Certificate Issues.

I am a network security engineer at my company and my customers recently moved to a new VPN solution, and on that new solution they are having issues running Knime Analytics Platform.

I can see their traffic in the firewall being allowed, but the sessions are ending due to certificate errors, most likely because the client Knime application, or the destination end, is not configured to allow the certificate from my firewall as the traffic is being decrypted. This isn’t an uncommon issue, and when we verify traffic safety we can bypass decryption on this traffic, which will then allow the traffic to flow without issue.

My problem is that I cannot determine, nor can my customers define for me, the locations to which the Knime Analytics Platform is reaching out. I see different IP addresses that appear to be either hosted on AWS or Azure, but they change so frequently it is both unreasonable and unmanageable to update it in real time.

Is there a way to determine where the Knime application is reaching out to? Is there somewhere in the configuration I can look?

Also, is there somewhere on the client application I can go to see what certificate store it is using/permitting?

1 Like

Hello,

We already resolved this, but I’m following up here on the forums just for public-facing information-share.

The issue is that adding an intermediary between the AP client on the network, and the KNIME update site remote, creates an interruption in the certificate chain. The solution is to add that intermediate firewall’s certificate into each AP client’s certificate store, so that it can forge a valid end-to-end certificate chain and be happy.

  1. Use a browser to visit one of the update sites and get the root and intermediate certificates saved into .cer files.
  2. Then build the commands to import each certificate one at a time:
    keytool -import -trustcacerts -alias <ca-alias> -file <CA.crt> -keystore jre/lib/security/cacerts
  3. The default password for the certstore (as shown in [1]) is ‘changeit’.

AP should then be able to connect to the update sites and see the lists of available extensions.

Regards,
Nickolaus

[1] KNIME Server Administration Guide

4 Likes
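The three steps above, scripted end to end as an added example (this is not code from the original post, nor from KNIME): the chain is captured with openssl s_client from a machine behind the decrypting firewall, so the firewall's CA shows up as the issuer exactly as the AP client sees it; the bundle is split into one .cer per certificate; the leaf is checked against the captured CA certificates; and only the CA certificates are imported with keytool. It assumes openssl and keytool are on PATH, that the update-site host, the keystore path (the jre/lib/security/cacerts of the AP installation, given as an absolute path) and the store password are supplied by the caller, and that the ‘changeit’ default from the post applies unless overridden.

```shell
#!/bin/sh
# Added example, not code from the original post or from KNIME: capture the
# certificate chain a client behind a TLS-decrypting firewall actually
# receives from a KNIME update site, split it into one .cer per certificate,
# and import every CA certificate (never the server's own leaf) into the AP's
# bundled cacerts with keytool. Assumes openssl and keytool are on PATH; the
# host, keystore path and store password are parameters supplied by the caller.
set -eu

# Print the PEM chain exactly as presented on the wire (leaf first). Through a
# decrypting firewall the issuer is the firewall's CA, not the public CA, and
# that CA certificate is the one the AP client has to trust.
fetch_chain() {        # usage: fetch_chain <host> [port] > chain.pem
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle into <outdir>/cert-1.cer, cert-2.cer, ... and print how
# many certificates were written.
split_chain() {        # usage: split_chain <chain.pem> <outdir>
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.cer", dir, n) }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
        END                           { print n + 0 }' "$bundle"
}

# Exit 0 when the certificate is a CA certificate (basicConstraints CA:TRUE).
# Only CA certificates belong in a trust store.
is_ca_cert() {         # usage: is_ca_cert <file.cer>
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check that the captured leaf verifies against the captured CA certificates
# before anything is written to the keystore. Exit 0 on success.
verify_chain() {       # usage: verify_chain <outdir>
    dir=$1
    cas=$(mktemp)
    for f in "$dir"/cert-*.cer; do
        if is_ca_cert "$f"; then cat "$f" >>"$cas"; fi
    done
    if openssl verify -CAfile "$cas" "$dir/cert-1.cer" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cas"
    return $rc
}

# Import each CA certificate under an alias derived from its subject hash,
# skipping aliases already present so the script can be re-run safely. Prints
# the number of certificates newly imported.
import_ca_certs() {    # usage: import_ca_certs <outdir> <keystore> [storepass]
    dir=$1; store=$2; pass=${3:-changeit}
    count=0
    for f in "$dir"/cert-*.cer; do
        is_ca_cert "$f" || continue
        ks_alias="fw-$(openssl x509 -in "$f" -noout -subject_hash)"
        if keytool -list -keystore "$store" -storepass "$pass" -alias "$ks_alias" >/dev/null 2>&1; then
            continue
        fi
        keytool -importcert -trustcacerts -noprompt -alias "$ks_alias" -file "$f" \
            -keystore "$store" -storepass "$pass" >/dev/null 2>&1
        count=$((count + 1))
    done
    echo "$count"
}
```

Typical use on an affected client is `fetch_chain <update-site-host> > chain.pem`, then `split_chain chain.pem certs`, `verify_chain certs` and finally `import_ca_certs certs /path/to/knime/jre/lib/security/cacerts changeit`. Running `fetch_chain` once from inside the firewall and once from outside it is also the quickest way to confirm that it really is the firewall's CA, and not the update site's public CA, that the client is being asked to trust; if `verify_chain` fails, the capture is missing an intermediate and should not be imported as is.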
