl.enabled=true
    #server.ssl.key-alias=aperture_elisa_fi
    server.ssl.key-store=file:///C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx
    server.ssl.key-store-type=pfx
    server.ssl.key-store-password=mypass
    #server.ssl.key-password=

    If I comment out the key-store-type parameter, the service runs and the link https://localhost:8443/swagger-ui/index.html runs fine, but with an insecure connection; SSL is not applied.

    The pfx file is in the same folder as the Find Duplicates installation.

  • Also, if the file is in the same folder as the Find Duplicates installation, I tried giving just the file name after file:///, as file:///apertureFindDup.pfx.

    It still couldn't find the file.

    So only changing the port in the Find Duplicates .ini file just changes the port in the URL, with insecure HTTPS. Nothing else is happening.

  • Henry Simms Administrator
    I think the problem here is the value of server.ssl.key-store-type

    The options are JKS or PKCS12 (https://www.baeldung.com/spring-boot-https-self-signed-certificate#configuring-ssl-properties).

    In your case, the pfx is a PKCS12
  • It still didn't work after changing the type to PKCS12.

    Also, if I want to download a previous release of Aperture Data Studio, where can I find those? I can find the latest on this page, but what if one needs the previous versions?

    @Henry Simms

  • Henry Simms Administrator

    Hi @HussainSyed , after changing the server.ssl.key-store-type do you get a different error message in the findDuplicates.log?

    I think the best approach, if you haven't already, would be to raise a support case to get direct help on this one from our team.

  • Sueann See Experian Super Contributor

    Hi @HussainSyed, can you try

    server.ssl.key-store=file://C:/Program%20Files/Experian/Find%20Duplicates/apertureFindDup.pfx

    (Note: use file:// instead of file:///)

    or if the file is in the same folder use

    apertureFindDup.pfx

    (without the file:///)

    If this still doesn't work, please go ahead and raise a case for further investigation.
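Added example, not from the Experian documentation quoted earlier in the thread nor from any reply: a PowerShell helper for the server.ssl.key-store / key-store-type / key-alias settings this thread keeps circling. It derives the file URI from a Windows path the way the documentation describes (forward slashes, %20 for spaces, three slashes for an empty host), opens the PKCS12 with the JRE's own keytool so a wrong password or store type is caught before a service restart, and reads the private-key alias out of the store rather than guessing it. The keytool path keeps the documentation's {version number} placeholder and must be adjusted; the env-var password passing and the single-alias rule are this example's choices.

```powershell
# Added example (not from the documentation or the thread).
$ErrorActionPreference = 'Stop'

function ConvertTo-FileUri {
    # 'C:\Find duplicates\certificate.pfx' -> 'file:///C:/Find%20duplicates/certificate.pfx'
    # (empty host = three slashes, backslashes to '/', spaces percent-encoded), which is
    # the form the documentation asks for. Resolve-Path fails early if the file is missing.
    param([Parameter(Mandatory)] [string] $Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    return ([System.Uri] $full).AbsoluteUri
}

function Get-Pkcs12PrivateKeyAliases {
    # Open the store with the JRE's keytool (the same code that Spring will run) and
    # return the aliases of PrivateKeyEntry items. The password goes through an
    # environment variable (-storepass:env) so it is not on the command line.
    param(
        [Parameter(Mandatory)] [string] $Keytool,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Password
    )
    $env:KS_PASS = $Password
    try {
        $listing = & $Keytool -list -keystore $Path -storetype PKCS12 -storepass:env KS_PASS
        if ($LASTEXITCODE -ne 0) { throw "keytool could not open ${Path}: $($listing -join ' ')" }
    } finally {
        Remove-Item Env:\KS_PASS
    }
    # keytool prints one line per entry: "<alias>, <date>, PrivateKeyEntry, "
    return @($listing | ForEach-Object {
        if ($_ -match '^(?<alias>[^,]+),.*\bPrivateKeyEntry\b') { $Matches.alias }
    })
}

function New-FindDuplicatesSslProperties {
    # Emit the server.ssl.* block for find_duplicates.properties.
    param([string] $Alias, [string] $Uri, [string] $Password)
    @(
        'server.ssl.enabled=true'
        "server.ssl.key-alias=$Alias"
        "server.ssl.key-store=$Uri"
        'server.ssl.key-store-type=PKCS12'      # valid values are PKCS12 or JKS, never "pfx"
        "server.ssl.key-store-password=$Password"
        # server.ssl.key-password is omitted: a store built with "openssl pkcs12 -export"
        # protects the key with the same password as the store.
    ) -join "`r`n"
}

# Assumed locations: replace {version number} with the installed Data Studio version.
$Keytool  = 'C:\Program Files\Experian\Aperture Data Studio {version number}\java64\jre\bin\keytool.exe'
$PfxPath  = 'C:\Program Files\Experian\Find Duplicates\apertureFindDup.pfx'
$Password = Read-Host -Prompt 'PKCS12 password'

$aliases = Get-Pkcs12PrivateKeyAliases -Keytool $Keytool -Path $PfxPath -Password $Password
if ($aliases.Count -ne 1) {
    throw "Expected exactly one private-key entry, found $($aliases.Count): $($aliases -join ', ')"
}
New-FindDuplicatesSslProperties -Alias $aliases[0] -Uri (ConvertTo-FileUri $PfxPath) -Password $Password
```

Paste the printed block over the server.ssl.* lines, restart the service, and check findDuplicates.log: with the alias, URI and type produced this way, a remaining failure is a password or file-permission problem (the service account must be able to read the .pfx), not a path-format one.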

  • HussainSyed Member
    edited March 2022

    Thank you.

    Right now SSL is second priority for us, as we are facing an issue with Find Duplicates not being able to work with the remote server where ADS is installed.

    Apparently Aperture Data Studio cannot connect with Find Duplicates on the other server:

    Find duplicates | Can't connect | N/A | Server location: Remote (
    i-2.6.9/)

    Log file for Find Duplicates. I am facing the following error on Find Duplicates:

    ERROR 2022-03-18 16:57:42,745 [http-nio-8080-exec-2] com.experian.match.rest.api.service.license.LicenseManagerOnPrem:validateLicense(91): Find Duplicates is unlicensed

    Also, my server where I have Aperture Data Studio installed cannot connect to Find Duplicates. Error on the remote server where ADS is installed:

    Find duplicates | Can't connect | N/A | Server location: Remote
    i-2.6.9/)

    Please help if you think I have missed some step.

  • @Sueann See I have tried just mentioning the pfx file.

    It did not work, but I will retrace the steps one more time or raise a ticket with Experian Support.

  • Workflow step settings ...

    path: match-rest-api-3.6.12

  • Henry Simms Administrator
    edited March 2022

    Hi @HussainSyed

    Are you able to access http://yourIP:8080/swagger-ui/index.html ?

    From Data Studio, if you've installed the Find Dupes service you can leave the "Path" blank:


  • Yes, I am able to access the Swagger UI from the server where Find Duplicates is installed.

    My question is: do I need to apply the license again for Find Duplicates?