Usage of Evaluate Client Certificate with SSL support in Mediator and CentraSite

N/A
N/A
Protected

Academic year: 2021

Introduction
Pre-requisite
Configuration
Configure keystore and truststore
Asset Creation and Deployment
Troubleshooting

Introduction

We use the Evaluate Client Certificate with SSL support run-time action only when we want to invoke the virtual service on a secured port (HTTPS) and ensure that all messages use the SSL protocol.

When this policy action is set for the virtual service, Mediator ensures that requests are sent to the server using the HTTPS protocol (SSL). The policy also specifies whether the client certificate is required. This allows Mediator to verify the client sending the request. If the policy requires the client certificate and if it is not presented, Mediator rejects the message.

When a client certificate is required by the policy, the Integration Server HTTPS port should be configured to request or require a client certificate.

Pre-requisite

This tutorial expects users to have basic knowledge of Mediator and run-time scenarios.

a. Create a web service asset in CentraSite.
b. Create a target instance in CentraSite pointing to the deployment URI of the Mediator where it is hosted.
c. Create and enable the HTTPS ports in Integration Server so that they can be used in the Mediator configuration.

Configuration

Make sure that the security configuration is done in Mediator. For guidance on how to configure the keystore and truststore, refer to the section below or to "Securing Communications with the Server" in the webMethods Integration Server Administrator's Guide. Enable the HTTPS port created under the Integration Server port settings on the Mediator General page of the Mediator Administration screen.

If we want to deploy virtual services with security policies applied, we first have to set up the security configuration settings in Mediator. Go to Mediator and click Security > Keystore. By default you will not find any keystore information out of the box. Click "Create keystore alias" and provide the certificate information as shown in the screenshots below.

a. Provide the location of the keystore you wish to use; for this demo we are using a test keystore.
b. Provide the password for the keystore in the Password / Re-type password fields.

Once the keystore alias is configured, you will find that information in the keystore list. Now create a truststore alias pointing to the "cacerts" file in the same location:

C:\SoftwareAG\IntegrationServer\instances\default\packages\WmMediator\config\resources\security\cacerts

The password for this truststore is "changeit".

Note: This truststore must contain the client certificate used at run time. If it is not there, import the certificate into the truststore.

Once the keystore and truststore are configured, we configure the client certificates by specifying the certificate path.

In Mediator, if a user authenticates with an X.509 certificate, the user has to be mapped to that certificate. The configuration steps to map the user are:

a. Go to the location where the certificate is available and select it.
b. Select the user "Administrator" or any valid IS user by searching for the user in the configuration section (click the search icon next to the search field).

Now configure the security information in Mediator. Open the Mediator console and go to General. The configured keystore and truststore information will be listed there; choose the appropriate one.

Asset Creation and Deployment

Create a web service and then click the Virtualize action in the Actions bar, which opens the Virtualization screen shown below. Provide the virtual service name and then select the endpoint for which you want to create the proxy service.

Once you click the Next button, in the message flow "Receive" step select the option "HTTP and HTTPS" if you want to support both transports.

In the same configuration screen, under the Policy Enforcement section of the accordion, drag and drop the policy action "Evaluate Client Certificate for SSL Connectivity" into the "Enforce" section.

Under it you will find the mechanisms by which consumers can be identified; for this use case we have selected "Registered Consumers".

Click Edit Action and then add the certificate you wish to use as part of the consumer list.

For the consumer application to be used as a consumer of the virtual service we created, go back to the virtual service, click the "Consume" action and search for the application in the Consume dialog.

Once the Consume action is successful, you should see the consumer count increase in the Basic Information profile of the virtual service.

Once done, you can proceed to publish the asset to the desired Mediator instance.

After successful deployment, the virtual service and the consumer associated with it can be verified in the Mediator administration screen.

VSD snippet:

<enforcement-actions allow-anon="false">
  <expressions>
    <expression>
      <params identify="strict" type="httpsCertificate" />
    </expression>
  </expressions>
</enforcement-actions>
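A deployed VSD can be checked for the settings shown in the snippet above before the service goes live. The script below is an added example, not code from the tutorial or from Software AG: it parses an enforcement-actions element (or a whole VSD containing one) and reports when anonymous consumers are allowed or when consumers are not identified strictly by HTTPS client certificate. The "weak" and "missing" fragments are constructed here purely to exercise the checks; the only values taken from the page are allow-anon="false", identify="strict" and type="httpsCertificate".

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the enforcement-actions fragment from the tutorial's VSD.
STRICT_FRAGMENT = """<enforcement-actions allow-anon="false">
  <expressions>
    <expression>
      <params identify="strict" type="httpsCertificate" />
    </expression>
  </expressions>
</enforcement-actions>"""

# Constructed, hypothetical weak variant (attribute values are made up) used only to exercise the checks.
WEAK_FRAGMENT = """<enforcement-actions allow-anon="true">
  <expressions>
    <expression>
      <params identify="lenient" type="httpsCertificate" />
    </expression>
  </expressions>
</enforcement-actions>"""

# Constructed fragment with no httpsCertificate identification expression at all.
MISSING_FRAGMENT = """<enforcement-actions allow-anon="false">
  <expressions/>
</enforcement-actions>"""


def check_enforcement_actions(vsd_xml: str) -> list:
    """Return a list of findings for a VSD or a fragment of one.

    An empty list means every <enforcement-actions> element rejects anonymous
    consumers (allow-anon="false") and identifies them strictly by HTTPS client
    certificate, matching the tutorial's snippet.
    """
    root = ET.fromstring(vsd_xml)
    findings = []
    # iter() yields the root itself when it is the enforcement-actions element,
    # so the same function works on a full VSD and on a bare fragment.
    blocks = list(root.iter("enforcement-actions"))
    if not blocks:
        return ["no <enforcement-actions> element found"]
    for block in blocks:
        anon = block.get("allow-anon")
        if anon != "false":
            findings.append(
                f'allow-anon is {anon!r}; expected "false" so that anonymous consumers are rejected'
            )
        cert_params = [p for p in block.iter("params") if p.get("type") == "httpsCertificate"]
        if not cert_params:
            findings.append(
                'no <params type="httpsCertificate"> expression; consumers are not identified by client certificate'
            )
        for p in cert_params:
            if p.get("identify") != "strict":
                findings.append(
                    f'httpsCertificate identify is {p.get("identify")!r}; expected "strict"'
                )
    return findings


if __name__ == "__main__":
    for label, frag in (("strict", STRICT_FRAGMENT), ("weak", WEAK_FRAGMENT), ("missing", MISSING_FRAGMENT)):
        print(label, check_enforcement_actions(frag) or "OK")
```

Run it against the VSD exported from Mediator; an empty findings list for each virtual service that is supposed to require a client certificate is the expected result.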

Service invocation request should look like this:

POST https://127.0.0.1:9797/ws/VirtualService_EvaluateClientCertificate.VirtualService_EvaluateClientCertificatesoap12https HTTP/1.1
Content-Type: application/soap+xml;charset=UTF-8;action="urn:sayHello"
Content-Length: 282
Host: 127.0.0.1:9797
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:axis="http://ws.apache.org/axis2">
   <soap:Header/>
   <soap:Body>
      <axis:sayHello>
         <!--Optional:-->
         <axis:name>Testing evaluate client certificate demo</axis:name>
      </axis:sayHello>
   </soap:Body>
</soap:Envelope>

Invocation response:

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=UTF-8; action="urn:sayHello"
Content-Length: 274

<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><ns:sayHelloResponse xmlns:ns="http://ws.apache.org/axis2"><ns:return>Hello 9999</ns:return></ns:sayHelloResponse></soapenv:Body></soapenv:Envelope>
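The exchange above can be reproduced with a small client that presents the consumer's certificate during the TLS handshake, which is where Mediator sees it; the certificate is not carried inside the SOAP envelope. This is an added Python example, not code from the tutorial or from Software AG. The host, port, path, headers and envelope are taken from the request shown above; the client certificate, private key and CA-bundle file paths are placeholders, and the script assumes the Integration Server HTTPS port presents a certificate issued by a CA in that bundle and matching the host name or IP used, so that server verification can stay enabled.

```python
import http.client
import ssl
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
AXIS_NS = "http://ws.apache.org/axis2"

# Endpoint from the tutorial's request.
HOST, PORT = "127.0.0.1", 9797
PATH = "/ws/VirtualService_EvaluateClientCertificate.VirtualService_EvaluateClientCertificatesoap12https"


def build_ssl_context(client_cert: str, client_key: str, ca_bundle: str) -> ssl.SSLContext:
    """TLS context that trusts only the given CA bundle and presents the client certificate.

    Paths are placeholders (assumed PEM files). The client certificate is sent in the
    TLS handshake; this is the certificate the policy action evaluates. Server
    verification and host-name checking stay on.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_soap_request(name: str, action: str = "urn:sayHello"):
    """Return (headers, body) for the SOAP 1.2 sayHello request shown in the tutorial."""
    body = (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:axis="{AXIS_NS}">'
        "<soap:Header/><soap:Body>"
        f"<axis:sayHello><axis:name>{escape(name)}</axis:name></axis:sayHello>"
        "</soap:Body></soap:Envelope>"
    ).encode("utf-8")
    headers = {
        "Content-Type": f'application/soap+xml;charset=UTF-8;action="{action}"',
        "Content-Length": str(len(body)),
        "Host": f"{HOST}:{PORT}",
    }
    return headers, body


def invoke(ctx: ssl.SSLContext, name: str, host: str = HOST, port: int = PORT, path: str = PATH):
    """POST the request over mutual TLS and return (status, response body)."""
    headers, body = build_soap_request(name)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def parse_say_hello_response(xml_bytes: bytes):
    """Extract the <ns:return> text from a sayHelloResponse, or None if absent (e.g. a SOAP fault)."""
    root = ET.fromstring(xml_bytes)
    ret = root.find(f".//{{{AXIS_NS}}}return")
    return None if ret is None else ret.text


# Response body from the tutorial's invocation, reproduced here as sample input.
SAMPLE_RESPONSE = (
    b"<?xml version='1.0' encoding='UTF-8'?>"
    b'<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">'
    b'<soapenv:Body><ns:sayHelloResponse xmlns:ns="http://ws.apache.org/axis2">'
    b"<ns:return>Hello 9999</ns:return></ns:sayHelloResponse></soapenv:Body></soapenv:Envelope>"
)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Placeholder arguments: client.pem client-key.pem ca-bundle.pem
        status, data = invoke(build_ssl_context(*sys.argv[1:4]), "Testing evaluate client certificate demo")
        print(status, parse_say_hello_response(data))
    else:
        print("usage: client.py <client.pem> <client-key.pem> <ca-bundle.pem>")
        print("sample response parses to:", parse_say_hello_response(SAMPLE_RESPONSE))
```

If the handshake completes but the response is a SOAP fault, `parse_say_hello_response` returns None and the fault text in the body maps onto the messages in the Troubleshooting section below; if the port is configured to require a client certificate and `load_cert_chain` was skipped, the handshake itself fails.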

Troubleshooting

| S.No | Message | Reason | Steps to be taken |
|------|---------|--------|-------------------|
| 1 | Access Denied exception | The HTTPS port used for invocation is not enabled to allow access by default. | Change the access mode from "Deny by default" to "Allow by default" under the Ports configuration. |
| 2 | Consumer not identified | The certificate used in the consumer application and the certificate passed in the SOAP request from the client do not match. | Check the certificate being passed from the client. |
| 3 | Service requires SSL mutual authentication while executing operation | The certificate is not present in the SOAP request. | Check whether the certificate is present in the SOAP request. |
| 4 | Service requires SSL mutual authentication while executing operation | The certificate is not present in the SOAP request; if it is present, check the latest WSStack fix level. | There have been known issues fixed in WSStack fixes. |
| 5 | No Certificate was sent over HTTPS transport. Identify Consumer using HTTPS Certificate requires communication over HTTPS transport | The "Use JSSE" flag is set to "true". | Under the HTTPS port configuration, check whether the "Use JSSE" flag is set to true; if so, reset it to false and enable the port. |
| 6 | Service requires SSL mutual authentication while executing operation | The certificate is not passed to the native service; Client Authentication is set to "Username/Password". | Change the client authentication mechanism to "Request Client Certificate" or "Require Client Certificate" under the HTTPS port configuration in IS. |

VSD snippet (screenshot)
