Trying to configure the above callout on a private cloud install. We've uploaded the jars and we are trying to configure a proxy to test it. We first tested the callout using the testdata and it generated a key which looked correct, delimited by periods. So we then tried to configure our key and claims for the Google API. I'm invoking the test proxy by hitting it with test params; my trace is returning this error:
com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalStateException: Didn't find OpenSSL key
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2203)
at com.google.common.cache.LocalCache.get(LocalCache.java:3937)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3941)
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4824)
at com.apigee.callout.jwtsigned.JwtCreatorCallout.getRsaSigner(JwtCreatorCallout.java:140)
at....
The callout config is here with altered values for the key and issuer:
<JavaCallout async="false" continueOnError="false" enabled="true" name="Java-Callout-2">
<DisplayName>Java Callout-2</DisplayName>
<Properties>
<Property name="algorithm">RS256</Property>
<!-- private-key and private-key-password used only for algorithm = RS256 -->
<Property name="private-key">-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCF5wUP/6a0ZjmH 9YauIxsWphCwDvo28XbSdjpr7Zn2Wx2m2vemanhCaZhLbkwJLsNwKmi/wt44rFyr fwkNtDD74xd90JduJ2Y0ilRRgUwsmzIDaD1hs5DKkLnEnpy7YvGjnu0gfVKnhLvi bLfzGYtfn5QREIzX1NjYKGMSW4FleEiAXqBfg1+E4KT0d1uoC9xi8gNMt+yGLcZd jN5HboleGgxEckjyi3qXXCEW/jbuZh21RApkjbjaMtoDy8zfEhqiEQDDjAhoOzF+ xekO8kSyuYlWqy8hrOORePnK/WNR/+m3uxYCxwrEGiETCuq3wSgmrb8P256xuE2z -----END PRIVATE KEY-----</Property>
<!-- standard claims -->
<Property name="iss">myblahblah-service-acc@test-ga-api-193616.iam.gserviceaccount.com</Property>
<Property name="aud">https://accounts.google.com/o/oauth2/token</Property>
<Property name="exp">1800</Property>
<!-- in seconds -->
<!-- custom claims -->
<Property name="scope">https://www.googleapis.com/auth/analytics.readonly</Property>
</Properties>
<ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
<ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.14.jar</ResourceURL>
</JavaCallout>
I'm sorry. That is an unfortunately unhelpful error message.
Is it possible that the PEM for the private key you are using is corrupted?
Can you double-check the PEM? See if you can instantiate a key via openssl with it, or with a nodejs library (for example NodeRSA). Doing this would confirm the PEM string is valid.
See also, the GenerateJWT policy here:
I double-checked the PEM using the cert and it matched. I added the kid, which was missing, and get the same error. I didn't find too many hits on this trace. I'll keep checking it; I must have missed something.
How did you check the PEM "using the cert"? I would like to verify that the PEM can be de-serialized into an RSA private key. That is what the Java library is trying to do. If you could prove that the PEM can be deserialized using a different tool or library, then that would verify that the PEM is correct.
Adding the kid - I think that should not affect de-serializing the PEM.
It's not corrupt, it's in the PKCS12 format from Google. I need to convert it to the expected format.
My coworker changed the callout and got the key to work. I didn't see his source but he described it in this way:
Thanks for your time and help.
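Added example, not part of the original thread and not the callout's own code: a Node.js check of the kind suggested above. It reports whether key material is PEM-armored PKCS#8 or PKCS#1, whether the DER length header matches the decoded body, and whether it deserializes into an RSA private key. The function names are hypothetical and the sample keys are constructed at run time.

```javascript
const crypto = require("node:crypto");

// Total length (header + content) declared by the outer DER SEQUENCE, or -1.
function derTotalLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return -1;
  if (der[1] < 0x80) return 2 + der[1];
  const n = der[1] & 0x7f;
  if (n === 0 || n > 4 || der.length < 2 + n) return -1;
  return 2 + n + der.readUIntBE(2, n);
}

// Classify key material, then try to deserialize it into an RSA private key.
function checkPrivateKey(input) {
  const text = Buffer.isBuffer(input) ? input.toString("latin1") : String(input);
  const m = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/.exec(text);
  if (!m) {
    // No PEM armor. Binary DER containers (a .p12 file is one) start with 0x30.
    const isDer = Buffer.isBuffer(input) && input[0] === 0x30;
    return { ok: false, format: isDer ? "binary DER, not PEM" : "unknown" };
  }
  const names = { "PRIVATE KEY": "PKCS#8", "RSA PRIVATE KEY": "PKCS#1" };
  const format = names[m[1]] || m[1];
  const der = Buffer.from(m[2].replace(/\s+/g, ""), "base64");
  const declared = derTotalLength(der);
  if (declared !== der.length) {
    return { ok: false, format, reason: `length mismatch: header declares ${declared} bytes, body has ${der.length}` };
  }
  try {
    // Parse the decoded DER directly so line wrapping in the PEM does not matter.
    const type = m[1] === "RSA PRIVATE KEY" ? "pkcs1" : "pkcs8";
    const key = crypto.createPrivateKey({ key: der, format: "der", type });
    return { ok: key.asymmetricKeyType === "rsa", format, type: key.asymmetricKeyType };
  } catch (e) {
    return { ok: false, format, reason: e.message };
  }
}

// Constructed sample input: a throwaway 2048-bit key generated at run time.
function sampleKeys() {
  const { privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const pkcs8 = privateKey.export({ type: "pkcs8", format: "pem" });
  const pkcs1 = privateKey.export({ type: "pkcs1", format: "pem" });
  const lines = pkcs8.trim().split("\n");
  const truncated = [...lines.slice(0, 7), lines[lines.length - 1]].join("\n");
  const binary = privateKey.export({ type: "pkcs8", format: "der" }); // no armor
  return { pkcs8, pkcs1, truncated, flattened: pkcs8.replace(/\n/g, " "), binary };
}

for (const [name, k] of Object.entries(sampleKeys())) console.log(name, checkPrivateKey(k));
```

Run such a check only on a machine where the private key is already allowed to live, and keep real keys out of forum posts, traces and proxy bundles.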