For a deeper look into our Elektron API, look into:
Overview | Quickstart | Documentation | Downloads | Tutorials | Articles
Using Elektron SDK Java we can download and update the certificates manually using function
openssl s_client -connect chp02-emea1.thomsonreuters.com:443
openssl s_client -connect chp02-emea2.thomsonreuters.com:443
We would need to understand how we can automate this or why your client library doesn’t validate the certificate automatically.
What is the best practice? Or does your library have an option to disable certificate validation completely?
Sure, I explained the answer provided below to client on the call and was able to convey the messsage.
This incident was finally resolved however the problem itself was nor resolved as the software after implementting your recommendation was not connecting.
Reported log attached
Connection only after roll back to previosu version.Error log.txt
Please pick up and provide a solution which will prevent the problem when certificate expires again.
Kind regards Hilke
Hello @hilke.prillwitz, You are getting the 'Login stream was closed.' message, which implies that the connection was successful and that it is not a certificate issue anymore.
I would recommend that you request premium support to get someone from professional services to help you with the code. They would like to see this error replicated with the java contributions example.
Hi @hilke.prillwitz, seems like you are connecting to Refinitiv Contributions Channel using EMA Java. There are a few things to note in this regards.
1. The production and test endpoint URL's have changed. Please refer Contribution Channel technical documents to get the new endpoints. Also subscribe to PCN's to get future notifications.
2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice. The server certificate is not changing on daily or weekly basis. Please see this article on how to build a keystore file for Java and this tutorial on Posting data to Contributions Channel on how to manually import RCC certificate into the keystore file (required for old version of Java only).
3. There is no option to drop to a less secure connection. You might be able to disable certificate validation, but that is a Java thing. Not something that EMA API does. You can view the EMA API source code on the github.
Hi @Gurpreet, let me step in from the technical side and comment to the question.
2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.
We are using Contributions Channel over EMA Java for several years already with the keystore, like described in the guide.
However now we already couple times faced connection interruptions when current certificate expires and getting updated on your servers.
E.g. current certificate has expiration date in Aug 2021. And most likely will be replaced several weeks before this dates.
For our software this will cause unpredicted service interruption, until we recognize the problem and manually update the certificate in the keystore.
Therefor we would like to get deeper technical details about EMA Java library, which are not covered in the public documentation.
Maybe there is a way to configure the library to automatically accept the new certificate, when it is updated on the server? E.g. using custom TrustManager.
Hi @Gurpreet, let me step in from the technical side and comment to the question.
2. The certificate has to be imported into the keystore file once - first time only. For successful runs, the same keystore file will suffice.
We are using Contributions Channel over EMA Java for several years already with the keystore, like described in the guide.
However now we already couple times faced connection interruptions when current certificate expires and getting updated on your servers.
E.g. current certificate has expiration date in Aug 2021. And most likely will be replaced several weeks before this dates.
For our software this will cause unpredicted service interruption, until we recognize the problem and manually update the certificate in the keystore.
Therefor we would like to get deeper technical details about EMA Java library, which are not covered in the public documentation.
Maybe there is a way to configure the library to automatically accept the new certificate, when it is updated on the server? E.g. using custom TrustManager.
Firstly let me clarify, that creation of keystore file and importing the certificate has nothing to do with EMA API. These are artifacts of how Java implements network encryption.
Secondly, latest version of Java SDK, have COMODO RSA Organization Validation Secure Server CA pre-added to the trust store. So the user does not need to perform this additional action. This step is required only for the older version of Java SDK, which does not trust the Comodo certificate signing authority.
And finally, server certificates are long lived - for 15 years. Once the Comodo certificate is added to the keystore file, this certificate is valid until year 2029. The Refinitiv certificate which will expire every two years, is not needed to be imported into the keystore file. Once expired and renewed, the new certificate will automatically be accepted by your Java runtime, because it trusts the signing server certificate.
For deeper technical details about EMA API, please view the source code in the github. You can also raise an issue or enhancement request there.
keytool -v -list -keystore KeyStore.jks Owner: CN=COMODO RSA Organization Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Serial number: 36825e7fb5a481937ef6d1736bb93ca6 Valid from: Tue Feb 11 19:00:00 EST 2014 until: Sun Feb 11 18:59:59 EST 2029
Hi @Gurpreet, thanks for your time and explanation.
We tried to follow your advices in our software and
java version "1.8.0_261" Java(TM) SE Runtime Environment (build 1.8.0_261-b12) Unfortunately after those changes our application was failing to start with following exception
Exception Type='OmmInvalidUsageException', Text='Keystore file is missing for connectionType of encryption'
This shows that the following statements from your previous comment are incorrect:
creation of keystore file and importing the certificate has nothing to do with EMA API
So the user does not need to perform this additional action. This step is required only for the older version of Java SDK
I'm adding also code snippet, showing how we initialize EMA API and respective EmaConfig.xml
OmmConsumerConfig ommConsumerConfig = EmaFactory.createOmmConsumerConfig("EmaConfig.xml");
// Following lines were commented upon your suggestion
//.tunnelingKeyStoreFile("thomsonreuters.jks")
//.tunnelingKeyStorePasswd("****");
ommConsumer = EmaFactory.createOmmConsumer(ommConsumerConfig);
deviceLoginHandle = ommConsumer.registerClient(EmaFactory.createReqMsg().domainType(EmaRdm.MMT_LOGIN), this, ommConsumer);
<?xml version="1.0" encoding="UTF-8"?>
<EmaConfig>
<ConsumerGroup>
<DefaultConsumer value="Consumer_1"/>
<ConsumerList>
<Consumer>
<Name value="Consumer_1"/>
<Channel value="Channel_1"/>
<Dictionary value="Dictionary_2"/>
<XmlTraceToStdout value="0"/>
</Consumer>
</ConsumerList>
</ConsumerGroup>
<ChannelGroup>
<ChannelList>
<Channel>
<Name value="Channel_1"/>
<ChannelType value="ChannelType::RSSL_ENCRYPTED"/>
<CompressionType value="CompressionType::None"/>
<GuaranteedOutputBuffers value="5000"/>
<ConnectionPingTimeout value="30000"/>
<TcpNodelay value="1"/>
<Host value="contrib1-emea1.uat.platform.refinitiv.com"/>
<Port value="443"/>
</Channel>
</ChannelList>
</ChannelGroup>
<DictionaryGroup>
<DictionaryList>
<Dictionary>
<Name value="Dictionary_1"/>
<DictionaryType value="DictionaryType::ChannelDictionary"/>
</Dictionary>
</DictionaryList>
</DictionaryGroup>
</EmaConfig>
After this experiments we still have the same open questions:
We currently "steal" the certificate from your servers like shown below and add it to our keystore. Is this the only way to work with ChannelType::RSSL_ENCRYPTED?
echo | openssl s_client -servername chp02-emea1.thomsonreuters.com -connect chp02-emea1.thomsonreuters.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.crt
Hi Igor, you cannot cherry pick and quote a part of my statement. I said:
Firstly let me clarify, that creation of keystore file and importing the certificate has nothing to do with EMA API. These are artifacts of how Java implements network encryption.
Since EMA and RCC implement contributions on an SSL encrypted channel, a keystore file is required by Java!
The step that is not required is --> importing of the COMODO RSA Organization Validation Secure Server CA into your local keystore file.
What is the right way to configure EMA API for data contribution, so that we don't have to update our keystore every time the certificate get's updated on your side?
The changes in the Refinitiv server certificate will not affect your keystore file, as long as your Java instance recognizes that it has been signed by the CA authority which it trusts.
I would recommend that you contact your Refinitv account manager for a meeting with one of the developers advocate to clarify your doubts.
