How can the update of ssl certificates be automated ?

Using Elektron SDK Java we can download and update the certificates manually using function

openssl s_client -connect chp02-emea1.thomsonreuters.com:443
openssl s_client -connect chp02-emea2.thomsonreuters.com:443

We would need to understand how we can automate this or why your client library doesn’t validate the certificate automatically.

What is the best practice? Or does your library have an option to disable certificate validation completely?

Find more posts tagged with

elektron

ssl

elektron-sdk

refinitiv-realtime

Accepted answers

Gurpreet

Hi @hilke.prillwitz seems like you are connecting to Refinitiv Contributions Channel using EMA Java. There are a few things to note in this regards.

1. The production and test endpoint URL's have changed. Please refer Contribution Channel technical documents to get the new endpoints. Also subscribe to PCN's to get future notifications.

2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice. The server certificate is not changing on daily or weekly basis. Please see this article on how to build a keystore file for Java and this tutorial on Posting data to Contributions Channel on how to manually import RCC certificate into the keystore file (required for old version of Java only).

3. There is no option to drop to a less secure connection. You might be able to disable certificate validation, but that is a Java thing. Not something that EMA API does. You can view the EMA API source code on the github.

All comments

Gurpreet

Hi @hilke.prillwitz seems like you are connecting to Refinitiv Contributions Channel using EMA Java. There are a few things to note in this regards.

1. The production and test endpoint URL's have changed. Please refer Contribution Channel technical documents to get the new endpoints. Also subscribe to PCN's to get future notifications.

Igor.Piddubnyi

Hi @Gurpreet, let me step in from the technical side and comment to the question.

2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.

We are using Contributions Channel over EMA Java for several years already with the keystore, like described in the guide.

However now we already couple times faced connection interruptions when current certificate expires and getting updated on your servers.

E.g. current certificate has expiration date in Aug 2021. And most likely will be replaced several weeks before this dates.

For our software this will cause unpredicted service interruption, until we recognize the problem and manually update the certificate in the keystore.

Therefor we would like to get deeper technical details about EMA Java library, which are not covered in the public documentation.

Maybe there is a way to configure the library to automatically accept the new certificate, when it is updated on the server? E.g. using custom TrustManager.