SSL configuration on Integration server

Hi Team,

We are implementing SSL configuration on the Integration Server. As part of this implementation, we have followed the steps below:
1) Generated self-signed certs (private key + public certificate in P12 for the keystore, public key in JKS for the truststore)
2) Configured the keystore and truststore generated in step 1 on the Integration Server
3) Configured the port settings with the client authentication mechanism set to “require client cert” and enabled the port with “allow by default”. Port settings attached.
4) Before we go on to the actual implementation, we wanted to test with a browser (IE) as the client. So we imported the public key into the browser.
5) Now, after all the above configuration, we are trying to hit the Integration Server URL from the browser, but we are unable to access the Integration Server GUI. We are seeing the error in the attached screenshot.

Could you please help us resolve this issue? I can share the steps we used to generate the self-signed certs if required.

Quick response is highly appreciated. :slight_smile:

Regards,
Balaji.J


Hi Balaji,

you are hitting a misconfiguration on your IS.

When selecting Client certificates this means that the certificate is used for authentication instead of user/password.

Just configure the certificates under Security -> Certificates as SSL certificates.
This enables the SSL encryption for the HTTPS port.

Remember to restart the IS once after the certificates have been added or exchanged (e.g. in the case of expiration) to activate them.

Reset the port to authentication type “user/password” and try again.

Regards,
Holger

Hi Holger,

Thanks for your prompt response.

Here my browser is acting as the client, so in this case which certificates do you want me to configure under Security on the Integration Server? I have imported the Integration Server's public certificate into the browser for accessing the IS port. So do you want me to configure the same public certificate on IS under Security -> Certificates as SSL certificates (which is nothing but adding the public certificate of the Integration Server itself)? Please confirm this approach.

Also, our requirement is to implement the authentication mechanism as “Require client certificate”, not username/password.

I am going to implement the above approach and get back to you. Thanks a lot for your support.

Regards,
Balaji.J

Hi,

your port configuration is correct. You have to do the following things as well:

  1. Generate a key pair for the client.
  2. Import the key pair into the browser; this key will be used for authentication.
  3. Export the leaf certificate from the key pair and do the user certificate mapping on IS.

Regards,
Naga.

Hi,

when configuring the port like this, the server certificate is only available for this particular port.

When it is configured under Certificates -> SSL certificates, it is available for all configured HTTPS ports.

This might be important when making HTTPS outbound calls without setting up the certificate chain explicitly in the flow service.

When using client-cert auth there should be an additional certificate for the user/client, as Naga has described.

See the Integration Server Administrator's Guide for further information:

  • Chapter 7 (Configuring Ports, Section HTTPS Ports)
  • Chapter 16 (Securing Communications)
  • Chapter 18 (Authenticating Clients)

Please note that the chapter numbering refers to the 9.5 SP1 version of the Guide.

Regards,
Holger

Thanks Holger and Naga.

After doing the configuration below, I am able to access the IS GUI with the port configured as “required client cert”:

1) Imported the key pair into the browser
2) Configured the certificates under Security as suggested by Holger (imported the leaf certificate of the above key pair with the Administrator user assigned)

But I have not generated a separate key pair for my browser configuration; instead I used the key pair (P12 cert) generated for IS.
After the above configuration, I am able to access the IS GUI. Thanks guys for your inputs.

I have ended up with one more query after the above setup.
Scenario: Let's say I have 2 IS (IS1 as a client, IS2 as a server). Both IS1 and IS2 are configured with separate keystore and truststore configurations. So now IS1 is making a web service call to IS2 (the port is SSL configured). In this case, is just configuring the IS1 leaf certificate at IS2 enough to have this communication? In addition to this, do I need to import the IS2 leaf certificate into the truststore of IS1?

Please confirm on this.

Regards,
Balaji.J

Hi Balaji,

as this is two-way SSL authentication, you need to do the following:

  1. Add the IS1 CA (certificate authority) to the IS2 truststore.
  2. Add the IS2 CA (certificate authority) to the IS1 truststore.

If your keystore is a self-signed one, then instead of the CA you can upload the leaf cert to the truststore.

After the above tasks, you need to reload the truststore alias and restart the ports if required.

Regards,
Naga
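
As an added, runnable example that is not part of the thread (my own script, not webMethods' or any poster's), the following POSIX shell script uses openssl to build the material from Naga's two replies: a separate key pair for the client and for the server, the PKCS#12 bundle that a browser import or an IS keystore alias takes, the leaf certificate pulled back out of it for the user mapping, and truststores that hold the peer's CA (or, for the self-signed case, the peer's leaf itself), checked in both directions with `openssl verify`. Hostnames, subjects, file names and the passphrase are assumptions, and a PEM bundle stands in for the JKS truststore.

```shell
#!/bin/sh
# Added example for this thread (not from any post or from webMethods): builds
# the certificate material discussed above with openssl and checks the trust
# relationships with `openssl verify`. Hostnames, subjects, file names and the
# passphrase are assumptions; a PEM bundle stands in for a JKS truststore.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"                     # assumed PKCS#12 passphrase

# Minimal config so the run does not depend on the system openssl.cnf.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:is2.example.internal
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[self_ext]
extendedKeyUsage = clientAuth
EOF

# Self-signed certificate: $1 = file prefix, $2 = CN, $3 = extension section.
self_signed() {
  openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -extensions "$3" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# CA-signed leaf: $1 = prefix, $2 = CN, $3 = issuing CA prefix, $4 = ext section.
issue_leaf() {
  openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$4" \
    -out "$WORK/$1.pem" 2>/dev/null
}
# PKCS#12 = private key + leaf + issuing CA: the IS keystore entry, or the file
# the browser imports. $1 = prefix, $2 = CA prefix. (OpenSSL 3 writes a
# PBKDF2/AES file; add -legacy if an old JVM rejects it.)
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -certfile "$WORK/$2.pem" -name "$1" -passout "pass:$PASS" -out "$WORK/$1.p12"
}
# The leaf pulled back out of the PKCS#12: this, never the private key, is
# what gets mapped to a user under Security -> Certificates.
leaf_from_p12() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -out "$WORK/$1.leaf.pem"
  openssl x509 -in "$WORK/$1.leaf.pem" -noout -subject -fingerprint -sha256
}
# Does truststore $2 accept peer certificate $1? Parses "<file>: OK" rather
# than trusting the exit code, which old openssl builds returned wrongly.
trusts() {
  openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

setup_pki() {
  self_signed ca-is1 "Example IS1 CA" ca_ext      # one private CA per IS
  self_signed ca-is2 "Example IS2 CA" ca_ext
  issue_leaf is1 is1.example.internal ca-is1 client_ext   # IS1 = client
  issue_leaf is2 is2.example.internal ca-is2 server_ext   # IS2 = server
  bundle_p12 is1 ca-is1
  bundle_p12 is2 ca-is2
  leaf_from_p12 is1
  cat "$WORK/ca-is1.pem" >"$WORK/is2-truststore.pem"   # IS2 trusts IS1's CA
  cat "$WORK/ca-is2.pem" >"$WORK/is1-truststore.pem"   # IS1 trusts IS2's CA
  self_signed is1-self is1.example.internal self_ext   # self-signed variant
}

# Two-way SSL: IS2 accepts IS1's client cert, IS1 accepts IS2's server cert.
check_two_way() {
  trusts "$WORK/is1.leaf.pem" "$WORK/is2-truststore.pem" &&
    trusts "$WORK/is2.pem" "$WORK/is1-truststore.pem"
}
# Only IS1's CA in a truststore says nothing about IS2's cert: step 2 of the
# reply above (IS2's CA into IS1's truststore) is not optional.
check_one_way_is_not_enough() { ! trusts "$WORK/is2.pem" "$WORK/is2-truststore.pem"; }
# Self-signed case: the leaf itself is the trust anchor in the peer's store...
check_self_signed_leaf_anchor() { trusts "$WORK/is1-self.pem" "$WORK/is1-self.pem"; }
# ...and no CA can stand in for it.
check_self_signed_not_under_ca() { ! trusts "$WORK/is1-self.pem" "$WORK/ca-is1.pem"; }

setup_pki
for c in check_two_way check_one_way_is_not_enough \
         check_self_signed_leaf_anchor check_self_signed_not_under_ca; do
  if "$c"; then echo "OK    $c"; else echo "FAIL  $c"; fi
done
echo "artefacts in $WORK"
```

Run it with `sh` and inspect the directory it prints. The `.p12` files are what a keystore alias on IS, or the browser's certificate import, consumes; the `*-truststore.pem` files hold what the thread puts into the JKS truststore, and `keytool -importcert -alias is2ca -file ca-is2.pem -keystore is1-truststore.jks` would load the same PEM. The two negative checks are the point of Naga's last reply: trust is established per direction, so each side's truststore needs the other side's issuer, and a self-signed peer can only be anchored by its exact leaf.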