Using Elektron SDK Java we can download and update the certificates manually using function
We would need to understand how we can automate this or why your client library doesn’t validate the certificate automatically.
What is the best practice? Or does your library have an option to disable certificate validation completely?
Hi @hilke.prillwitz, it seems like you are connecting to Refinitiv Contributions Channel using EMA Java. There are a few things to note in this regard.
1. The production and test endpoint URLs have changed. Please refer to the Contribution Channel technical documents to get the new endpoints. Also subscribe to PCNs to get future notifications.
2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice. The server certificate is not changing on a daily or weekly basis. Please see this article on how to build a keystore file for Java and this tutorial on Posting data to Contributions Channel on how to manually import the RCC certificate into the keystore file (required for old versions of Java only).
3. There is no option to drop to a less secure connection. You might be able to disable certificate validation, but that is a Java thing, not something that the EMA API does. You can view the EMA API source code on GitHub.
Hi @Gurpreet, let me step in from the technical side and comment on the question.
2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.
We have been using Contributions Channel over EMA Java for several years already with the keystore, as described in the guide.
However, we have now already faced connection interruptions a couple of times when the current certificate expires and gets updated on your servers.
E.g. the current certificate has an expiration date in Aug 2021, and most likely it will be replaced several weeks before this date.
For our software this will cause an unpredicted service interruption until we recognize the problem and manually update the certificate in the keystore.
Therefore we would like to get deeper technical details about the EMA Java library which are not covered in the public documentation.
Maybe there is a way to configure the library to automatically accept the new certificate when it is updated on the server? E.g. using a custom TrustManager.
Hi @Gurpreet, thanks for your time and explanation.
We tried to follow your advice in our software and
java version "1.8.0_261" Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Unfortunately, after those changes our application was failing to start with the following exception
Exception Type='OmmInvalidUsageException', Text='Keystore file is missing for connectionType of encryption'
This shows that the following statements from your previous comment are incorrect:
creation of keystore file and importing the certificate has nothing to do with EMA API
So the user does not need to perform this additional action. This step is required only for the older version of Java SDK
I'm also adding a code snippet showing how we initialize the EMA API, and the respective EmaConfig.xml
OmmConsumerConfig ommConsumerConfig = EmaFactory.createOmmConsumerConfig("EmaConfig.xml");
// Following lines were commented upon your suggestion
//.tunnelingKeyStoreFile("thomsonreuters.jks")
//.tunnelingKeyStorePasswd("****");
ommConsumer = EmaFactory.createOmmConsumer(ommConsumerConfig);
deviceLoginHandle = ommConsumer.registerClient(EmaFactory.createReqMsg().domainType(EmaRdm.MMT_LOGIN), this, ommConsumer);
<?xml version="1.0" encoding="UTF-8"?>
<EmaConfig>
    <ConsumerGroup>
        <DefaultConsumer value="Consumer_1"/>
        <ConsumerList>
            <Consumer>
                <Name value="Consumer_1"/>
                <Channel value="Channel_1"/>
                <Dictionary value="Dictionary_2"/>
                <XmlTraceToStdout value="0"/>
            </Consumer>
        </ConsumerList>
    </ConsumerGroup>
    <ChannelGroup>
        <ChannelList>
            <Channel>
                <Name value="Channel_1"/>
                <ChannelType value="ChannelType::RSSL_ENCRYPTED"/>
                <CompressionType value="CompressionType::None"/>
                <GuaranteedOutputBuffers value="5000"/>
                <ConnectionPingTimeout value="30000"/>
                <TcpNodelay value="1"/>
                <Host value="contrib1-emea1.uat.platform.refinitiv.com"/>
                <Port value="443"/>
            </Channel>
        </ChannelList>
    </ChannelGroup>
    <DictionaryGroup>
        <DictionaryList>
            <Dictionary>
                <Name value="Dictionary_1"/>
                <DictionaryType value="DictionaryType::ChannelDictionary"/>
            </Dictionary>
        </DictionaryList>
    </DictionaryGroup>
</EmaConfig>
After these experiments we still have the same open questions:
We currently "steal" the certificate from your servers like shown below and add it to our keystore. Is this the only way to work with ChannelType::RSSL_ENCRYPTED?
echo | openssl s_client -servername chp02-emea1.thomsonreuters.com -connect chp02-emea1.thomsonreuters.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
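The two recurring problems in this thread are that a rotated server certificate only shows up as a production outage, and that the openssl one-liner above extracts only the short-lived leaf certificate into the keystore. The following stand-alone Java utility is an added example written for this page; it is not code from the original post and not part of the EMA Java library. It loads the same JKS keystore the EMA channel uses, reports how many days each trusted certificate has left, then performs a TLS handshake against the contribution host using only that keystore as trust store, so a certificate change is caught by a scheduled check rather than at login time, and prints the server's full chain so the issuer CA (rather than the leaf) can be identified for import. The class name KeystoreCheck, the WARN_DAYS threshold and the command-line arguments are my own assumptions; the host name and port come from the poster's configuration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Pre-flight check for an EMA encrypted channel (added example, not EMA code):
 *  1. lists every trusted certificate in the JKS keystore with its expiry,
 *  2. opens a TLS handshake to the host using ONLY that keystore as trust store,
 *     so a rotated server certificate is detected by this check, not in production,
 *  3. prints the server's chain so the operator can see which issuer CA to trust
 *     instead of pinning the short-lived leaf certificate.
 *
 * Usage (assumed arguments):
 *   java KeystoreCheck thomsonreuters.jks <password> contrib1-emea1.uat.platform.refinitiv.com 443
 */
public class KeystoreCheck {

    // Days before expiry at which we start warning (assumption: 30 days)
    private static final long WARN_DAYS = 30;

    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: KeystoreCheck <keystore.jks> <password> <host> <port>");
            System.exit(2);
        }
        String ksPath = args[0];
        char[] ksPass = args[1].toCharArray();
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        reportKeystoreExpiry(ks);
        boolean ok = handshakeWithTrustStore(ks, host, port);
        // Non-zero exit lets a cron job or monitoring agent raise an alert early.
        System.exit(ok ? 0 : 1);
    }

    /** Print every X.509 entry in the keystore with the days remaining until notAfter. */
    static void reportKeystoreExpiry(KeyStore ks) throws Exception {
        Instant now = Instant.now();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            long daysLeft = Duration.between(now, x.getNotAfter().toInstant()).toDays();
            String flag = daysLeft < 0 ? "EXPIRED" : (daysLeft < WARN_DAYS ? "WARN" : "ok");
            System.out.printf("[%s] alias=%s subject=%s issuer=%s notAfter=%s (%d days)%n",
                    flag, alias, x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                    x.getNotAfter(), daysLeft);
        }
    }

    /**
     * Handshake with the server trusting nothing but the given keystore. This is the
     * same validation the encrypted channel performs, so a failure here predicts a
     * failure at the next EMA login. On success the peer chain is printed.
     */
    static boolean handshakeWithTrustStore(KeyStore ks, String host, int port) {
        try {
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory factory = ctx.getSocketFactory();
            try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
                s.startHandshake();
                Certificate[] chain = s.getSession().getPeerCertificates();
                System.out.println("Handshake OK; server chain (leaf first):");
                for (Certificate c : chain) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.printf("  subject=%s%n  issuer=%s%n  notAfter=%s%n",
                            x.getSubjectX500Principal(), x.getIssuerX500Principal(), x.getNotAfter());
                }
                return true;
            }
        } catch (Exception ex) {
            System.out.println("Handshake FAILED against keystore: " + ex);
            return false;
        }
    }
}
```

A TrustManager that silently accepts whatever new certificate the server presents is equivalent to disabling validation, which is what the thread's first post asked to avoid. Importing the issuer CA shown at the top of the printed chain (with `keytool -importcert`) instead of the leaf means a routine leaf rotation validates without any keystore change, and running this check daily catches the cases where the issuer itself changes before the EMA login does.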