Using JwtCreatorCallout to call Google Analytics API

Trying to configure the above callout on a private cloud install. We've uploaded the jars and we are trying to configure a proxy to test it. We first tested the callout using the testdata and it generated a key which looked correct, delimited by periods. So we then tried to configure our key and claims for the Google API. I'm invoking the test proxy by hitting it with test params, and my trace is returning this error:

com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalStateException: Didn't find OpenSSL key
    at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2203)
    at com.google.common.cache.LocalCache.get(LocalCache.java:3937)
    at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3941)
    at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4824)
    at com.apigee.callout.jwtsigned.JwtCreatorCallout.getRsaSigner(JwtCreatorCallout.java:140)
    at....

The callout config is here with altered values for the key and issuer:

<JavaCallout async="false" continueOnError="false" enabled="true" name="Java-Callout-2">
  <DisplayName>Java Callout-2</DisplayName>
  <Properties>
    <Property name="algorithm">RS256</Property>
    <!-- private-key and private-key-password used only for algorithm = RS256 -->
    <Property name="private-key">-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCF5wUP/6a0ZjmH 9YauIxsWphCwDvo28XbSdjpr7Zn2Wx2m2vemanhCaZhLbkwJLsNwKmi/wt44rFyr fwkNtDD74xd90JduJ2Y0ilRRgUwsmzIDaD1hs5DKkLnEnpy7YvGjnu0gfVKnhLvi bLfzGYtfn5QREIzX1NjYKGMSW4FleEiAXqBfg1+E4KT0d1uoC9xi8gNMt+yGLcZd jN5HboleGgxEckjyi3qXXCEW/jbuZh21RApkjbjaMtoDy8zfEhqiEQDDjAhoOzF+ xekO8kSyuYlWqy8hrOORePnK/WNR/+m3uxYCxwrEGiETCuq3wSgmrb8P256xuE2z -----END PRIVATE KEY-----</Property>
    <!-- standard claims -->
    <Property name="iss">myblahblah-service-acc@test-ga-api-193616.iam.gserviceaccount.com</Property>
    <Property name="aud">https://accounts.google.com/o/oauth2/token</Property>
    <Property name="exp">1800</Property> <!-- in seconds -->
    <!-- custom claims -->
    <Property name="scope">https://www.googleapis.com/auth/analytics.readonly</Property>
  </Properties>
  <ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
  <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.14.jar</ResourceURL>
</JavaCallout>


I'm sorry. That is an unfortunately unhelpful error message.

Is it possible that the PEM for the private key you are using is corrupted?

Can you double-check the PEM? See if you can instantiate a key via openssl with it, or with a nodejs library (for example, NodeRSA). Doing this would confirm the PEM string is valid.

See also, the GenerateJWT policy here:

6460-check-for-jwt-policies.gif

I double-checked the PEM using the cert and it matched. I added the kid which was missing, and get the same error. I didn't find too many hits on this trace. I'll keep checking it; I must have missed something.

How did you check the PEM "using the cert"? I would like to verify that the PEM can be de-serialized into an RSA private key. That is what the Java library is trying to do. If you could prove that the PEM can be deserialized using a different tool or library, then that would verify that the PEM is correct.

Adding the kid - I think that should not affect de-serializing the PEM.
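The check the reply above asks for (can the PEM be deserialized into an RSA private key?), as an added example that is not part of the original thread and not Apigee's code. It uses Node's built-in crypto module instead of NodeRSA, rebuilds the line breaks that are lost when a PEM is pasted into an XML property, and runs on a throwaway key generated locally; the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// PEM labels and the private-key container each one denotes.
const CONTAINERS = {
  "PRIVATE KEY": "PKCS#8, unencrypted",
  "RSA PRIVATE KEY": "PKCS#1 (OpenSSL traditional)",
  "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted (passphrase required)",
};

// Rebuild PEM armor whose line breaks were lost, e.g. after pasting into an XML property.
function normalizePem(text) {
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(text);
  if (!m) return null;
  const lines = m[2].replace(/\s+/g, "").match(/.{1,64}/g) || [];
  const pem = [`-----BEGIN ${m[1]}-----`, ...lines, `-----END ${m[1]}-----`, ""].join("\n");
  return { label: m[1], pem };
}

// Try to deserialize the PEM into an RSA private key and report what was found.
function checkRsaPrivateKeyPem(text) {
  const norm = normalizePem(text);
  if (!norm) return { ok: false, reason: "no PEM armor found (binary DER or PKCS#12 input?)" };
  const container = CONTAINERS[norm.label] || `unrecognized label "${norm.label}"`;
  try {
    const key = crypto.createPrivateKey({ key: norm.pem, format: "pem" });
    if (key.asymmetricKeyType !== "rsa") {
      return { ok: false, container, reason: `key type is ${key.asymmetricKeyType}, not rsa` };
    }
    return { ok: true, container, bits: key.asymmetricKeyDetails.modulusLength };
  } catch (err) {
    return { ok: false, container, reason: err.message };
  }
}

// Constructed sample input: a throwaway key generated locally, not a key from the thread.
function demo() {
  const { privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const pkcs8 = privateKey.export({ type: "pkcs8", format: "pem" });
  const pkcs1 = privateKey.export({ type: "pkcs1", format: "pem" });
  const rows = pkcs8.trim().split("\n");
  return {
    flattenedPkcs8: checkRsaPrivateKeyPem(pkcs8.replace(/\n/g, " ")),
    flattenedPkcs1: checkRsaPrivateKeyPem(pkcs1.replace(/\n/g, " ")),
    // Header, six base64 rows, footer: armor looks fine but the DER inside is cut short.
    truncated: checkRsaPrivateKeyPem([...rows.slice(0, 7), rows[rows.length - 1]].join(" ")),
    notPem: checkRsaPrivateKeyPem("binary PKCS#12 bytes would land here"),
  };
}

console.log(demo());
```

The `container` field shows which armor label the string carries, which is the first thing to compare against what the consuming library expects.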

It's not corrupt, it's in the PKCS12 format from Google. I need to convert it to the expected format.

My coworker changed the callout and got the key to work. I didn't see his source, but he described it in this way:

  1. The Apigee Java code does not work. Not sure how it worked for anyone using the signature processing logic. In the code it had an old / renamed method – for the generatePrivateKey() method. I restored that one and removed the new one. That fixed the problem.

Thanks for your time and help.