Secure HTTP over SSL (HTTPS) with Client Authentication

Hi,

We have a requirement to invoke external partners synchronous webservice(SOAP) using HTTP over SSL (HTTPS) and also all the communication to be performed with client authentication, or two-way SSL.

Could you please help me with the steps required in the flow service.

Thanks

Please register the certs and key in IS cert store.
You can configure that using “Certificates” section on the IS Admin console.

Restart IS once you have copied all the certs to the cert store and updated the configuration on the above mentioned page. (somehow the refresh cache setting does not work for me)

The you can use the soap api to call the service.

Hi

I also have to set up SSL(2 way specifically) for HTTP calls to a partner. Is it possible to have more detailed explanations about using “Certificates” sectiob that way and also about how to set it properly programmatically(ie using IS services such as setKeyAndChain)?

Best regards.

Roger,

What is the exact issue you are facing any error in the logs with increased logging level for SSL?

Are you not clear on the Certs configuration in the IS and you are trying to send/receive traffic via HTTP/S 443 enabled port?

Also what is your IS version?

HTH,
RMG

Hi

Webmethods version is 8.0. Our partner wants us to be able to send HTTPS request using client authentification (ie 2 way SSL). Being familiar with webmethods in general but not so much with SSL, after a few research I came across the enclosed guide(8-0-SP1_Administering_Integration_Server.pdf) So I figured that performing all the steps labelled with “Required for one-way and two-way SSL connections” should do the trick (I guess). From what I’ve read it seems like I’ll have to set an HTTPS port, which surprises me because I thought HTTPS ports were used in a client/server exchange in which the Integration Server is the server. So far I managed to install an apache server locally, and configure it to use a certificate and also to require a valid certificate chain from the client before accepting a connection (as explained on apache site). I don’t really know what to do next. I am still trying to understand the guide.

Best regards

Hi

I’ve extracted the certificate file from the keystore used in the apache server.
I imported this certificate inside The integration Server (Security > Certificates > Configure Client Certificates) as explained in the guide (http://techcommunity.softwareag.com/ecosystem/documentation/webmethods/wmsuites/wmsuite8_ga/Integration_Server_and_Process_Engine/8-0-SP1_Administering_Integration_Server.pdf).
I associated it with a user. Now When I try to send an HTTPS request to the server via pub.client.http (with the user associated to the certificate)I get the error: java.net.SocketException: Broken pipe. Actually I am not even sure that test is relevant. I’ve worked on the subject for a few days, I am kind of stuck and I start to worry!! I wouldn’t mind a little help.

Thanks in advance

Hi again

If somebody could explain to me how to proceed step by step that would be great!

Thanks

Hi Roger,
For two way SSL authentication you should have your server public and private certificate and your clients public key complete chain (root, intermediate and leaf).
→ If you are using TN then you can configure your server private key on Enterprise profile and client’s and your server certificate on IS → Security → Certificates and map to the users.

→ if you are not using TN then configure keystore and trust store as well.

Hi,

We are trying to post a message using HTTPS . We are getting an error “iaik.security.ssl.SSLException: Server certificate rejected by ChainVerifier” when we tried to deliver.
We maintained the following checklist:

  1. Created self signed certificate and configured the trust store and keystore
  2. Configured the certificates in the Client Certificates page
  3. Configured and mapped the client.http service with URL, method, LoadAs,data and Header as Content-type

Is it necessary to provide the certificates when we are sending the message via HTTPS ? Is there any other configuration needed?

Please advise.

Regards,
Nitin

Hi Nitin,

please share your wM Version.

Please check the receiving server that he can trust your self signed certificate.

This self signed is used as a server certificate in this case.

Additionally make sure that you have a truststore in your IS allowing the certificate of the receiving Server to be trusted by you.

See IS Administration Guide for further informations about securing HTTPS-Connections.

Regards,
Holger

Hi Holger,

Thanks for the quick response.
We are using wM 9.6 on both the systems. We have also used the “setKeyAndChain” service and extracted the keystore information in the pipeline of the posting service, yet i got no change in the error message.

Is there any other configuration that we need to do? Or any other service we need to invoke for the certificate details, since we are using a self signed certificate on both the ends

Thanks in advance
Nitin

Hi,

Though this is a late reply, I am trying to list out the steps that we need to do for configuring mutual SSL on Webmethods, hoping it may be useful for other developers in future. All the below steps are applicable when Integration Server is acting as SSL Server.

i) Obtain the Private Key and Public Key (SSL Certificate) from Certification Authority (CA). You can also generate your own certificates using tools like OpenSSL. (Generating your own certificates may not be a good option in case if the SSL client is an internet facing application like a browser).

ii) Also obtain the certificate of the authority who is providing your SSL certificate (root certificate). (you can do this by opening your SSL certificate in Windows and exporting the root certificates from certificate dialogue).

iii) Generate the Keystore file using the private key and public key (step i) either in JKS or PKCS12 (.pfx) formats using Keytool (which ships with JDK).

iv) Create a Truststore file using the root certificates (obtained in step ii) using the Keytool.

iv) Create Keystore alias in admin console through Security => Keystore => Create Keystore alias selecting the Keystore file which you created in step iii

v) Create Truststore alias in admin console through Security => Keystore => Create Truststore alias selecting the Truststore file which you created in step iv.

vi) For mutual SSL you have to obtain the below certificates from client.
a. Client SSL Certificate
b. Certificate of the CA which is issuing your client certificate

vii) Create a user through Security => User Management granting him the access which he needs to access the resources over SSL link.

viii) Configure your client certificates (obtained in step vi) through Security => Certificates => Configure Client Certificates assigning it to the user which you created in step vii and choosing SSL Authentication in usage.

ix) Create a SSL Port through Security => Port => Add Port => webMethods/HTTPS using the Keystore and Truststore aliases created in the above steps. Choose whether to Deny by Default/Allow by Default based on your requirements. If you choose Deny by Default, you have to add the resources which you want to expose over the port have to be added in the Allow List.

x) Enable the port and share your SSL certificate and the Certificate of your signing CA (root certificate) with your client and you are all set to go…

Hope this helps…

Regards,
Raviteja.