Get self-signed certificates to work with Cloud Foundry Integration for Eclipse Plug-In
If you are like me you use self-signed certificates in your lab environment, because it is quick and easy. In my Pivotal Cloud Foundry lab I generated a self-signed certificate in the Elastic Runtime configuration. When you have a self-signed certificate you add --skip-ssl-validation to your cf api and cf login commands.
With the latest builds of the Cloud Foundry Integration for Eclipse Plug-In, self-signed certificates have an issue. They generate an error to the effect of:
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
The plug-in asks whether you want to ignore this, but the integration fails regardless: it cannot validate your credentials, so you end up with no Cloud Foundry integration at all.
I really like the Cloud Foundry integration in Eclipse, so I set off to figure out how to make it work. Originally I tried an older version of the plug-in, version 1.7.3, which appeared to work. I was using this with PCF 1.4.0.0, which has just been released. I removed an application, however, and when it did, I believe it removed my apps_manager application which exists in the system org. I know this sounds weird, because 1) the plug-in should not be removing the apps_manager service under any circumstances, and 2) even if it wanted to, the credentials I used in Spring Tool Suite did not have the authority to remove an app from the system org. I did not spend a lot of time looking into this; I just noticed that I removed an application, and all of a sudden my developer console was gone. (Developer Console is now known as Apps Manager).
To get the integration to work you need to add the self-signed certificate from your PCF to your Java keystore. It is important to understand which version of Java you are running, because you may have several versions of Java installed. Typically the version being used is defined by $JAVA_HOME, but you will want to verify which version STS/Eclipse is actually using (the -vm line in eclipse.ini or STS.ini, if one is set, overrides $JAVA_HOME), or else add the certificate to all of your versions.
I use a Mac, and typically the original Java installed by Apple is in /System/Library/Java/JavaVirtualMachines. For example, on my system:
nettles:~ bfeeny$ ls /System/Library/Java/JavaVirtualMachines/
1.6.0.jdk
This however is not the version I am using. When you install later versions, from Oracle for example, they are installed in /Library/Java/JavaVirtualMachines:
nettles:~ bfeeny$ ls /Library/Java/JavaVirtualMachines/
jdk1.7.0_76.jdk
This is the one I am using, and it can be further verified by looking at my $JAVA_HOME:
nettles:~ bfeeny$ echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.7.0_76.jdk/Contents/Home
Java stores its trusted certificates in a keystore, which on my system is located at
$JAVA_HOME/jre/lib/security/cacerts
The first thing to do is extract the self-signed certificate from your Cloud Foundry. An easy way to do this is with openssl: s_client prints the server's certificate in PEM form, and the sed range keeps only the lines between the BEGIN and END markers. Note that without -showcerts only the server's own certificate is printed, which is exactly what you want for a self-signed setup. Before you trust the file, compare its fingerprint (openssl x509 -in /tmp/public.crt -noout -fingerprint -sha256) with the certificate shown in Ops Manager, so that you are trusting your own certificate and not one substituted on the network.
nettles:~ bfeeny$ openssl s_client -connect api.cf.lab.local:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/public.crt
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Pivotal, CN = *.cf.lab.local
verify return:1
DONE
We can verify it is there:
nettles:~ bfeeny$ more /tmp/public.crt
-----BEGIN CERTIFICATE-----
[...]
yJOgifrk3f410LWsoifbs2Rd7re8NOV7Sud15gjCGI/Zw8mFJElSqd0HrPw0WFB/
v55p/cNKgZJQ4bcpZ0Jp7Y7P7FzLcp76wAacljnbYGkXdxCsrtpUd/VxtNzOeIBP
dbQQxW6Ph9cvSx/w28AaoU9DeoqZvOTnQu2Rltfn6lBPijWQWTEXltiS1WPCyyd+
2Gnl+acnNerspdnHn1lte4ydDR+uq2hYnCJSrlMXaR5TAp3dpwMxtSHA71zkVS61
VRU/vLLtyz3JzAmhGepZ6m2vt2vMNPNGKxVS0c/odNI=
-----END CERTIFICATE-----
Of course, if you have access to Ops Manager, you can just go into the Elastic Runtime tile, look at IPs and Ports, and grab the certificate from there, since that is where you created it in the first place. Two items are listed: the first is the public certificate, which is the one you want, and the second is the private key. Only the certificate goes into the keystore; the private key should never be copied out of Ops Manager or imported anywhere. Whether you use openssl or just cut and paste, the result should be the same.
Now you simply have to import the certificate into the Java keystore:
nettles:~ bfeeny$ sudo keytool -import -alias api.cf.lab.local -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/public.crt
Password: <enter your admin password here>
Enter keystore password: <default password is changeit>
Owner: CN=*.cf.lab.local, O=Pivotal, C=US
Issuer: CN=*.cf.lab.local, O=Pivotal, C=US
Serial number: fd47803cc1af3192158f65513be978e9747e9c4f
Valid from: Tue Apr 14 21:44:51 EDT 2015 until: Thu Apr 13 21:44:51 EDT 2017
Certificate fingerprints:
MD5: C4:DA:C3:02:B4:25:FC:A9:1E:A1:FB:3A:E0:F7:B5:AD
SHA1: EB:A4:1E:A5:EA:D4:BE:7A:A3:CD:9B:D4:4D:BF:1F:1C:DD:97:52:ED
SHA256: 12:7C:1E:69:32:D4:28:FE:6B:EE:2A:DE:91:FB:76:5E:A6:1F:29:DA:15:A5:4C:21:E8:4C:73:83:BE:0A:78:77
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.cf.lab.local
]
Trust this certificate? [no]:  yes
Certificate was added to keystore
The fingerprints keytool prints here are the ones to check against the certificate in Ops Manager (or the openssl fingerprint of /tmp/public.crt) before answering yes. Keep in mind that importing into cacerts makes the certificate trusted by every Java application that runs on this JDK, not just Eclipse, and the default keystore password of changeit should be treated as exactly that; when the lab certificate is retired, remove it again with keytool -delete -alias api.cf.lab.local -keystore $JAVA_HOME/jre/lib/security/cacerts.
After this is done, simply restart your Eclipse or Spring Tool Suite application, and it should now allow you to add a Cloud Foundry instance with no issue. If you have already added an instance, simply delete it and re-add it. Fill out your credentials, and all should validate properly.
Update: I passed this on to Pivotal and they have added it to their Knowledge Base!
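The extraction and import steps above leave one gap: nothing on the page checks that the certificate you pulled over the network is the one you generated before it is trusted JVM-wide. The script below is an added example, not part of the original post or of Pivotal's tooling. It reproduces the sed step in Python (every PEM block in an s_client transcript), reports the openssl verify error codes so you can tell a self-signed leaf (num=18) from a private-CA chain (num=19, where the CA certificate rather than the leaf is what belongs in the truststore), and prints SHA1/SHA256 fingerprints in the same colon-separated form keytool shows, so the value can be compared with Ops Manager. The s_client transcript and the certificate body in it are constructed placeholders, not a real X.509 certificate; on a real run you would feed it the captured output of openssl s_client.

```python
"""Check an `openssl s_client` capture before trusting its certificate.

Added example (not from the original post). Standard library only.
The transcript below is constructed; its certificate body is a placeholder
(base64 of an arbitrary byte string), not real DER.
"""
import base64
import hashlib
import re

_PLACEHOLDER_DER = b"placeholder-der-bytes"  # constructed, not a real cert

# Constructed sample of what `openssl s_client -connect host:443 < /dev/null`
# prints for a self-signed server certificate (stderr and stdout combined).
SAMPLE_S_CLIENT_OUTPUT = (
    "depth=0 C = US, O = Pivotal, CN = *.cf.lab.local\n"
    "verify error:num=18:self signed certificate\n"
    "verify return:1\n"
    "CONNECTED(00000003)\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:/C=US/O=Pivotal/CN=*.cf.lab.local\n"
    "   i:/C=US/O=Pivotal/CN=*.cf.lab.local\n"
    "---\n"
    "Server certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_PLACEHOLDER_DER).decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
    "subject=/C=US/O=Pivotal/CN=*.cf.lab.local\n"
    "issuer=/C=US/O=Pivotal/CN=*.cf.lab.local\n"
    "---\n"
    "DONE\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)
VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$", re.M)

# openssl verify error codes that matter for this procedure.
DEPTH_ZERO_SELF_SIGNED_CERT = 18   # server cert itself is self-signed
SELF_SIGNED_CERT_IN_CHAIN = 19     # issued by a private CA; trust the CA


def extract_pem_certs(s_client_output):
    """Same job as the sed range in the post: every PEM certificate block
    in the transcript, in order. Index 0 is the server's own certificate;
    further entries only appear when s_client was run with -showcerts."""
    return ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
            for body in PEM_BLOCK.findall(s_client_output)]


def pem_to_der(pem):
    """Strip the armor lines and base64-decode the body to DER bytes."""
    body = "".join(line for line in pem.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der, algo="sha256"):
    """Digest of the DER encoding as colon-separated upper-case hex pairs,
    the format keytool prints under 'Certificate fingerprints'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_errors(s_client_output):
    """(code, message) pairs from the 'verify error:num=N:...' lines."""
    return [(int(num), msg) for num, msg in VERIFY_ERROR.findall(s_client_output)]


def which_cert_to_trust(s_client_output):
    """Index into extract_pem_certs() of the certificate to import, or None
    when openssl reported no self-signed condition (a public CA already
    validates it and nothing should be added to the truststore)."""
    codes = {code for code, _ in verify_errors(s_client_output)}
    if DEPTH_ZERO_SELF_SIGNED_CERT in codes:
        return 0
    if SELF_SIGNED_CERT_IN_CHAIN in codes:
        certs = extract_pem_certs(s_client_output)
        return len(certs) - 1 if len(certs) > 1 else None
    return None


if __name__ == "__main__":
    for code, msg in verify_errors(SAMPLE_S_CLIENT_OUTPUT):
        print("openssl verify error %d: %s" % (code, msg))
    for i, pem in enumerate(extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT)):
        der = pem_to_der(pem)
        print("cert %d SHA1:   %s" % (i, fingerprint(der, "sha1")))
        print("cert %d SHA256: %s" % (i, fingerprint(der, "sha256")))
    print("import cert index:", which_cert_to_trust(SAMPLE_S_CLIENT_OUTPUT))
```

Run it against a real capture with `openssl s_client -connect api.cf.lab.local:443 < /dev/null 2>&1 > capture.txt` and pass the file contents in place of the sample; if the SHA256 line does not match what Ops Manager shows for the certificate you generated, do not answer yes to keytool's prompt.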