Unable to load CA Certificate

Henry Wong
Tera Contributor

Hi,

I'm currently testing out MTLS connection to the PDI instance. Tried to create a new CA certificate in the "CA Certificate Chain" but when I submitted form with the PEM file, it gives an error. In the logs, there were the following entries:

Unable to perform the add or update action on CA Cert at this time. Please try again later.: java.net.ConnectException: Connection refused: java.base/sun.nio.ch.Net.pollConnect(Native Method)
java.base/sun.nio.ch.Net.pollConnectNow(Net.java:672)
java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:554)

...

Failed to load truststore.: java.security.KeyStoreException: Failed to load truststore.: com.glide.sys.authenticate.MutualAuthCertificateValidator.lambda$loadTomcatTrustStore$0(MutualAuthCertificateValidator.java:271)
java.base/java.util.Optional.orElseThrow(Optional.java:403)

...

Mismatching key store [Tomcat] type. Expected: PKCS12, found: bcfks: no thrown error

Not sure if there are certain configurations that I have missed out in the PDI instance?

Thanks.

Regards,

Henry.

Ct111
Giga Sage

The errors you are getting mean this:

Connection Refused (java.net.ConnectException):

This suggests that the PDI instance is unable to connect to the target service. Check if the service you're trying to connect to is running and reachable from your instance (e.g., firewall settings, network connectivity).


Failed to Load Truststore (KeyStoreException):

This indicates an issue with loading the truststore where certificates are stored.
The PDI instance might not be able to load the truststore due to incorrect configuration or missing certificates.


Mismatching Key Store Type (PKCS12 vs. BCFKS):

The error suggests there's a mismatch in key store type. It seems your PDI instance is expecting a PKCS12 format, but the key store you're providing is in bcfks format.

I hope the above information helps.
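Two of the three checks above (is the CA chain usable, and what format is the truststore actually in) can be run locally before anything is uploaded. The following is an added example written for this thread, not ServiceNow or Tomcat code: it parses a PEM bundle with the JDK's CertificateFactory, flags which entries are valid CA certificates, and then tries to open a store file as each candidate keystore type to see which one loads. The file paths and the password are placeholders; the BCFKS attempt only succeeds if a BouncyCastle FIPS provider is registered in the JVM, otherwise it is reported as not loadable.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Pre-upload checks for an mTLS CA chain and a truststore file.
 * Added example for this thread; paths and password below are placeholders.
 */
public class TrustStoreCheck {

    /** Parse every certificate in a PEM bundle (multiple BEGIN CERTIFICATE blocks are fine). */
    static List<X509Certificate> loadPemChain(Path pemFile) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : certs) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** True if the certificate carries BasicConstraints CA:TRUE and is within its validity period. */
    static boolean isUsableCa(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the certificate is not a CA certificate
        if (cert.getBasicConstraints() < 0) {
            return false;
        }
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException notValidNow) {
            return false;
        }
    }

    /** Try to open the store as each candidate type; returns the first type that loads, or null. */
    static String detectKeyStoreType(Path storeFile, char[] password, String... candidates) {
        for (String type : candidates) {
            try (InputStream in = Files.newInputStream(storeFile)) {
                // KeyStoreException if the JVM has no provider for this type (e.g. BCFKS without BouncyCastle)
                KeyStore ks = KeyStore.getInstance(type);
                // IOException if the bytes are not in this format or the password is wrong
                ks.load(in, password);
                return type;
            } catch (Exception notThisType) {
                // not this type; keep trying the remaining candidates
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Path pem = Path.of(args.length > 0 ? args[0] : "ca-chain.pem");           // placeholder path
        Path store = Path.of(args.length > 1 ? args[1] : "truststore.p12");       // placeholder path
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray(); // placeholder password

        List<X509Certificate> chain = loadPemChain(pem);
        System.out.println(pem + ": " + chain.size() + " certificate(s)");
        for (X509Certificate c : chain) {
            String verdict = isUsableCa(c) ? "CA, currently valid" : "NOT usable as CA (no CA:TRUE, or outside validity)";
            System.out.println("  " + c.getSubjectX500Principal() + " -> " + verdict);
        }

        String type = detectKeyStoreType(store, password, "PKCS12", "JKS", "BCFKS");
        System.out.println(store + ": " + (type == null ? "no candidate type could load it" : "loads as " + type));
    }
}
```

Run it as `java TrustStoreCheck ca-chain.pem truststore.p12 changeit`. If the PEM parses but every entry reports "NOT usable as CA", the upload will fail regardless of the instance; if the store loads only as a type other than PKCS12, that matches the "Mismatching key store type" message and points at the store's format rather than at the certificate.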

dougw
Tera Expert

I may be wrong but I'm pretty sure mTLS requires ADCv2, which a PDI will not support.