For a deeper look into our Elektron API, look into:

Overview |  Quickstart |  Documentation |  Downloads |  Tutorials |  Articles

question

Upvotes
Accepted
1 0 1 1

How can the update of ssl certificates be automated ?

Using Elektron SDK Java we can download and update the certificates manually using function

openssl s_client -connect chp02-emea1.thomsonreuters.com:443
openssl s_client -connect chp02-emea2.thomsonreuters.com:443


We would need to understand how we can automate this or why your client library doesn’t validate the certificate automatically.

What is the best practice? Or does your library have an option to disable certificate validation completely?

elektronrefinitiv-realtimeelektron-sdkssl
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

This incident was finally resolved however the problem itself was nor resolved as the software after implementting your recommendation was not connecting.

Reported log attached

Connection only after roll back to previosu version.Error log.txt

Please pick up and provide a solution which will prevent the problem when certificate expires again.

Kind regards Hilke

error-log.txt (9.3 KiB)

Hello @hilke.prillwitz, You are getting the 'Login stream was closed.' message, which implies that the connection was successful and that it is not a certificate issue anymore.

I would recommend that you request premium support to get someone from professional services to help you with the code. They would like to see this error replicated with the java contributions example.

Upvotes
Accepted
17.2k 47 13 19

Hi @hilke.prillwitz, seems like you are connecting to Refinitiv Contributions Channel using EMA Java. There are a few things to note in this regards.

1. The production and test endpoint URL's have changed. Please refer Contribution Channel technical documents to get the new endpoints. Also subscribe to PCN's to get future notifications.

2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice. The server certificate is not changing on daily or weekly basis. Please see this article on how to build a keystore file for Java and this tutorial on Posting data to Contributions Channel on how to manually import RCC certificate into the keystore file (required for old version of Java only).

3. There is no option to drop to a less secure connection. You might be able to disable certificate validation, but that is a Java thing. Not something that EMA API does. You can view the EMA API source code on the github.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hi @Gurpreet, let me step in from the technical side and comment to the question.


2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.


We are using Contributions Channel over EMA Java for several years already with the keystore, like described in the guide.

However now we already couple times faced connection interruptions when current certificate expires and getting updated on your servers.

E.g. current certificate has expiration date in Aug 2021. And most likely will be replaced several weeks before this dates.

For our software this will cause unpredicted service interruption, until we recognize the problem and manually update the certificate in the keystore.


Therefor we would like to get deeper technical details about EMA Java library, which are not covered in the public documentation.

Maybe there is a way to configure the library to automatically accept the new certificate, when it is updated on the server? E.g. using custom TrustManager.

Upvotes
1 0 0 0

Hi @Gurpreet, let me step in from the technical side and comment to the question.


2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.


We are using Contributions Channel over EMA Java for several years already with the keystore, like described in the guide.

However now we already couple times faced connection interruptions when current certificate expires and getting updated on your servers.

E.g. current certificate has expiration date in Aug 2021. And most likely will be replaced several weeks before this dates.

For our software this will cause unpredicted service interruption, until we recognize the problem and manually update the certificate in the keystore.


Therefor we would like to get deeper technical details about EMA Java library, which are not covered in the public documentation.

Maybe there is a way to configure the library to automatically accept the new certificate, when it is updated on the server? E.g. using custom TrustManager.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hi @Igor.Piddubnyi,

Firstly let me clarify, that creation of keystore file and importing the certificate has nothing to do with EMA API. These are artifacts of how Java implements network encryption.

Secondly, latest version of Java SDK, have COMODO RSA Organization Validation Secure Server CA pre-added to the trust store. So the user does not need to perform this additional action. This step is required only for the older version of Java SDK, which does not trust the Comodo certificate signing authority.

And finally, server certificates are long lived - for 15 years. Once the Comodo certificate is added to the keystore file, this certificate is valid until year 2029. The Refinitiv certificate which will expire every two years, is not needed to be imported into the keystore file. Once expired and renewed, the new certificate will automatically be accepted by your Java runtime, because it trusts the signing server certificate.

For deeper technical details about EMA API, please view the source code in the github. You can also raise an issue or enhancement request there.

keytool -v -list -keystore KeyStore.jks

Owner: CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB

Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB

Serial number: 36825e7fb5a481937ef6d1736bb93ca6

Valid from: Tue Feb 11 19:00:00 EST 2014 until: Sun Feb 11 18:59:59 EST 2029


Upvotes
1 0 0 0

Hi @Gurpreet, thanks for your time and explanation.

We tried to follow your advices in our software and

  • Updated Java to the latest available version: java version "1.8.0_261" Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
  • Verified COMODO RSA Certification Authority is in the root Java cacerts
  • Removed additional Java keystore configuration from OmmConsumerConfig initialization

Unfortunately after those changes our application was failing to start with following exception

Exception Type='OmmInvalidUsageException', Text='Keystore file is missing for connectionType of encryption'

This shows that the following statements from your previous comment are incorrect:

	creation of keystore file and importing the certificate has nothing to do with EMA API
So the user does not need to perform this additional action. This step is required only for the older version of Java SDK

I'm adding also code snippet, showing how we initialize EMA API and respective EmaConfig.xml

 OmmConsumerConfig ommConsumerConfig = EmaFactory.createOmmConsumerConfig("EmaConfig.xml");
            // Following lines were commented upon your suggestion
            //.tunnelingKeyStoreFile("thomsonreuters.jks")
            //.tunnelingKeyStorePasswd("****");
        ommConsumer = EmaFactory.createOmmConsumer(ommConsumerConfig);
        deviceLoginHandle = ommConsumer.registerClient(EmaFactory.createReqMsg().domainType(EmaRdm.MMT_LOGIN), this, ommConsumer);
<?xml version="1.0" encoding="UTF-8"?>
<EmaConfig>
    <ConsumerGroup>
        <DefaultConsumer value="Consumer_1"/>
        <ConsumerList>
            <Consumer>
                <Name value="Consumer_1"/>
                <Channel value="Channel_1"/>
                <Dictionary value="Dictionary_2"/>
                <XmlTraceToStdout value="0"/>
            </Consumer>
        </ConsumerList>
    </ConsumerGroup>

    <ChannelGroup>
        <ChannelList>
            <Channel>
                <Name value="Channel_1"/>
                <ChannelType value="ChannelType::RSSL_ENCRYPTED"/>
                <CompressionType value="CompressionType::None"/>
                <GuaranteedOutputBuffers value="5000"/>
                <ConnectionPingTimeout value="30000"/>
                <TcpNodelay value="1"/>
                <Host value="contrib1-emea1.uat.platform.refinitiv.com"/>
                <Port value="443"/>
            </Channel>
        </ChannelList>
    </ChannelGroup>

    <DictionaryGroup>
        <DictionaryList>
            <Dictionary>
                <Name value="Dictionary_1"/>
                <DictionaryType value="DictionaryType::ChannelDictionary"/>
            </Dictionary>
        </DictionaryList>
    </DictionaryGroup>

</EmaConfig>

After this experiments we still have the same open questions:

  • What is the right way to configure EMA API for data contribution, so that we don't have to update our keystore every time the certificate get's updated on your side?
  • Is it possible to do with ChannelType::RSSL_ENCRYPTED, since we transfer the data over public Internet?
  • We currently "steal" the certificate from your servers like shown below and add it to our keystore. Is this the only way to work with ChannelType::RSSL_ENCRYPTED?

    echo | openssl s_client -servername chp02-emea1.thomsonreuters.com -connect chp02-emea1.thomsonreuters.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Hi Igor, you cannot cherry pick and quote a part of my statement. I said:

Firstly let me clarify, that creation of keystore file and importing the certificate has nothing to do with EMA API. These are artifacts of how Java implements network encryption.

Since EMA and RCC implement contributions on an SSL encrypted channel, a keystore file is required by Java!

The step that is not required is --> importing of the COMODO RSA Organization Validation Secure Server CA into your local keystore file.


What is the right way to configure EMA API for data contribution, so that we don't have to update our keystore every time the certificate get's updated on your side?

The changes in the Refinitiv server certificate will not affect your keystore file, as long as your Java instance recognizes that it has been signed by the CA authority which it trusts.


I would recommend that you contact your Refinitv account manager for a meeting with one of the developers advocate to clarify your doubts.