Using a server certificate in SOAP integrations

Hello,

Since I don't have the required experience and knowledge for this topic, I would very much appreciate any suggestions or instructions you could provide.

I will start with details about technical environment:

  1. webMethods Integration Server 7.1.3 (we are planning to migrate to a newer version of IS)
  2. Java Version is 1.5.0
  3. OS is Windows Server 2008 R2

The customer has created a SOAP web service provider available on the public WAN, and we got a request to create a workflow (including a SOAP web service consumer) which will consume the customer's WS operations. Since this workflow contains sensitive data, the customer is focused on security and has requested a CSR file from us.

The transport protocol is going to be HTTPS with two-sided authentication, so the client expects a server certificate to check. Afterwards the public key will be placed in the message and checked on the customer side, to validate its sender (our workflow).

Hence the questions:

  1. Are there ready (out-of-the-box) solutions to create a server certificate and, based on that, create the expected CSR file (certificate signing request)?
  2. The customer's certificate could be downloaded and added to the Trust Store, but what about our server certificate? Does it need to be configured as a WSS Handler in the SOAP WS Consumer Descriptor?

Hi Aleksandrs,

please make sure that you have the latest fixes applied (at least IS-Core-Fix27 and the related SCG-Entrust-Fix/SCG_Security_Fix).
This is necessary for the migration anyway, and it gives you the possibility to disable SSL protocols for both directions.

For the certificates:
1)
Get OpenSSL downloaded (for Windows in your case) and installed.

Create a private key and a CSR for your host.
Your partner should do the same for theirs.

Question: Who will sign these CSRs? Does one of you have a company-specific CA-issuing department?

Check under IS-Admin->Security->Certificates.
There you can specify the private key, the server's signed certificate, the CA (by which the certificate was signed), as well as a directory for additional certificates (like your partner's server certificate and the related CA).
All these certificates should be in DER certificate format. OpenSSL or Windows itself can be used for converting.
Refresh the "Trusted CA Certificates Cache".
Additionally you might have to restart your IS.

Then you configure an HTTPS port on which you will listen to the WS calls from your partner.

There is no need to set any WSS Handlers when only transport security with Basic Authentication is used.

Just one more question about the workflow:
Is this just logic in the IS/ProcessEngine or is this a real workflow using TaskEngine (which resides in MWS)?

Regards,
Holger

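Holger's step 1) and the DER conversion, as an added shell example (not from the original thread or from the product): create the host private key and CSR with OpenSSL, check the CSR, and convert a PEM certificate to DER. The host name, organisation and output directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: create the host private key and CSR described above, check the
# CSR, and convert a PEM certificate to the DER format the IS expects.
# The host name, organisation and output directory are assumed placeholders.

# gen_key_and_csr HOST OUTDIR
# Writes OUTDIR/HOST.key (RSA 2048, PEM) and OUTDIR/HOST.csr; the CSR carries
# the host name as CN and as a DNS SAN so the signed cert matches the host.
gen_key_and_csr() {
  host="$1"; out="$2"
  mkdir -p "$out"
  openssl genrsa -out "$out/$host.key" 2048 2>/dev/null
  chmod 600 "$out/$host.key"          # the private key never leaves this host
  # Request config in a file so it works on old and new OpenSSL versions
  cat > "$out/$host.req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = LV
O = Example Org
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -new -key "$out/$host.key" -config "$out/$host.req.cnf" \
    -out "$out/$host.csr"
  # The CSR must verify against its own public key before it is sent for signing
  openssl req -in "$out/$host.csr" -noout -verify >/dev/null 2>&1
}

# csr_cn CSRFILE: print the CN from the CSR subject (check it is the host name)
csr_cn() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# pem_cert_to_der PEMFILE DERFILE: convert a PEM certificate (your signed server
# cert, the partner's cert or a CA cert) to DER for IS-Admin->Security->Certificates
pem_cert_to_der() {
  openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# Usage (uncomment to run):
# gen_key_and_csr ws.example.invalid ./certs && csr_cn ./certs/ws.example.invalid.csr
```

The generated .csr is what you hand to the signing CA; the .key stays on the IS host and is what you enter as the private key under Security->Certificates.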

Hello Holger,

Many thanks for your answer on such short notice. Regarding signing, it is still to be discussed.
Regarding the HTTPS port, I'm afraid that the customer is going to use the standard port for HTTPS, 443. Configuring this port will probably affect other WS consumers which are already using this certificate, or maybe I'm wrong due to my lack of experience in this area.

This logic is implemented as usual flow code: the file gets converted and in specific scenarios the WS is called.

Kind Regards,
Aleksandrs.

Hi Aleksandrs,

if the IS is to be the WS provider, you can define any port you want and tell the partner which one it is.

For Unix it should be greater than 1024 so that it can be initialized without being root.

If your partner is the WS provider, you can just connect to their server using port 443.

The certificate is not specific to the port being used, but it should match the host name (or the related alias) of the host you are connecting to.

You and your partner will need at least 2 server certificates, one for each side.
If it comes to client authentication based on certificates instead of username/password, there might be additional client certificates involved.

Regards,
Holger


Hi Holger,

Thanks, it makes more sense now that I could use the Web Service Endpoint Alias for our SOAP web service consumer.
I assume that there will be user/password authentication together with the required two-sided certificate authentication.

I will keep you updated.

Kind Regards,
Aleksandrs