Sunday, October 2, 2016

Configure SSL Certificates in TIBCO BW HTTP Client and Server


     TIBCO ActiveMatrix BusinessWorks can use Secure Sockets Layer (SSL) to secure its network communication. The successor of SSL is Transport Layer Security (TLS); the TIBCO documentation and this post keep the name "SSL" for the feature, but the Java runtime underneath negotiates TLS when both ends support it.

     SSL is a protocol that uses public-key cryptography (certificates and their private keys) to authenticate the parties and set up an encrypted channel. When an SSL connection is requested, the initiator (client) and responder (server) perform a handshake in which the server presents its certificate so the client can check that it is talking to the server it expects; the server may additionally require a certificate from the client (mutual authentication). The handshake also negotiates the cipher suite, i.e. the algorithms used to encrypt and integrity-protect the data exchanged afterwards.

TIBCO ActiveMatrix BusinessWorks can act as an initiator or a responder in an SSL connection.

     To create the certificates you can use keytool, a command-line utility shipped with the Java JDK and JRE. The steps below configure SSL at both the HTTP client and the HTTP server.

Server Side Configuration :

STEP -1 : Creating the server certificate/keystore with keytool.

     As you own the server, you have to create a key pair and certificate that uniquely identify it. As mentioned earlier we use keytool to generate them. The command is as follows (keytool lower-cases the alias, so the entry is stored as techsnib; answer the "first and last name" (CN) question with the hostname clients will connect to, because that is the name a client that verifies hostnames compares against the certificate):

keytool -genkey -alias TechsNib -keyalg RSA -keypass tibco@TechsNib -storepass tibco@TechsNib -keystore keystore.jks

Summary of options used :

-alias        --> Name of the key entry in the keystore. It must be unique within that keystore.

-keyalg       --> Algorithm of the key pair being generated (RSA here); the symmetric cipher used on the wire is negotiated during the handshake, not set here.

-keypass      --> Password protecting the private key entry

-storepass    --> Password protecting the keystore file (keystore.jks)

-keystore     --> Name of the file that acts as the key repository

     Once you run the command you are asked for the distinguished-name fields (name, organisation, city, state, country); answer them and confirm with 'yes'. The entry 'TechsNib' is then stored in keystore.jks and contains both the private key and a self-signed certificate carrying the public key. Two caveats: passwords given with -keypass and -storepass are visible in shell history and process listings, so on a shared machine omit them and let keytool prompt (or use its -storepass:env form), and choose a key size of at least 2048 bits (-keysize 2048) if your JDK's default is smaller.

STEP -2 : Export the server certificate from the JKS file and publish it to clients.

     You now need to give clients the server's certificate (the public key plus identity, signed here by the server itself). Use the following command to export it from the entry you created earlier; the private key stays in keystore.jks and is never exported this way:

keytool -export -alias TechsNib -storepass tibco@TechsNib -file server.cer -keystore keystore.jks

     Once you run the command, the certificate is written in binary DER form to the file server.cer (add -rfc for PEM/base64 output). You can give this file to anyone who wants to connect to your server; it contains no secret. A client should still verify its fingerprint (keytool -printcert -file server.cer) against a value you give them out of band before trusting it.

STEP -3 : Install the certificate/key at the server side.

     Open TIBCO Designer and create a new project. In the project, create an Identity resource (available in the General palette) by providing the location of the keystore.jks file prefixed with "file:///", together with its password.

Now create an HTTP Connection and enable SSL on it, providing the Identity resource created in the previous step.

Create a sample BW process, drag an HTTP Receiver process starter into the design panel and configure it with the SSL-enabled HTTP Connection created in the step above.

Client Side Configuration :

STEP -4 : Import the server certificate into the client trust store.

     Obtain the server's certificate file (server.cer), which the server owner publishes, and import it into your trust store. The trust store is the repository of all certificates the client trusts.

Command :
keytool -import -v -trustcacerts -alias TechsNib -file server.cer -keystore cacerts.jks -keypass tibco@TechsNib -storepass tibco@TechsNib

NOTE : The values passed for -alias and -storepass are local to the client, i.e. you can choose any value; -keypass is ignored here because a trusted certificate entry has no private key. keytool prints the certificate's fingerprint and asks whether to trust it: compare it with the fingerprint the server owner gave you before answering 'yes'.

STEP -5 : Install the certificates at the client side.

     Using TIBCO Designer, open the BusinessWorks project and create an Identity resource (available in the General palette) pointing at the cacerts.jks file:

In the BusinessWorks project, import the server certificate with the menu option:

Tools --> Trusted Certificates --> Import into PEM format, locate the server.cer certificate file and press OK. The converted certificate then appears in the Trusted Certificates folder of your project:

Create a sample BW process, drag a Send HTTP Request activity into the design panel and configure SSL by providing the Trusted Certificates folder and the client identity:

Test Client and Server Communication :

     Using TIBCO Designer, open the BusinessWorks project and load both the client (TestHTTPSender) and server (TestHTTPReceiver) processes. When you trigger a request in the client process, the two sides perform an SSL handshake and the client receives the success response from the server.

NOTE : While loading the client process you may see the error 'No keys found in keystore'. The cause is that cacerts.jks, built in Step 4 with keytool -import, holds only a trusted certificate entry and no private key, while an Identity resource used as a client identity must contain a private key (it is what the client would present if the server demanded client certificates). The server configured above does not demand one, so remove the client identity from the SSL configuration of Send HTTP Request and keep only the Trusted Certificates folder; the handshake then succeeds and the success response is received. If you later need mutual authentication, generate a separate client key pair as in Step 1, export its certificate as in Step 2, add that certificate to the server's trusted certificates and configure the server HTTP Connection to require client authentication, then point the client identity at the client keystore.
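The keytool side of the procedure above (Steps 1, 2 and 4) as one script, together with the check behind the 'No keys found in keystore' note: this is an added example, not code from the original post or from TIBCO. The TechsNib alias and the file names follow the post; the hostname bw-server.example.com, the 2048-bit key size, the one-year validity, the STORE_PASS and RUN_KEYTOOL_FLOW variables and the sample keytool -list output (with made-up fingerprints) are assumptions or constructed for the example. Steps 3 and 5 are done in TIBCO Designer and are not scripted.

```shell
#!/bin/sh
# Added example (not from the original post or from TIBCO): scripts Steps 1, 2 and 4
# with keytool and adds the checks a practitioner wants. Aliases and file names follow
# the post; the server hostname, key size and validity period are assumptions.
set -eu

ALIAS=TechsNib                 # keytool stores aliases lower-cased: techsnib
SERVER_KEYSTORE=keystore.jks   # server identity: private key + certificate
SERVER_CERT=server.cer         # exported certificate (public half only)
CLIENT_TRUSTSTORE=cacerts.jks  # client trust store: trusted certificates only
SERVER_CN=${SERVER_CN:-bw-server.example.com}   # assumption: name clients connect to

# The post puts passwords on the command line, where they end up in shell history
# and in `ps` output. keytool can read them from the environment instead
# (-storepass:env VAR), so the caller exports STORE_PASS and nothing else is typed.
need_pass() { : "${STORE_PASS:?export STORE_PASS before running the keytool steps}"; }

# Step 1: server key pair. -genkeypair is the current name of -genkey; -dname avoids
# the interactive questions, and the CN is the hostname clients will verify.
make_server_keystore() {
  need_pass
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$SERVER_CN, O=TechsNib" \
    -keystore "$SERVER_KEYSTORE" -storepass:env STORE_PASS -keypass:env STORE_PASS
}

# Step 2: export the certificate. -rfc writes PEM instead of binary DER.
export_server_cert() {
  need_pass
  keytool -exportcert -rfc -alias "$ALIAS" -keystore "$SERVER_KEYSTORE" \
    -storepass:env STORE_PASS -file "$SERVER_CERT"
}

# Step 4: import into the client trust store. -noprompt skips the "Trust this
# certificate?" question, so the fingerprint is printed first: compare it with the
# one the server operator gave you out of band before trusting it.
make_client_truststore() {
  need_pass
  keytool -printcert -file "$SERVER_CERT"
  keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$SERVER_CERT" \
    -keystore "$CLIENT_TRUSTSTORE" -storepass:env STORE_PASS
}

# Classify `keytool -list` output read from stdin. A BW Identity resource needs a
# PrivateKeyEntry; a keystore holding only trustedCertEntry lines is a trust store
# and, used as an identity, produces "No keys found in keystore".
classify_listing() {
  awk '
    /, PrivateKeyEntry/  { keys++ }
    /, trustedCertEntry/ { trusted++ }
    END { if (keys > 0) print "identity"; else if (trusted > 0) print "truststore"; else print "empty" }'
}

check_keystore() {  # usage: check_keystore <file>
  need_pass
  keytool -list -keystore "$1" -storepass:env STORE_PASS | classify_listing
}

# Constructed samples of keytool -list output (fingerprints are made up) so the
# classifier can be exercised without a JDK installed.
SAMPLE_IDENTITY_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

techsnib, Oct 2, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

SAMPLE_TRUSTSTORE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

techsnib, Oct 2, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

main() {
  make_server_keystore
  export_server_cert
  make_client_truststore
  echo "$SERVER_KEYSTORE: $(check_keystore "$SERVER_KEYSTORE")"      # identity
  echo "$CLIENT_TRUSTSTORE: $(check_keystore "$CLIENT_TRUSTSTORE")"  # truststore
}

# Run the live keytool flow only when asked, e.g.
#   STORE_PASS='tibco@TechsNib' RUN_KEYTOOL_FLOW=1 sh ssl_setup.sh
if [ "${RUN_KEYTOOL_FLOW:-0}" = 1 ]; then
  main
fi
```

Run it with STORE_PASS exported and RUN_KEYTOOL_FLOW=1 on a machine with a JDK; the two final lines report keystore.jks as "identity" and cacerts.jks as "truststore". That second result is exactly why cacerts.jks cannot serve as the client identity in Step 5: only a keystore that the classifier reports as "identity" can back a BW Identity resource.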

    In this walkthrough the Trusted Certificates are kept inside the project; they can also be kept outside the project to remove that dependency. See: How to store trusted certificates outside of your project

More info ...

You can refer to the TIBCO BW Process Design Guide PDF (Click Here) and search for "Working With Secure Sockets Layer (SSL)" for more on:

  • The connections (FTP, HTTP, JMS, RV) and activities (Send HTTP Request, SOAP Request Reply) that use SSL.
  • Identity Resources - Can be used to store one of the following types of identities.
    1. Username/Password
    2. Certificate/Private Key
    3. Identity File
  • To know about Trusted Certificates
    1. How to add certificates to your project
    2. How to store trusted certificates outside of your project



