Deploying package with consumer services

I have created a package which contains a number of flow services, including several consumer WSDs pointing to the provider’s services. The WSDL for the consumer service is pointing to a development server. When promoting my package, is there something I need to do in webMethods Designer so I can seamlessly install my package and have the consumer services pointing to the right location, e.g. QA and Production?

Outside of webMethods I know how to deal with multiple WSDLs pointing to dev, QA, and prod. I’m not sure how to do this in webMethods. If it is a matter of RTFM, can someone point me to the right material?

Thank you, and I appreciate all of the help during this initiation to webMethods.

Chris

This is where the “web service endpoint aliases” come in handy, but they only work if the web service path remains the same among the environments. Example:

http://<hostname_dev>[:port]/<path>/<to>/<the>/<web>/<service>
http://<hostname_qa>[:port]/<path>/<to>/<the>/<web>/<service>
http://<hostname_prd>[:port]/<path>/<to>/<the>/<web>/<service>

If the WS path changes between the envs, then you’re out of luck: you’ll have to use the _url and _port parameters (found in any web service connector the Designer created).

If you’re lucky, then you can use the web service endpoint alias:

  • create the web service endpoint alias; refer to the Integration Server Administrator’s Guide (xx-x_Integration_Server_Administrators_Guide.pdf), in the section “Configuring Endpoint Aliases for Web Services”;
  • then you go into the Designer and relate the WS’s Binder to the web service endpoint alias created in the IS Admin. Refer to “Assigning a Web Service Endpoint Alias to a Binder” in the webMethods Service Development Help (xx-x_Service_Development_Help.pdf).

Let me expand on my question. When developing flow/Java services in the Designer, is it best to create the consumer service pointing to the HTTP connection or HTTPS? I would think the latter would be sufficient, and then set up the web service alias.

I can’t say that developing the integration using HTTP or HTTPS makes no difference at all: troubleshooting is by far easier when you don’t have HTTPS in the middle.
However, given all the worries related to information security, you’ll have to deal with HTTPS/SSL sooner or later.

I am a little confused when it comes to the Designer. I have 2 Integration Servers: one has the provider’s services residing on it and the other server is for me to do my custom development. Due to various reasons, using HTTPS is preferred. When I create a new web service description for a consumer service pointing at https://{provider service}:{port} I get a javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target error. I have overcome this once, but it returns after restarting Designer. What I have done is taken the public certificate from the provider’s server and run keytool to create the keystore. In Designer I have updated the config.ini and added javax.net.ssl.trustStore to it, pointing to the JKS file created by keytool. If I have Designer up, I shut it down and start it back up. I create a test consumer service and it works fine, but once I delete it and try to create a new consumer service with the same WSDL URL it gives the above error. What am I missing? This is really getting annoying. I have RTFM and also looked at prior topics posted in the forum.

The questions I have are:

  • Do I need to have both servers’ certificates added to my local machine’s keystore?
  • To have everything work seamlessly, I assume I would add a keystore and truststore alias to the server which calls the provider, correct?
  • Finally, should I develop via Designer creating consumer services using HTTP, then create a web service alias that references the HTTPS?

Based on what you’ve described, you have two Integration Servers (IS), one playing the ‘provider’ role and the other the ‘consumer’ role.

Additionally, as you also do your development and you refer to it as ‘Designer’: if I’m guessing correctly, you actually have what is also referred to as a “local development environment”, where you have the Designer on your notebook/desktop, connected to an IS that happens to reside on the very same box the Designer is on.

Do I need to have both servers’ certificates added to my local machine’s keystore?
To have everything work seamlessly, I assume I would add a keystore and truststore alias to the server which calls the provider, correct?

Well, it depends. Let’s first lay down the names:

  • your development IS, playing the “WS consumer” role - WSC;
  • the IS playing the “WS provider” role - WSP;
  1. If you’re using “non-mutual-credential authentication”, install the certificate’s certification path certificates (the certificates found in the WSP) on the WSC’s IS.
  2. If you’re using mutual-credential auth, then you’ll have to install the certificates on both.

I recommend installing these certificates in a truststore, instead of meddling with the OOB one: IS Admin > Security > Keystores.

Finally, should I develop via Designer creating consumer services using HTTP, then create a web service alias that references the HTTPS?

It’s a way to go.

Reasonably accurate on the environment. I have the SAG Designer on my local desktop and it connects to WSC, where I have developed a flow service. The flow service will call WSP. Currently my flow service is using HTTP, but I need to switch it to HTTPS. We have our own CA, not OOB, for which I have created the JKS to be referenced in the keystore on WSP. Then on WSC I have added a CA (different from WSP) for the keystore, which is referenced by the secure port. I have also added the JKS from WSP to WSC, which is probably wrong, right?

WSP:

WSC:

Using SoapUI I am able to successfully send a request to WSP via HTTPS with no issues. The real issue is SAG Designer on my local desktop, when I try to create a Web Service Descriptor (consumer) using the HTTPS URL for WSP.

I ran a quick test after taking the WSP cert and loading it into my keystore again. I then started SAG Designer and was able to create a consumer service, but when I go to the WSDL tab it has a ValidatorException. If I recall, the last time I had this issue I rebooted my desktop and it finally showed up. I am tempted to blow away my workspace, as I wonder if that is the issue too.

Your patience (I am sure is getting thin) is appreciated.

I believe I have it resolved.


Hi Chris,

can you describe your solution for further reference, please?

Regards,
Holger

I am not sure it is a solution, but it works for now. In my scenario I have a local install of SAG Designer on my computer, which I use to connect to the Integration Server (IS) where I develop my flows. These flows will call the SOAP service the provider has published on their IS server. Everything is using a secure connection with unique usernames/passwords.

Terminology:

  • consumer IS is the Integration Server containing the consumer web service
  • provider IS is the Integration Server containing the provider web service

Running SAG Designer locally on computer/desktop:

  1. Get the public key from the consumer and provider Integration Servers.
    a. Unclear why a local instance of Designer required the provider’s IS public key, but it was necessary.
  2. Create the keystore and import the certificates:
       keytool -importcert -trustcacerts -keystore mystore.jks -file provider_isserver_pubcert.pem -storepass {password}
    a. Repeat for the second certificate. When there are 2 or more certificates, use an alias.
    b. To check the keystore:
       keytool -list -keystore mystore.jks -v
  3. Add the following 2 lines to ~\Designer\eclipse\configuration\config.ini:
       javax.net.ssl.trustStore=C\:\\keystore\\mystore.jks
       javax.net.ssl.trustStoreType=JKS

Since the consumer web service needs to communicate via a secure (HTTPS) connection, it was necessary to add the provider’s public certificate to the consumer IS keystore. I had access to the on-prem provider server, so I just took the JKS files for both keystore and truststore and added them to my consumer IS keystore. This is not usually how it would work, but it was a unique situation. Normally one would get a public key and then it would be added to the keystore of the server.

After getting the keystore in place I needed to create a web service alias on the consumer IS. This will be used in the SAG Designer WSD Binders Port Alias. Keep in mind the Transport should be HTTPS, otherwise it will not show the web service alias created in IS, from what I have seen.

That is about it. I have other questions, but for now this is what works for me in the development environment. If someone wants to have all developers working on the same server, SAG Designer supports this also. Add the following line to the config.ini in ~\Designer\eclipse\configuration:
       osgi.configuration.area=$user.home$/.eclipse/Designer_103

Unclear why a local instance of Designer required provider’s IS public

That’s because the local IS (your WSC) needs to validate the WSP’s certificate, since the WS consumption is being done using HTTPS; and by design, HTTPS connections can only be established when the “client” can confirm that the certificate provided by the server is valid (I’m aware that there are some switches [in some frameworks] to work around the restriction). Such validation is done using the public keys stored in the trust keystore on the WSC. An analogy: your browser can access a site over HTTPS because the site’s certificate CA is already available in your Windows trust store.

took the JKS files for both keystore and truststore

Allow me to share some past experience:

  • (not sure on which IS version, perhaps 9.6?) I had to import all the certificates from the certificate’s “certification path” into the trust store (e.g. suppose a certificate signed by an intermediate certificate authority (ICA), and this ICA is signed by a CA; by “all the certificates from the certificate’s certification path” I’m referring to all these 3 certificates).
  • However, more recently, using 10.3, I only had to import the root CA’s certificate and the connection worked (albeit this was done to consume a REST service, but it was over an HTTPS connection and, therefore, the same mechanism applies).

I am running 10.3. Just to get clarification on what a WSC is: if there are 2 Integration Servers, with one containing the provider WSD (WSP) and the other server containing the consumer WSD (WSC), then the WSC needs to have the WSP public cert added to its keystore.

The SAG Designer, which is not running on the Integration Server for WSP nor WSC, just on a local desktop, is a client to the Integration Server for WSC. Wouldn’t it only need the cert for WSC, as it connects via HTTPS? The actual execution is initiated on the Integration Server of WSC for WSP, not the local desktop.

In summary, the Designer, a client to the Integration Server, is requiring the cert for both the provider and consumer Integration Servers, where I would have thought it only needs the consumer’s to satisfy its connection to it. It has been a number of years, but I don’t recall the WebSphere Message Broker toolkit needing both certs when it is only a client to the broker.

Either way, it works and I am moving forward (somewhat) on the newly built environments. Unlike before, it’s more secure and consistent across the board.

Hi,

just some additional points:

When WSC invokes the service on the WSP over HTTPS, it only needs to know the CAs of the certificate, not the certificate itself. CAs are either stored in the cacerts file of the JVM or in the central truststore of the IS.
It is possible to create additional truststores (aliases) for specific connections.

Designer will only require the certs (and CAs) of WSC and WSP when importing the WSDs from them over HTTPS or when executing the services locally, but not for invocation from WSC to WSP (even when initiated from Designer for some reason).

Regards,
Holger
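Added example, not from this thread or from Software AG: a Python 3 script that builds a constructed root CA and server certificate with the openssl command line and runs a loopback TLS handshake twice, once with an empty truststore (the client fails the way Chris’s Designer did; OpenSSL’s counterpart of the PKIX error) and once trusting only the root CA, which succeeds even though the server’s own certificate was never imported, which is Holger’s point above. It assumes the openssl CLI is on PATH; all names, keys and certificates are constructed on the fly.

```python
import os, socket, ssl, subprocess, tempfile, threading

run = lambda *a: subprocess.run(a, check=True, capture_output=True)  # openssl CLI wrapper
CONF = "[req]\ndistinguished_name = dn\n[dn]\n" \
       "[ca_ext]\nbasicConstraints = critical, CA:TRUE\n[srv_ext]\nsubjectAltName = DNS:localhost\n"

def make_pki(d):
    """Constructed test PKI: a root CA and a server cert it signs (stand-in for the WSP)."""
    p = lambda name: os.path.join(d, name)
    open(p("ext.cnf"), "w").write(CONF)
    for name, cn in (("ca", "Example Root CA"), ("srv", "localhost")):  # keys and CSRs
        run("openssl", "req", "-new", "-config", p("ext.cnf"), "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=" + cn, "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
    run("openssl", "x509", "-req", "-days", "1", "-in", p("ca.csr"), "-signkey", p("ca.key"),
        "-extfile", p("ext.cnf"), "-extensions", "ca_ext", "-out", p("ca.pem"))
    run("openssl", "x509", "-req", "-days", "1", "-in", p("srv.csr"), "-CA", p("ca.pem"), "-CAkey",
        p("ca.key"), "-CAcreateserial", "-extfile", p("ext.cnf"), "-extensions", "srv_ext",
        "-out", p("srv.pem"))
    return p("ca.pem"), p("srv.pem"), p("srv.key")

def handshake_ok(srv_pem, srv_key, trusted_pem=None):
    """One TLS handshake against a loopback server; True if the client accepted the server's chain."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(srv_pem, srv_key)
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    def serve():
        conn, _ = lsock.accept()
        try:
            with sctx.wrap_socket(conn, server_side=True) as s:
                s.recv(1)
        except (ssl.SSLError, OSError):
            pass  # client aborted the handshake: expected when it does not trust our CA
    t = threading.Thread(target=serve); t.start()
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check are on
    if trusted_pem:
        cctx.load_verify_locations(trusted_pem)  # the client's truststore: the CA only, not the leaf
    try:
        with socket.create_connection(("127.0.0.1", lsock.getsockname()[1])) as raw, \
                cctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")
            return True
    except ssl.SSLCertVerificationError:  # OpenSSL's counterpart of "PKIX path building failed"
        return False
    finally:
        t.join(); lsock.close()

def demo():
    """(handshake with an empty truststore, handshake trusting only the root CA) -> (False, True)"""
    with tempfile.TemporaryDirectory() as d:
        ca_pem, srv_pem, srv_key = make_pki(d)
        return handshake_ok(srv_pem, srv_key), handshake_ok(srv_pem, srv_key, ca_pem)
```

The same two outcomes are what a JVM reports for Designer or the WSC: without the CA in the truststore named by javax.net.ssl.trustStore the path cannot be built; with the CA alone it can.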
