Troubleshooting SSO Integration Issue with Dockerized DataHub and Truststore Mounting

Original Slack Thread

Hi team.
I have deployed the Docker version of the datahub, and I am testing the integration of SSO login normally. Currently, I have encountered an issue with pending here. Can someone help me for this issue please?

I am using Aauth2.0, and my configuration and error logs are as follows. I did not successfully redirect to the SSO page. i try to mount this jks file to images, after trying mount this jks, the service couldn’t start properly and kept restarting non-stop.
Can anyone give me some guidance?

Hey there! :wave: Make sure your message includes the following information if relevant, so we can help more effectively!

  1. Which DataHub version are you using? (e.g. 0.12.0)
  2. Please post any relevant error logs on the thread!

my datahub version is 0.11.5

I tested it again based on this document, but after configuring it, the datahub couldn’t start properly and kept restarting repeatedly. Can someone help me about this please?

can you retrieve logs from when the service kept restarting after you mounted your truststore? I assume this might point you to the issue

Hi <@U05F2CWUS5C>, good morning. this is the log, From the front of the log, I saw that the ANTLR Tool version does not match. How should I solve it? The password for this test certificate should be correct


the error indicates that the truststore could not be loaded / verified. I don’t have additional info there, but that seems to be a valid issue then. Can you validate the truststore somehow?
Alternatively you could the existing truststore from the docker image and only append your specific certificate to it, then re-mount that one into the container

I have already mounted my certificate to the image. Are you referring to this method?

you’re providing a full jks file, right? That’s normally a container of multiple certificates, not just one (as its a full truststore)

It appears that truststore/jks file is invalid, or has an invalid password specified (according to the logs)

My idea was to copy the original jks file from the container to your local machine, add the required certificates to that jks file, then mount the new, combined jks files to the container

Oh, may I ask where the original files in the datahub front-end read are located?
I can copy it out and then reassemble it for testing, covering the original jks in mount mode

Unfortunately I don’t know the answer to this from the top of my head.
I would assume something like /lib/security/cacerts - but would have to dig into the container myself

thanks Hendrik, I am commenting out the configuration of the SSO section to ensure it starts up properly. I will search for it in the image

When you disable the SSO, the container should start and you could ssh into it - then maybe follow a guide like ? Good luck!

Hi <@U05F2CWUS5C> , good morning.
I found the certificate location in the image, then copied it to the server and used the following command to merge my certificate with it, and then mounted it back into the directory of the image.
command ex: keytool -import -alias a.crt -keystore cacerts -file a.crt
However, there was an error in the screenshot. I tried to search the history but couldn’t find the corresponding solution. I also attached a screenshot of the yml file. Can you give me some guidance? Actually, I couldn’t find any more solutions

Hey :slightly_smiling_face:
I’m no expert with truststores, but that feels like the certificate you have has a “wrong” encryption algorithm provided. Whatever that means :disappointed:
For our setup, we received a full cacerts file from our infra team and I mounted that as a truststore. That was all that was needed to make it work.

HI Hendrik, thanks, I also think so, I will conduct further testing