Keystore source URL - Failed to get JWK Keys
Hi,
I am simply creating a Keystore rule for Google APIs, but getting an error "Keystore source URL - Failed to get JWK Keys" as below screenshot and can't save the rule. What is the cause?
PegaRULES log:
2020-06-16 08:35:12,650 [http-nio-8080-exec-8] [TABTHREAD2] [ ] [ MyApp:01.01.01] (nternal.util.KeyStoreUtilsImpl) ERROR localhost| Proprietary information hidden developer1 - Failed to get JWK Keys javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Thanks,
Pegasystems Inc.
JP
Hi,
Another way to do it is to upload a file, instead of reference directly to URL.
1. Go to https://www.googleapis.com/oauth2/v3/certs by browser. Copy the entire strings into a text file.
2. Select Upload file from auto complete.
3. Upload a file. Then type "JWK" in the Keystore type. Save.
Thanks,
Publicis Sapient
SG
Hi,
Tried doing the same multiple times, But it din't work for me. Getting the same (OIDC flow error) again.
Updated: 21 Jun 2021 4:14 EDT
Pegasystems Inc.
JP
Hi,
Indeed, I've just noticed that my solution above does not work out for myself either. The reason that this error is thrown is because the Pega app server JVM does not have the certificate from the external identity server in its TrustStore. The resolution is to add the full certificate chain (ROOT and intermediate) to the Pega app server JVM cacerts. Please see below the detailed steps.
1. Go to https://www.googleapis.com/oauth2/v3/certs and click the key icon at the left of URL. Click on Certificate from the menu.
2. On "Certificate path" tab, select the ROOT path "caadmin.netskope.com" and click on "Display certificate" button.
3. On "Detail" tab, click on "Copy to File" button.
Hi,
Indeed, I've just noticed that my solution above does not work out for myself either. The reason that this error is thrown is because the Pega app server JVM does not have the certificate from the external identity server in its TrustStore. The resolution is to add the full certificate chain (ROOT and intermediate) to the Pega app server JVM cacerts. Please see below the detailed steps.
1. Go to https://www.googleapis.com/oauth2/v3/certs and click the key icon at the left of URL. Click on Certificate from the menu.
2. On "Certificate path" tab, select the ROOT path "caadmin.netskope.com" and click on "Display certificate" button.
3. On "Detail" tab, click on "Copy to File" button.
4. This will bring up a certificate export wizard. Keep the defaulted option "DER encoded binary X.509 (.CER)" and click next.
5. Specify the file path. The file name is arbitrary.
6. Wizard is completed. The file is exported.
7. Do the steps from 2 to 6 for intermediate path "ca.pega.goskope.com". The 2nd file has to be exported as well.
8. Now, we need to add these certificates to JVM cacerts. In order to do this, you can download open source GUI tool called "Keystore Explorer" from https://keystore-explorer.org/.
9. Install the tool and launch it. You may have to run it as Administrator or you may not be able to save it in a later step. Click on "Open an existing KeyStore".
10. Specify "cacerts" file under %JRE_HOME%\lib\security directory.
11. The initial password of the cacerts keystore file is "changeit".
12. cacerts is opened as below.
13. From Tools menu, select "Import Trusted Certificate" and import two files exported above.
14. Make sure below two lines are added in the list, and save it.
- caadmin.netskope.com
- ca.pega.goskope.com
15. That's it. Now configure Data-Admin-Security-KeyStore as below and test if you can save this instance without an error.
- Reference:
https://community.pega.com/support/support-articles/failed-get-jwk-keys-error
Thanks,