Collaboration Plug-in setup to use Windows Certificate Store

Started by Manj75, April 04, 2019, 10:37:46 AM


Manj75

I'm in the process of setting up Archi and Collaboration plug-in for use by the Architects on the single model.  I've created an empty GIT repository in Microsoft TFS.  The issue I'm facing is that I think access to the on-premise TFS GIT repo is secure and needs access to the organisation certificate that is held in the Windows Certificate Store.  The error I'm seeing in Archi is:

There was an error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I think that by default the Archi tool is using the JVM setup keystore.  Is there any way to configure it to use the Windows Cert Store?

I've separately installed GIT for Windows and in the setup it is possible to specify the 'Use the native Windows Secure Channel library', which uses the Windows Certificate Stores.  It further sets up the use of the Windows Credential Manager to use AD accounts, but this the issue.

Can you also confirm that Archi Collaboration Plugin has GIT functionality in-built such that an underlying GIT for Windows is not required?  This does seem to be the case just need confirmation.

Help/Guidance is greatly appreciated.

Phil Beauvoir

> Can you also confirm that Archi Collaboration Plugin has GIT functionality in-built such that an underlying GIT for Windows is not required?  This does seem to be the case just need confirmation.

Yes. It uses a JGit library. It doesn't need another git installed.

> Help/Guidance is greatly appreciated.

I can't help on this as I don't use MS TFS. My only recourse would be to Google the error message.
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

Jean-Baptiste Sarrodie

Hi,

In this context you have to add the certificate to the JVM's store. You can find details in Archi's wiki page (on GitHub) that describes the steps needed to create a fully portable version.

I'm not aware of any solution to use the Windows store.

Regards

JB

Manj75

After much research and trialing I have managed to resolve the problem myself and thought I'd update my post to share.  Personally, this should be added to the instructions for the collaboration plug-in.

Setup


  • Microsoft TFS GIT repository created
  • User credentials as setup in Active Directory

Archi Collaboration linking to the repo resulted in an error locating a certificate path, which was because it was using the default list of security providers as defined in the Archi4\jre\lib\security\java.security file.  Note that in this file SunMSCAPI is specified but that does not work.

Resolution

Specify the following 2 Java properties:


  • -Djavax.net.ssl.trustStore=NUL
  • -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

These should not be passed as arguments to the Archi shortcut as this will not work.  The shortcut calls Program Files\Archi4\Archi.exe which is an executable launcher wrapper to Java.  The Java parameters that get passed are listed in Archi.ini file, so add the above two properties to the ini file.  Note, they are both required for it to work.

Start Archi and it will now connect to the repository through HTTPS.

However, I hit another problem regarding user credential authentication with the error occurring on publishing to the Git repo stating: <repo url>: authentication not supported.  This seems to be an issue with JGit - I'll create a new post for this one, but if you know the resolution please post here.

Thanks, Phil and Jean for trying to help.
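As an added example that is not part of the original post or of Archi's code: a small Java diagnostic that lists the trust anchors present in the Windows root store but absent from the JVM's default trust store, which is where the organisation CA behind the PKIX error would show up. The class name `TrustStoreDiff` is hypothetical; it relies on the SunMSCAPI `Windows-ROOT` keystore type, so it runs on Windows only.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name), not Archi or plug-in code.
public class TrustStoreDiff {

    // Trust anchors the JVM would accept for a keystore; null means the JVM default store.
    static Map<String, X509Certificate> anchors(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        Map<String, X509Certificate> out = new TreeMap<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    out.put(fingerprint(c), c);
                }
            }
        }
        return out;
    }

    // SHA-256 fingerprint of the DER encoding, used to compare certificates across stores.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore win = KeyStore.getInstance("Windows-ROOT"); // provided by SunMSCAPI
        win.load(null, null);                                // no file, no password
        Map<String, X509Certificate> windows = anchors(win);
        Map<String, X509Certificate> jvm = anchors(null);
        System.out.printf("Windows-ROOT: %d anchors, JVM default: %d anchors%n",
                windows.size(), jvm.size());
        for (Map.Entry<String, X509Certificate> e : windows.entrySet()) {
            if (jvm.containsKey(e.getKey())) continue;       // trusted by both stores
            X509Certificate c = e.getValue();
            System.out.printf("only in Windows-ROOT: %s (expires %s) sha256=%s%n",
                    c.getSubjectX500Principal().getName(), c.getNotAfter(), e.getKey());
        }
    }
}
```

Run it without the two `-D` properties so the default side reflects the JVM's own store. With `trustStoreType=WINDOWS-ROOT` set, the JVM trusts every root in the Windows store rather than the default list, so the output is also a quick view of how much the trust set changes.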

Phil Beauvoir

Thanks for the research (I know about "much research and trialing"  ;-))

Do you think you could create an issue for this and your other problem on GitHub?

https://github.com/archimatetool/archi-modelrepository-plugin/issues

Phil Beauvoir

> Personally, this should be added to the instructions for the collaboration plug-in.

Because this stuff is open source and there's only me and JB working on it, we obviously can't support and investigate all use cases and configurations. Ideally, and what I hope for, is that users help themselves and others (as you have :-) ) by documenting these things on the wiki. This plug-in is still "under construction" :-)

Thanks!