Check for a valid SSL certificate or proxy filter setting error message in Jitterbit Design Studio

Overview

This error message occurs while trying to log in to Jitterbit Studio or Jitterbit Cloud Data Loader. Follow the steps below to troubleshoot what is causing the error to occur and to resolve the error.

Step 1: Verify you can log into the Management Console with the same desktop machine

Verify that you can log into the Jitterbit Management Console from the same desktop machine that the Jitterbit Studio Is running on.

Step 2: Verify Jitterbit Studio is using the Java version installed with the product

Jitterbit Studio and Jitterbit Cloud Data Loader should be running on the Java version that is installed with the product.

• Open <Jitterbit Studio Home>\configuration\client.properties in a text editor.

• Search for "JRE_HOME" in the file for instructions

• Verify the client.properties file has not been modified to point to a different Java version.

Step 3: Verify IP allowlist

Verify if your browser is using a proxy server (such as Websense), a web filter (such as zScaler), a SSL inspection service on outgoing connections (such as Websense or zScaler) or a VPN (such as Pulse Secure) and make sure the correct Jitterbit sites are included in the IP allowlist.

• You may have to contact your Network Administrator or the third-party vendor that set up your Internet access to verify what browser services are being used.
• The following addresses will need to be included in the IP allowlist for these services: *jitterbit.com, *jitterbit.eu and *jitterbit.net.
• If the proxy server, web filter, packet inspection service or VPN also use a trusted root CA certificate, please follow the steps below to add the certificate to the Jitterbit Java KeyStore.

Step 4: Verify SSL certificate is not located in the Jitterbit Java KeyStore

The error frequently occurs when a signed SSL or CA xxxxxxx.cer certificate is not located in the Jitterbit Java KeyStore. The error will also occur if a SSL inspection service, web filter, proxy server, or VPN changes which certificate is used and the certificate is not located in the Jitterbit Java KeyStore.

• You need to identify which certificates are being used and install each of them into the \jre\lib\security folder that Jitterbit included in the product installation.
• A process must be developed to install the certificate in the \jre\lib\security folder that Jitterbit ships with the product each time you upgrade or re-install Jitterbit.
• Each time you change the certificate(s) that are used, it will be necessary to get the certificate(s) from your Network Administrator or the third-party vendor and install them in the \jre\lib\security folder that Jitterbit ships with the product..

How to get the list of security certificates

• Run this command from within the Java\jre\lib\security folder: > keytool -list -v -keystore cacerts
• Verify the certificates are all located in <Jitterbit Studio>\jre\lib\security\.
• To add certificates that are not located in <Jitterbit Studio>\jre\lib\security\, follow the steps below.

How to add a new certificate to the Jitterbit Studio keystore

Command using Java keytool

The Java Keytool Command is:

> <Jitterbit Studio Home>\jre\bin\keytool -importcert -trustcacerts -alias <alias> -file <certfile> -keystore "<Jitterbit agent Home>\jre\lib\security\cacerts"

> cd C:\Program Files (x86)\Jitterbit Cloud Data Loader\jre\bin
> C:\Program Files (x86)\Jitterbit Cloud Data Loader\jre\bin\keytool -importcert -trustcacerts -alias Websense -file C:\temp\cacerts\xxxxx.cer -keystore "C:\Program Files (x86)\Jitterbit Cloud Data Loader\jre\lib\security\cacerts"

Additional KeyTool command resources:

• Adding certificates to keystore for private agents
• https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
• https://azure.microsoft.com/en-us/documentation/articles/java-add-certificate-ca-store/

Instructions for using portecle

1. Download and install Portecle.

2. First, be certain which JRE or JDK is being used to run your program. On a 64-bit Windows 7, there can be quite a few JREs. Process Explorer can help you with this, or you can use this Jitterbit script command:

   System.out.println(System.getProperty("java.home"));
   

3. Copy the file JAVA_HOME\lib\security\cacerts to another folder.

4. In Portecle, click File > Open Keystore File

5. Select the cacerts file.

6. Enter this password: changeit

7. Click Tools > Import Trusted Certificate

8. Browse for the file mycertificate.pem

9. Click Import

10. Click OK when the trust path warning displays.

11. Click OK when the details about the certificate display.

12. Click Yes to accept the certificate as trusted.

13. When it asks for an alias, click OK.

14. Click OK when message indicating it has imported the certificate displays.

15. Click Save. Don't forget to do this or the change will be discarded.

16. Copy the file cacerts back to its original location (JAVA_HOME\lib\security\cacerts).

Turn on SSL debug logging to determine which certificate is not being accepted

1. Turning on logging will show what is causing the error. It will show which certificate is not being accepted. The certificate will need to be added to the Jitterbit Java KeyStore by following the steps above.

2. Open <Jitterbit Studio Home>\configuration\client.properties in a text editor

3. Make a note of the current value of the STARTUP_ARGUMENTS property

4. Change the STARTUP_ARGUMENTS property to:

   STARTUP_ARGUMENTS='-Djavax.net.debug=ssl:handshake -Xms512m -Xmx1024m -Djava.util.Arrays.useLegacyMergeSort=true'
   

5. Save the file

6. Launch Jitterbit Studio and attempt to log in

7. Once the error displays, dismiss the error dialog

8. Go to the folder C:\Users\[windows username]\JitterbitStudio\

9. Zip up the logs sub-folder

10. Create a support case and attach the zip file to the support case

11. Reset the startup argument property back to its original value to turn off logging