Unable to load CA Certificate
01-21-2025 08:00 PM
Hi,
I'm currently testing out an mTLS connection to the PDI instance. I tried to create a new CA certificate in the "CA Certificate Chain", but when I submitted the form with the PEM file, it gave an error. In the logs, there were the following entries:
Unable to perform the add or update action on CA Cert at this time. Please try again later.: java.net.ConnectException: Connection refused: java.base/sun.nio.ch.Net.pollConnect(Native Method)
java.base/sun.nio.ch.Net.pollConnectNow(Net.java:672)
java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:554)
...
Failed to load truststore.: java.security.KeyStoreException: Failed to load truststore.: com.glide.sys.authenticate.MutualAuthCertificateValidator.lambda$loadTomcatTrustStore$0(MutualAuthCertificateValidator.java:271)
java.base/java.util.Optional.orElseThrow(Optional.java:403)
...
Mismatching key store [Tomcat] type. Expected: PKCS12, found: bcfks: no thrown error
Not sure if there are certain configurations that I have missed out in the PDI instance?
Thanks.
Regards,
Henry.
01-21-2025 08:21 PM
The errors you are getting mean this:
Connection Refused (java.net.ConnectException):
This suggests that the PDI instance is unable to connect to the target service. Check if the service you're trying to connect to is running and reachable from your instance (e.g., firewall settings, network connectivity).
Failed to Load Truststore (KeyStoreException):
This indicates an issue with loading the truststore where certificates are stored.
The PDI instance might not be able to load the truststore due to incorrect configuration or missing certificates.
Mismatching Key Store Type (PKCS12 vs. BCFKS):
The error suggests there's a mismatch in key store type. It seems your PDI instance is expecting a PKCS12 format, but the key store you're providing is in bcfks format.
I hope the above information helps.
04-15-2025 02:56 PM
I may be wrong but I'm pretty sure mTLS requires ADCv2, which a PDI will not support.