• No results found

How to Implement Two-Way SSL Authentication in a Web Service

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "How to Implement Two-Way SSL Authentication in a Web Service"

Copied!
6
0
0

Loading.... (view fulltext now)

Download now ( 6 Page )

Full text

(1)

How to Implement Two-Way SSL Authentication

in a Web Service

(2)

Abstract

You can configure two-way SSL authentication between a web service client and a web service provider. This article explains how to configure the SSL authentication with an Informatica Data Services web service and a soapUI web service client.

Supported Versions

¨ Informatica Data Services 9.1.0

Table of Contents

Overview. . . 2

HTTPS Public Key Infastructure Components. . . 3

Security in Informatica Data Services Web Services. . . 3

Configuration Tasks. . . 3

Step 1. Create Web Service Provider Keystore File. . . 4

Step 2. Create a Keystore File for the Client Certificate. . . 4

Step 3. Import the Certificates in the Trust Store. . . 4

Step 4. Configure the Data Integration Service for Two-Way Authentication. . . 5

Step 5. Create a Web Service Client with SoapUI. . . 5

Overview

When a web service provider or web service client sends data over the network, the data is subject to security risks. To reduce the risks, the web service provider or client must resolve the following security issues:

¨ Authentication. Verify the identity of the user transmitting data and the origin of the data. ¨ Confidentiality. Prevent third parties from deciphering intercepted data.

¨ Data Integrity. Ensure that data is not lost, modified, or destroyed during transmission.

To ensure confidentiality and data integrity, you can configure security at the message transport level. Configure a secure connection for the SOAP messages transmitted between the web service provider and the web service client. Use HTTPS to ensure the integrity and confidentiality of SOAP messages and provide point-to-point security.

This article describes the following processes:

¨ Create a keystore with the keytool utility. Generate a self-signed certificate for a secure Data Integration Service. ¨ Generate a web service client certificate using the keytool utility.

¨ Import client and server certificates to a trust store.

¨ Configure the Data Integration Service for two-way SSL authentication. ¨ Use the soapUI tool to consume a web service.

(3)

HTTPS Public Key Infastructure Components

An HTTPS connection uses a public key infrastructure (PKI) to ensure security for message transfer between the web service provider and the web service client. Typically, PKI includes the following components:

¨ Authentication certificate. A digital certificate that a certificate authority (CA) provides to verify and authenticate parties in internet communications. A certificate authority is a trusted, independent third party that issues digital certificates. A keystore contains digital certificates from a CA. A digital certificate can also be a signed certificate that the web service provider generates.

¨ Trust store. A file that contains authentication certificates that a client uses to authenticate messages from the web service provider.

¨ Client store. A file that contains authentication certificates that a web service provider uses to authenticate messages from the web service client.

Security in Informatica Data Services Web Services

To ensure transport layer security for web services in Informatica Data Services, the web service client authenticates the web service provider and vise versa. In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and the SSL server application verifies the identity of the SSL client application.

Two-way SSL authentication is also referred to as client authentication because the SSL client application presents a certificate to the SSL server after the SSL server authenticates itself to the SSL client.

The following figure shows the certificate configuration for two-way SSL authentication between applications:

Configuration Tasks

Before you can create the example described in this article, you must install Informatica Data Services and deploy a web service to a Data Integration Service.

To complete the examples in this article, perform the following steps:

1. Create a keystore file for the web service provider certificate using the keytool utility. 2. Create a keystore file for web service client certificate using keytool utility.

3. Import the certificates in the trust store using the keytool utility. 4. Configure the Data Integration Service for two-way authentication. 5. Use soapUI to create a web service client.

(4)

Step 1. Create Web Service Provider Keystore File

Use the keytool utility to generate a keystore containing a signed digital certificate to use with a secure web service. Keytool is a key and certificate management utility that you can use to generate and administer private and public key pairs and associated certificates for use with the SSL security protocol. By default, keytool stores the keys and certificates in a file called a keystore. The file is secured with a password.

For information about using the keytool utility to generate a keystore, see the following website: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

1. Open a command prompt and navigate to the following directory: %JAVA_HOME%/jre/bin

2. Run the following command to generate the key:

keytool -genkey -alias <KeystoreAliasforserver> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" keyalg RSA keypass <KeystorePassword> -storepass <StorePassword> -keystore server.keystore

3. To export the key to the server.cert security certificate file, run the following command:

keytool -export -alias <KeystoreAliasforserver> -storepass <StorePassword> -file server.cert -keystore server.keystore

If the command is successful, the command prompt displays the following message: Certificate stored in file server.cert.

Step 2. Create a Keystore File for the Client Certificate

Use the keytool utility to generate a keystore containing a signed digital certificate for a web service client. 1. From the command prompt, run the following command to generate the key:

keytool -genkey -alias <KeystoreAliasforclient> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" keyalg RSA keypass <KeystorePassword> -storepass <StorePassword> -keystore client.keystore

You can use the client host name as the keystore alias and the DN common name. Use the values appropriate for your organization for the other DN elements.

2. Run the following command to generate client certificate in PKCS12 format:

keytool -genkey -alias <KeystoreAliasforclient> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -storetype PKCS12 -keypass <KeystorePassword> -storepass <StorePassword> -keystore client.p12

3. Run the following command to export the key to a security certificate file named client.cert:

keytool -export -alias <KeystoreAliasforclient> -storepass <StorePassword> -file client.cert -keystore client.p12 -storetype PKCS12

If the command is successful, the command prompt displays the following message: Certificate stored in file client.p12

Step 3. Import the Certificates in the Trust Store

Import the client and server certificates in the trust store with the keytool utility.

1. Run the following command to import the contents of the server.cert file to the client trust store file: keytool -import -alias <KeystoreAliasforserver> -keystore client.keystore -file server.cert

The keystore utility prompts you to enter a keystore password. The keystore password is the value of the keypass parameter from Step 1.

(5)

2. Run the following command to import the contents of the client.cert file to server trust store file: keytool -import -alias <KeystoreAliasforclient> -keystore server.keystore -file client.cert

The keystore utility prompts you to enter a keystore password . The keystore password is the value of the keypass parameter from Step 2.

Step 4. Configure the Data Integration Service for Two-Way

Authentication

Configure two-way authentication in the Administrator tool. Edit the security options for the Data Integration Service. 1. Open the Administrator tool.

2. Select the Data Integration Service in the Domain Navigator. 3. Click the Processes tab.

4. In the Service Process Properties, edit the Data Integration Security Options.

5. Enter a HTTPS Port number and click OK.

6. Click HTTP Configuration Options and enter the following fields:

Field Description

Keystore file Path to the server.keystore file. Keystore password Keypass for the server.keystore file. Trust store file Path to the server.keystore file. Trust store password Keypass for the server.keystore file. 7. Click OK.

Step 5. Create a Web Service Client with SoapUI

Create a web service client using the soapUI tool.

SoapUI is an open source web service testing tool that you can use as the web service client. Before you can import a WSDL to a soapUI project, you must configure the SSL settings.

(6)

3. Enter the keystore password.

After you configure the SSL settings, you can import the WSDL to the project and run the web service.

Author

Sumeet K. Agrawal Senior QA Engineer

References

Download now ( PDF - 6 Page - 332.30 KB )

Related documents

Developers Integration Lab (DIL) Certificate Installation Instructions. Version 1.4

keytool -import -v -trustcacerts -alias AEGISROOTCA -file AEGISROOTCA.pem -keystore cacerts.jks -keypass changeit -storepass changeit.. * Enter “yes” or “y” to

DOCUMENTUM CONTENT SERVER CERTIFICATE BASED SSL CONFIGURATION WITH CLIENTS

Select Use certificates check box it will display keystore filename, keystore password file name, Trust store file name, cipher list etc entries in the same page.. Need to change

Contextual study of VC and PE investments: the case of Norway

In order to find an answer to the research question formulated above, we have chosen to study the following variables available in the CSI database: 1) sales revenues, 2) payroll

File Import Client User Guide

• If data contained within the Employee Profile import exceeds the length for the field as indicated in the File Layouts in Appendix A – Import File Fields.. and Formats, page 17,

Version 9. Generating SSL Certificates for Progeny Web

keytool -import -trustcacerts -alias {ALIAS FROM STEP 3} -file {CERTIFICATE FILENAME} -keystore {CERTNAME}.jks –storepass

Creating an authorized SSL certificate

Keytool: Import of the root certificate in the keystore When prompted, give the password as specified in step 1 (Example: “changeit“). Possibly you will be informed that the

Patterns of inward FDI in economies in transition

This article analyses the contribution of foreign direct investment to structural change in various groups of economies in transition: new European Union member

Overview of Web Services API

The keystore contains the SSL certificate that the Cisco IPICS server uses to verify its identity when a client attempts to connect to the server, and the URL for the web