I am trying to set up an HTTPS port that only allows clients with a specific certificate to execute a REST web service. This will only be used internally (within our network), so I am trying to use self-signed certs.
I can set up the HTTPS port (8080) and set it to require certs; what I don’t understand is what to set up in the Listener Specific Credentials. If I set this as PrivateKeyStore, key alias for IS server and PrivateTrustStore, just like the RG setup is defined, where PrivateKeyStore contains certs for the IS server and RG server, it doesn’t work. When I use my PublicKeyStore and PublicTrustStore it allows anyone to connect, regardless of whether the system (from the browser) has a certificate installed or not.
I don’t entirely understand SSL connections but what am I doing wrong here?
Thanks for your help.
Did you open this port in RG and link it with the internal IS port with certs?
Do you see any debug information in the logs when SSL security logging is enabled?
No this port is not open or used for RG communications, the new port just has the same Listener specific credentials as RG port 8443.
Security Logger is on and includes SSL, but I never saw any messages other than port up and down. I tried changing several “Integration Server” logger settings from Info to Debug, but again either I didn’t change the right one or it is not getting this far, because the server logs didn’t show any more details either.
We are on 8.2 btw.
Instead of selecting all IS logging can you select specifics like HTTP/S listener to debug etc…
But still I am not sure whether the behaviour you are seeing is as expected by default, or something is missing in the design itself, or it is a configuration issue.
I believe you must have restarted all the related servers after the ports/certs configuration?
Can you not set up the default Administrator port (5555) to use HTTPS and certificates instead of ID and password? This is essentially what I am trying to accomplish, so that only certain users or systems can access the REST service (_get) from a particular port.
All systems restarted, several times. I didn’t select debug on all IS logging, only components that seem to relate to HTTPS or SSL, but I never saw any additional logging.
I don’t think I am getting to the point of IS logging as the browser where I am testing this from behaves differently and returns data (sometimes) based on port setup.
I think the problem is occurring with the initial challenge/response, which should all be occurring at TCP level, correct?
But you cannot use 5555 as HTTPS…start with using default HTTPS port 443 and test it.
Back to your original requirement: allow a client with a self-signed cert to access a specific service.
- set up an HTTPS port, with the “require client cert” setting, with the “deny by default” mode setting, and only allow the service you want to expose.
- create an ACL group, and a user just for this service, assign to it
- load the self-signed cert as a client cert, map the user you just created to this cert
- also load the self-signed cert into the trust store of the server (or the one used by this port)
Hope this works for you.
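The steps above hinge on which trust store the listener consults: a client cert is accepted only when its issuer (for a self-signed cert, the cert itself) is in that trust store. The script below is an added example, not code from this thread or from Integration Server; it uses only the openssl CLI to build a server cert, an approved client cert and an unapproved one, then checks each against two trust stores. All names, subjects and paths are constructed, and the PEM files it produces would still have to be imported into the IS key store and trust store separately, which is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: builds three self-signed certs with the
# openssl CLI and shows that a client cert verifies only against a trust store
# that actually contains it. All names and paths are constructed; nothing here
# touches Integration Server itself.
set -e

# Scratch directory for the generated PEM files (constructed path).
WORK="${WORK:-$(mktemp -d)}"

# make_self_signed NAME SUBJECT: self-signed cert plus private key, no passphrase.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# verify_against TRUSTSTORE CERT: 0 if CERT chains to an anchor in TRUSTSTORE,
# non-zero otherwise. This is the check a "require client cert" listener makes
# before any user mapping or ACL is consulted.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# subject_of CERT: the subject DN, e.g. "CN=rest-client". This is the identity
# you bind to the dedicated IS user in the "map the user to this cert" step.
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=[[:space:]]*//'
}

# The server's own identity (belongs in the listener's key store).
make_self_signed server   "/CN=is-server.example.internal"
# The one client we intend to let in.
make_self_signed client   "/CN=rest-client"
# A client with a perfectly valid cert that was never approved.
make_self_signed stranger "/CN=unapproved-client"

# Listener trust store: only the approved client cert. The server's own cert
# does not belong here; it lives in the key store.
cat "$WORK/client.pem" > "$WORK/truststore.pem"

# A trust store that has accumulated every cert ever seen admits all of them,
# which is one way a listener ends up accepting clients it should not.
cat "$WORK/client.pem" "$WORK/stranger.pem" > "$WORK/permissive-truststore.pem"

if verify_against "$WORK/truststore.pem" "$WORK/client.pem"; then
    echo "approved client accepted: $(subject_of "$WORK/client.pem")"
fi
if ! verify_against "$WORK/truststore.pem" "$WORK/stranger.pem"; then
    echo "stranger rejected: $(subject_of "$WORK/stranger.pem")"
fi
if verify_against "$WORK/permissive-truststore.pem" "$WORK/stranger.pem"; then
    echo "stranger accepted by the permissive trust store; keep it to approved certs only"
fi
```

When testing from a browser, the client cert must be installed in the browser's own store and, on the server side, be exactly the cert in the listener's trust store; if the port accepts connections without any client cert being presented, the "require client cert" setting is not in effect on that port, whatever the trust store contents.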
I have a question regarding the RESTful service on an IS HTTPS port.
Let’s suppose I have an HTTPS port which is working. I have a RESTful PUT service which has been tested by a RESTful client using an HTTP POST.
Now how do I prepare this service to accept https requests only?