Keystore/Truststore Loading Failure for mantaConnectorsTruststore.pkcs12 during Tableau Extraction

Problem

When running an extraction scenario, loading of the mantaConnectorsTruststore.pkcs12 truststore/keystore, which contains the certificates required by the connector (in this case, Tableau), fails. The following ERROR message appears in the /mantaflow/cli/log/tableauExtractorScenario_<connection_name>.log file.

2021-11-16 23:32:26.878 [main] 0 ERROR eu.profinit.manta.connector.http.client.AbstractHttpsProvider
PUBLIC_KEY_INFRASTRUCTURE_ERRORS KEY_STORE_TRUST_STORE_LOADING_FAILURE
User message: MANTA cannot load keystore/truststore on path "/opt/mantaflow/cli/scenarios/manta-dataflow-cli/etc/mantaConnectorsTruststore.pkcs12".
Technical message: Trust keystore/truststore on the path "/opt/mantaflow/cli/scenarios/manta-dataflow-cli/etc/mantaConnectorsTruststore.pkcs12" cannot be loaded. Either the file format is not supported, or the provided password is incorrect.
Solution: Verify that the keystore/truststore file is in the correct format and the provided password is correct.
Impact: UNDEFINED
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

You may also see the following error together with the one above, indicating that the keystore has been tampered with or the password is incorrect.

2021/11/16 23:57:17.532 AM [http-nio-9191-exec-9] ERROR - eu.profinit.manta.configuration.logic.controller.GlobalExceptionHandler [Context: admin - 2021-11-16T23:25:55.376-0500]
HTTP_CONNECTION_ERRORS - INTERNAL_SERVER_ERROR
User message: Internal server error occurred.
Technical message: Internal server error occurred: Keystore was tampered with, or password was incorrect.
Solution: This is a general message that a client (e.g. MANTA Flow CLI) retrieves from a server (e.g. MANTA Flow Server). You can find the origin of the issue in the server logs.
Lineage impact: UNDEFINED
java.io.IOException: Keystore was tampered with, or password was incorrect

Issue Verification

To verify the root cause of this error, list the contents of the mantaConnectorsTruststore.pkcs12 file with the Java keytool command and check the keystore type. Before you begin, change to the <manta_cli_home>/scenarios/manta-dataflow-cli/etc directory.

$ cd /<manta_cli_home>/scenarios/manta-dataflow-cli/etc
$ $JRE_HOME/bin/keytool -list -v -keystore mantaConnectorsTruststore.pkcs12 -storepass <truststore_password>

# NOTE: Default password is mantaConnectorsTruststore, or it may have no password at all

After the command runs successfully, locate the Keystore type: property near the top of the output. If its value is JKS, the issue is caused by a keystore file format mismatch, and the truststore should be re-created in PKCS12 format. Example output:

  *****************  WARNING WARNING WARNING  *****************
  * The integrity of the information stored in your keystore  *
  * has NOT been verified!  In order to verify its integrity, *
  * you must provide your keystore password.                  *
  *****************  WARNING WARNING WARNING  *****************

  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 2 entries
  ...
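
The lengthTag=109 in the first stack trace points to the same mismatch: a JKS file begins with the bytes FE ED FE ED, and a PKCS12 (DER) reader treats the second byte, 0xED, as a long-form length whose low seven bits are 109. The shell script below is an added example, not part of the original article or of MANTA's tooling, that identifies the format from the file header without the password. Its function names and sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example: identify a keystore's on-disk format from its header bytes.
# No password is needed, so it works even when keytool rejects the file.

# Print JKS, JCEKS, PKCS12 or unknown for the file in $1.
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "JKS" ;;
        cececece) echo "JCEKS" ;;
        30*)      echo "PKCS12" ;;   # 0x30 = DER SEQUENCE; a bare .der cert also starts this way
        *)        echo "unknown" ;;
    esac
}

# Print what a DER reader makes of the second byte: for a long-form length
# (high bit set) the low seven bits are the "lengthTag" seen in the Java error.
der_length_tag() {
    second=$(od -An -tu1 -j1 -N1 "$1" | tr -d ' \n')
    [ -n "$second" ] || { echo "none"; return 0; }
    if [ "$second" -ge 128 ]; then
        echo $(( $second & 127 ))
    else
        echo "short-form"
    fi
}

describe() {
    printf '%s: format=%s lengthTag=%s\n' \
        "$1" "$(keystore_format "$1")" "$(der_length_tag "$1")"
}

if [ "$#" -ge 1 ]; then
    describe "$1"                     # a real file, e.g. mantaConnectorsTruststore.pkcs12
else
    tmp=$(mktemp -d)                  # constructed headers, not real keystores
    printf '\376\355\376\355\000\000\000\002' > "$tmp/sample.jks"
    printf '\060\202\011\101' > "$tmp/sample.p12"
    describe "$tmp/sample.jks"        # format=JKS lengthTag=109
    describe "$tmp/sample.p12"        # format=PKCS12 lengthTag=2
    rm -rf "$tmp"
fi
```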

Solution

Important: The mantaConnectorsTruststore.pkcs12 truststore file is shared by all other technologies that require communication over SSL/TLS. Therefore, when you change the truststore password for one technology, be sure to update the truststore password property to the new password for all other technologies that use SSL communication in Admin UI → Configuration → CLI (i.e., Tableau, Alation, OBIEE, StreamSets, Collibra, IBM IGC, and Informatica).

  1. Ensure you have all the certificate file(s) that are in this truststore, because the next steps recreate the truststore, which removes all currently stored certificates. If you do not have the certificate file(s) (.crt, .cer, .cert, .pem, .der, etc.) already, you can export them from the current truststore (mantaConnectorsTruststore.pkcs12) to another accessible location on the host.

    $ $JRE_HOME/bin/keytool -export -alias <cert_alias> -file /<export_path_location>/<filename>.crt -keystore mantaConnectorsTruststore.pkcs12 -storepass <truststore_password>
    
  2. Now, using Admin UI, recreate the truststore by going to Configuration → CLI → Tableau → Tableau Common → Connection section → Edit Truststore Settings.

    1. Click the Recreate button next to the truststore path. Set the Store File Type property to PKCS12, and then set the truststore password (if you want to use the default password, set it to: mantaConnectorsTruststore). Click Confirm.

  3. After the mantaConnectorsTruststore.pkcs12 truststore file has been recreated with the correct keystore file type, you can click Add Entry to re-add and Load the original certificate file(s) back into it.

  4. Lastly, re-run your Tableau extraction/analysis workflow, which should now verify the connection and complete properly. You should no longer see the error message(s) in the tableauExtractorScenario_*.log file.

  2021-11-17 00:30:29.419 [main] 0 INFO  eu.profinit.manta.connector.tableau.extractor.RestExtractorTableau Signing in to Tableau server...
  2021-11-17 00:30:29.492 [main] 0 INFO  eu.profinit.manta.connector.http.client.AbstractHttpsProvider Truststore mantaConnectorsTruststore.pkcs12 contains 2 self-signed certificates: [<cert_1>, <cert_2>]
  2021-11-17 00:30:29.498 [main] 0 INFO  eu.profinit.manta.connector.http.client.AbstractHttpsProvider Using truststore(s): [JRE default truststore, mantaConnectorsTruststore.pkcs12] (eu.profinit.manta.connector.http.client.DefaultHttpsProvider / TABLEAU_EXTRACTION)
  2021-11-17 00:30:30.399 [main] 0 INFO  eu.profinit.manta.connector.tableau.extractor.RestExtractorTableau Starting extraction...
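
Step 1 exports one alias at a time; because recreating the truststore removes every stored certificate, the script below exports all of them in one pass. It is an added example, not part of the original article or of MANTA's tooling. It assumes JRE_HOME is set, that keytool prints English labels, and that the store password is in an environment variable named MANTA_TS_PASS (a name chosen for this example), read through keytool's -storepass:env so the password does not appear in the process list.

```shell
#!/bin/sh
# Added example: export every certificate from the truststore before recreating it.
# Assumes JRE_HOME is set, keytool prints English labels, and the store password
# is in the environment variable MANTA_TS_PASS (a name chosen for this example).

KS=mantaConnectorsTruststore.pkcs12   # run from the etc directory named in the article
OUT=./truststore-backup               # hypothetical backup location

# Read `keytool -list -v` output on stdin, print one alias per line.
parse_aliases() {
    sed -n 's/^Alias name: //p'
}

# Map an alias to a safe file name (aliases may contain spaces or slashes).
safe_name() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9._-]/_/g'
}

export_all() {
    mkdir -p "$OUT" || return 1
    n=0
    "$JRE_HOME/bin/keytool" -list -v -keystore "$KS" -storepass:env MANTA_TS_PASS |
        parse_aliases |
        while IFS= read -r alias; do
            n=$(( $n + 1 ))
            # Counter prefix keeps two aliases with the same safe name apart.
            file="$OUT/${n}_$(safe_name "$alias").crt"
            # </dev/null stops keytool from consuming the alias list on stdin.
            "$JRE_HOME/bin/keytool" -exportcert -alias "$alias" -file "$file" \
                -keystore "$KS" -storepass:env MANTA_TS_PASS </dev/null || exit 1
            echo "exported '$alias' -> $file"
        done
}

# Run only where the truststore is present.
if [ -f "$KS" ]; then
    export_all
fi
```

Compare the number of exported files with the "Your keystore contains N entries" line before clicking Recreate.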