OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

Certificate to the Java certificate store #2327

Open davidhcar opened 10 months ago

davidhcar commented 10 months ago

Expected behavior

Set up maven with ca-certificates-java by bringing maven certificate to the local java certificate store at '/etc/ssl/certs/java/cacerts'. Never experienced this error before with the docker build.

Thank you in advance!!

Actual behavior

Setting up ca-certificates-java (20190405) ...
59.29 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
59.53 Exception in thread "main" java.lang.InternalError: Error loading java.security file
59.53 at java.base/java.security.Security.initialize(Security.java:94)
59.53 at java.base/java.security.Security$1.run(Security.java:79)
59.53 at java.base/java.security.Security$1.run(Security.java:77)
59.53 at java.base/java.security.AccessController.doPrivileged(Native Method)
59.53 at java.base/java.security.Security.(Security.java:77)
59.53 at java.base/sun.security.jca.ProviderList.(ProviderList.java:176)
59.53 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
59.53 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:92)
59.53 at java.base/java.security.AccessController.doPrivileged(Native Method)
59.53 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:91)
59.53 at java.base/sun.security.jca.Providers.(Providers.java:54)
59.53 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
59.53 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
59.53 at org.debian.security.KeyStoreHandler.(KeyStoreHandler.java:50)
59.53 at org.debian.security.UpdateCertificates.(UpdateCertificates.java:65)
59.53 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
59.54 dpkg: error processing package ca-certificates-java (--configure):
59.54 installed ca-certificates-java package post-installation script subprocess returned error exit status 1
59.54 Setting up default-jre-headless (2:1.11-71) ...
59.58 dpkg: dependency problems prevent configuration of openjdk-11-jre-headless:amd64:
59.58 openjdk-11-jre-headless:amd64 depends on ca-certificates-java (>= 20190405~); however:
59.58 Package ca-certificates-java is not configured yet.

Steps to reproduce behavior

Build WebAPI 2.13 release with Docker image

davidhcar commented 9 months ago

@anthonysena @chrisknoll Any idea? It looks like the maven ohdsi repo certificate store is unable to trust to bring the certificate to local java certificate store at this path, '/etc/ssl/certs/java/cacerts'

Appreciate your responses. Thank you!

chrisknoll commented 9 months ago

Would need @alondhe to chime in.

davidhcar commented 9 months ago

@alondhe Appreciate your insights on what might have changed.

anthonysena commented 9 months ago

From discussion on the Atlas WG, we had noted that there is a recent change to Broadsea that might be helpful: https://github.com/OHDSI/Broadsea/commit/1aad75b649c8bf25ebe9fd750b4589caab4966b2

alondhe commented 8 months ago

Sorry for the delay, December was crazy. In Broadsea develop branch, we have made changes to how to use cacerts files:

https://github.com/OHDSI/Broadsea/tree/develop?tab=readme-ov-file#bring-your-own-cacerts-java-keystore-for-ldap-and-snowflake-connections

We don't have coverage of how to generate your cacerts file, but you can find that in many articles online. Generate it (or copy it) on a system in your network that has the proper trusts and then point to it using env variable WEBAPI_CACERTS_FILE.
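
A preflight check for the keystore that `WEBAPI_CACERTS_FILE` points to, as an added example that is not part of the thread or of the Broadsea/WebAPI code. It catches the missing, empty, or wrong-format file (for instance a PEM bundle instead of a Java keystore) before the Docker build does. The function names and the `CACERTS_PASS` variable are hypothetical; `changeit` is assumed as the store password because it is the JDK default for cacerts.

```shell
#!/bin/sh
# Added example: preflight check for the keystore named by WEBAPI_CACERTS_FILE.

# Print the keystore format inferred from the first bytes of the file.
keystore_format() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;       # JKS magic number 0xFEEDFEED
        30*)      echo PKCS12 ;;    # DER SEQUENCE tag, as in a PKCS#12 file
        *)        echo unknown ;;   # e.g. a PEM bundle starting with "-----"
    esac
}

# Return 0 if the file can plausibly serve as a Java trust store.
# Exit codes: 1 missing or unreadable, 2 empty, 3 unrecognised format.
preflight_cacerts() {
    f=$1
    if [ -z "$f" ] || [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "cacerts: '$f' is missing or unreadable" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "cacerts: '$f' is empty" >&2
        return 2
    fi
    fmt=$(keystore_format "$f")
    if [ "$fmt" = unknown ]; then
        echo "cacerts: '$f' is not a JKS or PKCS12 keystore" >&2
        return 3
    fi
    echo "cacerts: '$f' looks like $fmt"
}

# Optional deeper check: let keytool parse the store when a JDK is installed.
# Assumes the default cacerts password unless CACERTS_PASS is set.
keytool_can_read() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found, skipping" >&2
        return 0
    fi
    keytool -list -keystore "$1" -storepass "${CACERTS_PASS:-changeit}" >/dev/null
}

# Usage before the Docker build:
#   preflight_cacerts "$WEBAPI_CACERTS_FILE" && keytool_can_read "$WEBAPI_CACERTS_FILE"
```
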