Alteryx Connect Knowledge Base


How To: Add Web Connection Certificate to Alteryx Connect Keystore

Alteryx

This article explains how to add a certificate to Alteryx Connect's Java Keystore (cacerts). This is useful when the Alteryx Connect service needs to make a direct SSL-based web connection, e.g. to retrieve a metadata XML file from an internal SAML provider whose SSL/HTTPS certificate is self-signed or internally signed and so may not be trusted by a globally trusted CA or similar. This process is not intended to resolve SSL connection issues with Metadata Loader processes. Typically, it is only necessary when configuring SAML-based authentication with an on-premises SAML identity provider.

An error message similar to the following may also indicate that you need to add a certificate to this store:

org.opensaml.saml2.metadata.provider.MetadataProviderException: org.opensaml.saml2.metadata.provider.MetadataProviderException: Error retrieving metadata from {metadataURL}.xml
...(trimmed)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...(trimmed)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...(trimmed)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

 

Prerequisites

 

  • Alteryx Connect >= 2018.1
  • Remote Desktop (RDP) or other direct access to the Alteryx Connect machine
  • Windows Administrator account on the Alteryx Connect machine
  • Certificate (.cer) or other X509 certificate file available to import
    • This certificate should ideally be the Certificate Authority (CA)'s root signing certificate, but can also be the certificate used for the remote machine itself
    • If you are not sure where to obtain this certificate, reach out to an administrator or support group for the CA, or your IT team for assistance

 

Procedure

 

  1. Verify that the certificate file is available on the Alteryx Connect machine's local file system
  2. Open a Command Prompt (cmd.exe) as Administrator on the Alteryx Connect machine's desktop
  3. Change directory to the Java bin directory of your Alteryx Connect installation. Replace {InstallDir} in the command below with the root path of your Alteryx Connect installation.
  4. Press Enter

    Command Line:
    cd "{InstallDir}\jre\bin"

    Example:
    cd "C:\Program Files\AlteryxConnect\jre\bin"



  5. Use the keytool.exe utility to insert the certificate. Replace {cert} in the command below with the full path to the certificate file being used. Replace {InstallDir} with the root path of your Alteryx Connect installation. Replace {alias} with a desired identifier for the certificate you are inserting.

    Command Line:
    keytool.exe -importcert -file "{cert}" -keystore "{InstallDir}\jre\lib\security\cacerts" -alias "{alias}" -storepass changeit

    Example:
    keytool.exe -importcert -file "C:\Users\username\Desktop\CACert.cer" -keystore "C:\Program Files\AlteryxConnect\jre\lib\security\cacerts" -alias "ADFS_Web" -storepass changeit


  6. Press Enter
  7. Executing the command above should return information about the certificate and a prompt asking whether to trust it. Make sure the returned information matches the expected values, then type yes at the prompt.
  8. Press Enter
     



  9. Verify that the command returns: Certificate was added to keystore
    1. If you receive an error, review the error message and make any corrections necessary.
  10. Restart the Alteryx Connect service to apply the changes.
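
The procedure above as a single PowerShell script, with the check in step 7 made explicit: the certificate's SHA-256 fingerprint is compared against a value obtained out of band before anything is trusted. This is an added example, not Alteryx's own code, and it goes beyond the steps above by checking for an existing alias and backing up cacerts first. The parameter names, the -ExpectedSha256 input and the backup file name are assumptions, and keytool's -noprompt option replaces the interactive yes prompt.

```powershell
# Added example, not Alteryx-provided. Parameters mirror the article's placeholders.
# -ExpectedSha256 is an assumed input: the fingerprint your CA administrator gave you out of band.
param(
    [Parameter(Mandatory)] [string] $CertFile,        # {cert}
    [Parameter(Mandatory)] [string] $InstallDir,      # {InstallDir}
    [Parameter(Mandatory)] [string] $Alias,           # {alias}
    [Parameter(Mandatory)] [string] $ExpectedSha256
)
$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'jre\lib\security\cacerts'
$certPath = (Resolve-Path $CertFile).Path

# 1. Fingerprint = SHA-256 over the DER encoding, so PEM and DER files give the same value.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
if ($actual -ne $wanted) { throw "SHA-256 fingerprint mismatch: file has $actual" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Stop early if the alias is already taken (keytool exits 0 when the alias is present).
& $keytool -list -keystore $keystore -storepass changeit -alias $Alias | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $keystore" }

# 3. Keep a restorable copy of the trust store before changing it.
$backup = "$keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $keystore -Destination $backup

# 4. Import. -noprompt is acceptable here only because step 1 already checked the fingerprint.
& $keytool -importcert -noprompt -file $certPath -keystore $keystore -alias $Alias -storepass changeit
if ($LASTEXITCODE -ne 0) { throw "keytool import failed; restore $backup if the keystore changed" }

# 5. Confirm the entry is present, then restart the service as the article's last step says.
& $keytool -list -keystore $keystore -storepass changeit -alias $Alias
Write-Host "Backup at $backup. Restart the Alteryx Connect service to apply the change."
```

Run it from an elevated PowerShell session on the Alteryx Connect machine; the fingerprint may be passed with or without colon separators.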

  
