How to configure AWS Glue to trust custom SSL certificate for SAP OData connection?
Code I’m running:
sap_data = glueContext.create_dynamic_frame.from_options(
connection_type="sapodata",
connection_options={
"ENABLE_CDC": "false",
"connectionName": "sapodata-connection",
"SELECTED_FIELDS": "MANDT,MATNR,VKORG,VTWEG,VMSTA,VMSTD,PRODH,MVGR1,MVGR2,MVGR3,MVGR4,MVGR5,ERDAT,AEDAT,DLTDT",
"ENTITY_NAME": "/sap/opu/odata/sap/ZBI_WAREHOUSE_SRV/MVKESet",
"FILTER_PREDICATE": f"{field_name_delta_1} >= '{delta_date}'",
"JdbcEnforceSsl": "true",
"CustomJdbcCert": f"s3://{s3_bucket}/cert/{cert}"
},
transformation_ctx="sap_data"
)
Error message:
An error occurred while calling o106.getSource.
Glue connector returned client exception. Please retry after some time,
request failed with HTTP IO exception with the following message:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
What I’ve tried / observed:
- The connection **sapodata-connection works fine when I run "Test Connection" in AWS Glue console.
- But when I run the Glue job with the code above, it fails with the SSL certificate error.
- I already set these options:
"JdbcEnforceSsl": "true"
"CustomJdbcCert": "s3://{bucket}/cert/{cert}"
Question: Why does the Glue job fail with PKIX path building failed even though the test connection is successful? Do I need extra configuration to make Glue recognize and trust the custom SSL certificate from SAP OData?
- Language
- English
asked 10 months ago522 views
- Newest
- Most votes
- Most comments
The issue you're experiencing with the PKIX path building failure is related to how AWS Glue handles SSL certificates during job execution versus during connection testing.
When you test the connection in the AWS Glue console, the connection test might be using a different certificate validation mechanism than what's used during actual job execution. This explains why the test succeeds but the job fails.
For SAP OData connections in AWS Glue, there are a few things to check:
-
Certificate format: Ensure your certificate is in the correct format. AWS Glue requires certificates to be DER-encoded and supplied in base64 encoding PEM format.
-
Certificate path: Verify that the S3 path to your certificate is correct and that the Glue job's IAM role has permissions to access this S3 location.
-
Connection properties: For SAP OData connections, the SSL certificate configuration might need to be specified differently than what you're currently using. The "CustomJdbcCert" parameter might not be applicable for SAP OData connections as it's typically used for JDBC connections.
Instead of using "JdbcEnforceSsl" and "CustomJdbcCert" parameters which are more appropriate for JDBC connections, you might need to include the certificate information in the AWS Secrets Manager secret that's associated with your SAP OData connection.
Try creating a secret in AWS Secrets Manager that includes not only your authentication credentials but also references to your SSL certificates. Then associate this secret with your SAP OData connection.
Also, ensure that your SAP OData connection is properly configured with the correct VPC, subnet, and security group settings to allow network connectivity to your SAP system.
Sources
Glue SSL trusted CA | AWS re:Post
AWS Glue JDBC PostgreSQL connection with mutual TLS | AWS re:Post
Create connections - AWS Glue
Scaling RISE with SAP data and AWS Glue | AWS Big Data Blog
answered 10 months ago
can you give me example, AWS Secrets Manager that includes SSL certificates ? so for this we cannot use "JdbcEnforceSsl" and "CustomJdbcCert" right? so you have any options?
answered 10 months ago
Relevant content
asked 10 months ago
