Keystore/Truststore Loading Failure for mantaConnectorsTruststore.pkcs12 during Tableau Extraction
Problem
Loading the mantaConnectorsTruststore.pkcs12 truststore/keystore containing the required certificates for the connector (in this case, Tableau) fails. The associated ERROR message below is written to the /mantaflow/cli/log/tableauExtractorScenario_<connection_name>.log file.
2021-11-16 23:32:26.878 [main] 0 ERROR eu.profinit.manta.connector.http.client.AbstractHttpsProvider
PUBLIC_KEY_INFRASTRUCTURE_ERRORS KEY_STORE_TRUST_STORE_LOADING_FAILURE
User message: MANTA cannot load keystore/truststore on path "/opt/mantaflow/cli/scenarios/manta-dataflow-cli/etc/mantaConnectorsTruststore.pkcs12".
Technical message: Trust keystore/truststore on the path "/opt/mantaflow/cli/scenarios/manta-dataflow-cli/etc/mantaConnectorsTruststore.pkcs12" cannot be loaded. Either the file format is not supported, or the provided password is incorrect.
Solution: Verify that the keystore/truststore file is in the correct format and the provided password is correct.
Impact: UNDEFINED
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
2021/11/16 23:57:17.532 AM [http-nio-9191-exec-9] ERROR - eu.profinit.manta.configuration.logic.controller.GlobalExceptionHandler [Context: admin - 2021-11-16T23:25:55.376-0500]
HTTP_CONNECTION_ERRORS - INTERNAL_SERVER_ERROR
User message: Internal server error occurred.
Technical message: Internal server error occurred: Keystore was tampered with, or password was incorrect.
Solution: This is a general message that a client (e.g. MANTA Flow CLI) retrieves from a server (e.g. MANTA Flow Server). You can find the origin of the issue in the server logs.
Lineage impact: UNDEFINED
java.io.IOException: Keystore was tampered with, or password was incorrect
Issue Verification
You can find and verify the root cause of this error by listing the contents of the mantaConnectorsTruststore.pkcs12 file with the Java keytool command and checking the keystore type. Before you begin, move to the <manta_cli_home>/scenarios/manta-dataflow-cli/etc directory.
$ cd /<manta_cli_home>/scenarios/manta-dataflow-cli/etc
$ $JRE_HOME/bin/keytool -list -v -keystore mantaConnectorsTruststore.pkcs12 -storepass <truststore_password>
# NOTE: Default password is mantaConnectorsTruststore, or it may have no password at all
After successfully running the above command, locate the Keystore type: property near the top of the output. If this value is JKS, the issue is caused by a keystore file format mismatch: the file has a .pkcs12 name but is stored in JKS format, and the truststore should be re-created in PKCS12 format. Example output:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
...
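The same mismatch can be confirmed from the file's leading bytes, without the truststore password. The following is an added example, not part of the original article or of MANTA tooling; the function names are hypothetical. A JKS file begins with the magic number 0xFEEDFEED, and a DER parser reading it as PKCS12 treats the second byte (0xED) as a long-form length whose low 7 bits are 109, which is the lengthTag=109 in the exception above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify a keystore by its magic bytes.

# Print the first 4 bytes of a file as lowercase hex, e.g. "feedfeed".
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# Report the on-disk format regardless of the file extension.
keystore_format() {
    magic=$(magic_hex "$1")
    case "$magic" in
        feedfeed) echo "JKS" ;;      # JKS magic number
        cececece) echo "JCEKS" ;;    # JCEKS magic number
        30*)      echo "DER" ;;      # DER SEQUENCE tag; a PKCS12 file starts this way
        *)        echo "UNKNOWN" ;;
    esac
}

# Mirror the DER length check on the second byte: when the high bit is set,
# the low 7 bits are the count of length bytes (the "lengthTag" in the error).
der_length_tag() {
    second=$(head -c 2 "$1" | od -An -tu1 | awk 'NR==1 {print $2}')
    [ -n "$second" ] || { echo "file too short" >&2; return 1; }
    if [ "$second" -ge 128 ]; then
        echo $((second - 128))
    else
        echo 0    # short-form length: no separate length-byte count
    fi
}

# Constructed sample: a 4-byte stand-in for a JKS file saved with a .pkcs12 name.
tmp=$(mktemp -d)
printf '\376\355\376\355' > "$tmp/sample.pkcs12"
echo "format:    $(keystore_format "$tmp/sample.pkcs12")"
echo "lengthTag: $(der_length_tag "$tmp/sample.pkcs12")"
rm -rf "$tmp"
```

A result of DER only shows that the file is a candidate PKCS12 store; keytool -list remains the authoritative check.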
Solution
- Ensure you have all the certificate file(s) that are in this truststore, because the next steps recreate the truststore, which removes all currently stored certificates. If you do not have the certificate file(s) (.crt, .cer, .cert, .pem, .der, etc.) already, you can export them from the current truststore (mantaConnectorsTruststore.pkcs12) to another accessible location on the host.
$ $JRE_HOME/bin/keytool -export -alias <cert_alias> -file /<export_path_location>/<filename>.crt -keystore mantaConnectorsTruststore.pkcs12 -storepass <truststore_password>
- Now, using Admin UI, recreate the truststore by going to Configuration → CLI → Tableau → Tableau Common → Connection section → Edit Truststore Settings.
  - Click the Recreate button next to the truststore path. Set the Store File Type property to PKCS12, and then set the truststore password (if you want to use the default password, set it to: mantaConnectorsTruststore). Click Confirm.
- After the mantaConnectorsTruststore.pkcs12 truststore file has been recreated with the correct keystore file type, you can click Add Entry to re-add and Load the original certificate file(s) back into it.
- Lastly, re-run your Tableau extraction/analysis workflow, which should now verify the connection and complete it properly. You should no longer see the error message(s) in the tableauExtractorScenario_*.log file.
2021-11-17 00:30:29.419 [main] 0 INFO eu.profinit.manta.connector.tableau.extractor.RestExtractorTableau Signing in to Tableau server...
2021-11-17 00:30:29.492 [main] 0 INFO eu.profinit.manta.connector.http.client.AbstractHttpsProvider Truststore mantaConnectorsTruststore.pkcs12 contains 2 self-signed certificates: [<cert_1>, <cert_2>]
2021-11-17 00:30:29.498 [main] 0 INFO eu.profinit.manta.connector.http.client.AbstractHttpsProvider Using truststore(s): [JRE default truststore, mantaConnectorsTruststore.pkcs12] (eu.profinit.manta.connector.http.client.DefaultHttpsProvider / TABLEAU_EXTRACTION)
2021-11-17 00:30:30.399 [main] 0 INFO eu.profinit.manta.connector.tableau.extractor.RestExtractorTableau Starting extraction...