Introduction:
Universal Messaging (UM) supports two-way SSL authentication: UM authenticates itself to Integration Server (IS) with its server certificate and requires IS to authenticate itself with a client certificate. This article details the steps to create the two-way SSL connection alias and to publish and subscribe messages using webMethods Integration Server.
Prerequisites
- Generate the server key, certificate, keystore and truststore files with OpenSSL and keytool using the following commands (the client-cert import needs diagclientCA.pem, which the client steps below produce, so generate the client certificate first or run that import afterwards):
* openssl genrsa -out diagserverCA.key 2048
* openssl req -x509 -new -nodes -key diagserverCA.key -sha256 -days 1024 -out diagserverCA.pem
* openssl pkcs12 -export -name server-cert -in diagserverCA.pem -inkey diagserverCA.key -out serverkeystore.p12
* keytool -importkeystore -destkeystore server.keystore -srckeystore serverkeystore.p12 -srcstoretype pkcs12 -alias server-cert
* keytool -import -alias client-cert -file diagclientCA.pem -keystore server.truststore
* keytool -import -alias server-cert -file diagserverCA.pem -keystore server.truststore
- Generate the client key, certificate, keystore and truststore files with OpenSSL and keytool using the following commands:
* openssl genrsa -out diagclientCA.key 2048
* openssl req -x509 -new -nodes -key diagclientCA.key -sha256 -days 1024 -out diagclientCA.pem
* openssl pkcs12 -export -name client-cert -in diagclientCA.pem -inkey diagclientCA.key -out clientkeystore.p12
* keytool -importkeystore -destkeystore client.keystore -srckeystore clientkeystore.p12 -srcstoretype pkcs12 -alias client-cert
* keytool -import -alias server-cert -file diagserverCA.pem -keystore client.truststore
* keytool -import -alias client-cert -file diagclientCA.pem -keystore client.truststore
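As an added example (not code from the article, from Software AG or from the products it describes), the following POSIX shell script carries out the prerequisite generation above for both sides and then adds the two checks a practitioner wants before typing file paths into IS and UM: that each certificate verifies against what the peer's truststore will hold, and that a loopback TLS server configured the way UM will be (truststore present, client certificate required) accepts a client presenting the certificate and rejects one that does not. The output directory ./um-tls, the password changeit, the subject CNs and the ports 18883/18884 are assumptions of this example; the keytool steps are skipped when no JDK is on PATH.

```shell
#!/bin/sh
# Added example (not from the original article): generate the same self-signed
# server (UM) and client (IS) material the prerequisites list, then verify it
# before pointing IS and UM at the files. Requires openssl; the keytool steps
# are skipped when no JDK is on PATH. OUT, PASS, the CNs and the port numbers
# are assumptions for this example.
set -e
OUT="${OUT:-./um-tls}"
PASS="${PASS:-changeit}"   # keystore/truststore password (assumed)

# Self-signed key and certificate, as in the article (genrsa + req -x509).
# $1 = base name (diagserverCA or diagclientCA), $2 = CN for the subject
gen_selfsigned() {
  mkdir -p "$OUT"
  openssl genrsa -out "$OUT/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$OUT/$1.key" -sha256 -days 1024 \
    -subj "/CN=$2" -out "$OUT/$1.pem" 2>/dev/null
}

# PKCS12 bundle of own key+cert, then JKS keystore and truststore via keytool.
# $1 = role (server|client), $2 = own base name, $3 = peer base name,
# $4 = alias for the peer cert in the truststore.
# The truststore holds the PEER certificate: UM's truststore gets the IS
# client cert, IS's truststore gets the UM server cert.
build_java_stores() {
  openssl pkcs12 -export -name "$1-cert" -in "$OUT/$2.pem" -inkey "$OUT/$2.key" \
    -out "$OUT/$1keystore.p12" -passout "pass:$PASS"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; skipping JKS stores for $1"
    return 0
  fi
  keytool -importkeystore -noprompt -deststoretype JKS \
    -destkeystore "$OUT/$1.keystore" -deststorepass "$PASS" \
    -srckeystore "$OUT/$1keystore.p12" -srcstoretype pkcs12 -srcstorepass "$PASS" \
    -alias "$1-cert"
  keytool -import -noprompt -storetype JKS -alias "$4" -file "$OUT/$3.pem" \
    -keystore "$OUT/$1.truststore" -storepass "$PASS"
}

# Check 1: does certificate $1 verify against the certificate $2 that the
# peer's truststore holds? Returns openssl verify's exit code (0 = OK).
verify_chain() {
  openssl verify -CAfile "$OUT/$2.pem" "$OUT/$1.pem" >/dev/null 2>&1
}

# Check 2: loopback two-way TLS handshake. s_server -Verify plays UM with a
# truststore configured: the client MUST present a certificate. TLS 1.2 is
# forced so a rejected client certificate fails the handshake itself instead
# of arriving as a post-handshake alert. $1 = with-cert | no-cert, $2 = port.
# Returns 0 when the handshake completed, 1 when it was rejected.
handshake() {
  openssl s_server -accept "$2" -www -tls1_2 -quiet \
    -cert "$OUT/diagserverCA.pem" -key "$OUT/diagserverCA.key" \
    -CAfile "$OUT/diagclientCA.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
  srv=$!
  sleep 1
  client_opts=""
  if [ "$1" = "with-cert" ]; then
    client_opts="-cert $OUT/diagclientCA.pem -key $OUT/diagclientCA.key"
  fi
  rc=0
  # shellcheck disable=SC2086  # client_opts is intentionally word-split
  openssl s_client -connect "127.0.0.1:$2" -tls1_2 -CAfile "$OUT/diagserverCA.pem" \
    -verify_return_error $client_opts </dev/null >/dev/null 2>&1 || rc=1
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  return $rc
}

main() {
  gen_selfsigned diagserverCA um.example.internal
  gen_selfsigned diagclientCA is.example.internal
  build_java_stores server diagserverCA diagclientCA client-cert
  build_java_stores client diagclientCA diagserverCA server-cert
  verify_chain diagclientCA diagclientCA && echo "OK: IS client cert verifies against UM truststore contents"
  verify_chain diagserverCA diagserverCA && echo "OK: UM server cert verifies against IS truststore contents"
  if handshake with-cert 18883; then echo "OK: handshake with client cert"; else echo "FAIL: handshake with client cert"; fi
  if handshake no-cert 18884; then echo "FAIL: server accepted a client without a certificate"; else echo "OK: client without certificate rejected"; fi
}
main
```

Run it from any directory; server.keystore and server.truststore are the files for the UM interface, and clientkeystore.p12 and client.truststore are the files for the IS keystore and truststore aliases. The article's server steps also import the server's own certificate into server.truststore; that is harmless but not needed for two-way SSL, which only requires each side to trust the peer's certificate.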
Creating server and client configuration in Integration Server and Universal Messaging
Once the client and server keystore and truststore files have been generated, configure them in IS and UM as shown below.
Configuring Keystore and Truststore alias in Integration Server:
- In webMethods Integration Server, navigate to the Security > Keystore page, click Create keystore alias and enter the following values:
Alias: mqttKeystore
Type: PKCS12
Provider: SUN
Location: full path of the client keystore file (clientkeystore.p12 from the prerequisites)
Password: client keystore password
- Similarly, create the truststore alias by navigating to the Security > Keystore page, clicking Create truststore alias and entering the following values:
Alias: mqttTruststore
Type: JKS
Provider: SUN
Location: full path of the client truststore file (client.truststore from the prerequisites)
Password: client truststore password
Configuring server certificates in webMethods Universal Messaging:
- In Enterprise Manager, navigate to the 'Comms' tab and click the 'Add Interface' button
- Select Type nsps (the SSL variant of the nsp protocol), enter port 8883 and save the changes
- Select the newly added row for port 8883 and navigate to the Certificates sub-tab
- Update the values as follows:
Key store path: full path of the server keystore (server.keystore)
Key store password: server keystore password
Trust store path: full path of the server truststore (server.truststore)
Trust store password: server truststore password
Private key password: server key password
CA store password: server truststore password
Creating and enabling the 2way SSL connection
Verifying publish and Subscribe of messages to the topic on UM using Integration Server
- Launch Designer and connect to Integration Server.
- Create a package named MQTT with a folder MQTT_Test in Designer.
- In the MQTT_Test folder, create a publish flow service that invokes the built-in service pub.mqtt:publish.
- Create another flow service, subscribe, that writes the received message to the Integration Server server log, so the log shows whether the message was successfully subscribed from the MQTT server topic.
- Integration Server subscribes to topics by means of an MQTT trigger. The MQTT trigger receives messages published to the topic on the MQTT server and invokes its trigger service to process them.
- Integration Server uses an MQTT connection alias to connect to the MQTT server. An invocation of pub.mqtt:publish requires the MQTT connection alias to publish the message to the MQTT server. Similarly, an MQTT trigger specifies the MQTT connection alias that identifies the MQTT server from which it retrieves messages and on which it creates its subscriptions.
- Run the publisher service and check the server log for the message received by the subscribe service.