However, without bypassing the cert validation, I see the following when posting:
caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As far as I have read, I need to get the cert from the endpoint and place it on the machine running Ignition. In which directory should that be placed?
@Kevin.Herron following that instruction to place it in supplemental certs, I have placed the root certificate of the target endpoint (Kafka Lenses) into the folder as follows and restarted the service.
No, that should be it for Ignition 8.x. What scope are you testing your scripting call in? Adding it to the supplemental cert folder only brings it in for the gateway scope.
Right now I’m working in the script console to get it up to the point where I can get a response and learn how to parse through it. The end game will be on a gateway script timer or in a UDT.
This machine runs 8.1.13. Sorry if this is a duplicate, but it's related to web sockets. What we are trying to do is have a way to get a filtered response from Kafka, since the topic itself is terabytes in size. The Lenses SQL API allows this and I have it working in the Google web socket tester.
Just working through the mechanics of making it work in the Ignition environment.
Make a gateway message handler that delegates to a script module. In the designer script console, use system.util.sendRequest() to trigger your code and receive the result. The actual request to Kafka will then come from the gateway as you intend in the future, and will use its certificate store.
@PGriffith I have a different case now that does require the use of mutual TLS. As I read above the system.net.httpClient native to Ignition cannot do mTLS, is that correct?
My eventual target is in Java but for testing it is often convenient to get things working from the python script console first.
Yeah, that is what I am seeing. Anyways, once I do get it figured out in Java, I'll post it back up here so the next person that comes along can use it for reference.
Here the SSL cert auto-renewal API that we are starting to work with requires mTLS.
And to make the entire handshake work, it was also necessary to add the server cert to the JVM cacert store with the advice listed here. You can download the server cert directly from the browser; we downloaded it in PKCS7 format.
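The cacerts step from the last post, written out as an added shell example (not code from the thread or from Inductive Automation): it converts a PKCS7 file exported from the browser into PEM and imports it into the JVM truststore with keytool. The Java home, the `.p7b` filename, the alias and the default cacerts password `changeit` are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example: import a browser-exported PKCS7 server certificate into the
# JVM cacerts that the Ignition gateway runs on. Paths and alias are assumptions.
set -eu

# Resolve the cacerts file under a Java home. Java 8 JREs keep it under
# jre/lib/security; Java 9 and later keep it under lib/security.
cacerts_path() {
  java_home="$1"
  if [ -f "$java_home/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$java_home/jre/lib/security/cacerts"
  else
    printf '%s\n' "$java_home/lib/security/cacerts"
  fi
}

# Convert the .p7b export (browsers usually write DER, sometimes PEM) into a
# PEM bundle containing every certificate in the chain.
pkcs7_to_pem() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null \
    || openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2"
}

# Import the PEM bundle into cacerts under the given alias. -trustcacerts lets
# keytool validate the chain against roots already in the store; -noprompt skips
# the interactive "Trust this certificate?" question. The store password is the
# JDK default; change it if your store uses a different one.
import_into_cacerts() {
  pem="$1"; alias="$2"; store="$3"
  keytool -importcert -noprompt -trustcacerts \
    -alias "$alias" -file "$pem" \
    -keystore "$store" -storepass changeit
  # Confirm the entry is present; the JVM reads cacerts only at startup, so the
  # Ignition service still has to be restarted after this.
  keytool -list -keystore "$store" -storepass changeit -alias "$alias"
}

# Usage: ./import-cert.sh /path/to/java-home server.p7b my-endpoint-alias
if [ $# -ge 3 ]; then
  store="$(cacerts_path "$1")"
  pkcs7_to_pem "$2" /tmp/server-chain.pem
  import_into_cacerts /tmp/server-chain.pem "$3" "$store"
fi
```

The supplemental certs folder mentioned earlier in the thread is the Ignition 8.x mechanism for the gateway scope; this script covers the extra JVM-level import the last post found necessary.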