SSL two-way authentication using Universal Messaging

Introduction:

With Universal Messaging, a user can set up two-way SSL authentication: UM authenticates itself to Integration Server with its server certificate and requires IS to authenticate itself with a client certificate. This article details the steps for creating the two-way SSL connection alias and for publishing and subscribing messages using webMethods Integration Server.

Prerequisites

  1. Generate the server key, certificate, keystore and truststore files with OpenSSL and keytool using the following commands:
  • openssl genrsa -out diagserverCA.key 2048
  • openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem
  • openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12
  • keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert
  • keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore
  • keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore
  2. Generate the client key, certificate, keystore and truststore files with OpenSSL and keytool using the following commands:
  • openssl genrsa -out diagclientCA.key 2048
  • openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem
  • openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12
  • keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert
  • keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore
  • keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore

Note that step 1 imports diagclientCA.pem into server.truststore, so generate the client certificate from step 2 before running that keytool command. Each truststore ends up holding the peer's certificate, which is what lets each side verify the other during the two-way handshake.

Creating server and client configuration in Integration Server and Universal Messaging

Once we have generated the client and server keystore files we can configure them in IS and UM as shown below.

Configuring Keystore and Truststore alias in Integration Server:

  • In webMethods Integration Server, navigate to the Security > Keystore page, click Create keystore alias and enter the values below:
    Alias: mqttKeystore
    Type: PKCS12
    Provider: SUN
    Location: Complete path of Client keystore file
    Password: Client Keystore password

  • Similarly, create the truststore alias by navigating to the Security > Keystore page, clicking Create truststore alias and entering the values below:
    Alias: mqttTruststore
    Type: JKS
    Provider: SUN
    Location: Complete path of Client truststore file
    Password: Client truststore password


Configuring server certificates in webMethods Universal Messaging:

  • In Enterprise Manager, navigate to the Comms tab and click the Add Interface button
  • Select Type as nsps, enter port 8883 and save the changes
  • Select the newly added row for port 8883 and open the Certificates sub-tab
  • Update the values as listed below:
    Key store path: Complete path of the server keystore
    Key store password: Server keystore password
    Trust store path: Complete path of the server truststore
    Trust store password: Server truststore password
    Private key password: Key password
    CA store password: Truststore password
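To see what the keystore/truststore pairing from the prerequisites and the nsps settings above actually enforce, here is an added Go example that is not part of this article or of webMethods: it generates two ephemeral self-signed certificates in-process (standing in for diagserverCA.pem and diagclientCA.pem), wires them into a loopback TLS listener configured the way the nsps interface is (server keystore plus a truststore holding only the client certificate), and runs the handshake once with and once without the client certificate. The names um-server and is-client are hypothetical; the loopback listener stands in for the 8883 interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned stands in for "openssl req -x509 -new": a self-signed cert and key for one party.
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// MutualTLS handshakes against a loopback listener set up like the nsps interface; nil means accepted.
func MutualTLS(presentClientCert bool) error {
	server, client := selfSigned("um-server"), selfSigned("is-client") // hypothetical names
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	serverTrust.AddCert(client.Leaf) // server.truststore holds diagclientCA.pem
	clientTrust.AddCert(server.Leaf) // client.truststore holds diagserverCA.pem
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{server}, ClientCAs: serverTrust,
		ClientAuth: tls.RequireAndVerifyClientCert}) // this setting is what makes it two-way
	if err != nil { return err }
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept the one connection and drive its handshake to the end
		c, err := ln.Accept()
		if err == nil { defer c.Close(); err = c.(*tls.Conn).Handshake() }
		verdict <- err
	}()
	cfg := &tls.Config{RootCAs: clientTrust, ServerName: "um-server", MinVersion: tls.VersionTLS12}
	if presentClientCert { cfg.Certificates = []tls.Certificate{client} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return fmt.Errorf("client side: %w", err) }
	defer conn.Close()
	return <-verdict // under TLS 1.3 the client can finish first, so the server's verdict is what counts
}

func main() { fmt.Println(MutualTLS(true), MutualTLS(false)) }
```

The second call is the check worth repeating against a real 8883 interface (for example with openssl s_client and no -cert/-key): a connection without the client certificate must be rejected, otherwise the interface is only one-way SSL.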


Creating and enabling the two-way SSL connection

Verifying publish and subscribe of messages to the topic on UM using Integration Server

  • Launch Designer and connect to Integration Server.
  • Create a package and the folders MQTT and MQTT_Test in Designer.
  • Create a publish flow service in the MQTT_Test folder using the built-in service pub.mqtt:publish.


  • Create another flow service, subscribe, and check the Integration Server log to confirm that the message was successfully received from the MQTT server topic.
  • Integration Server can subscribe to topics by creating an MQTT trigger. The MQTT trigger receives messages published to the topic on the MQTT server and then invokes a trigger service to process the messages.
  • Integration Server uses an MQTT connection alias to create a connection to the MQTT server. An invocation of the pub.mqtt:publish service requires the MQTT connection alias to publish the message to the MQTT server. Similarly, an MQTT trigger specifies the MQTT connection alias that it uses to identify the MQTT server from which it retrieves messages and on which the trigger creates subscriptions.
  • Run the publisher service

Verify the message in the Integration Server log