BW6.X - BWCE - Security - How to implement Mutual Authentication (two-way SSL) in BusinessWorks and BusinessWorks Container Edition


    The goal of this article is to explain how to set up an HTTPS configuration with Mutual Authentication (two-way SSL, also called mutual TLS) in BusinessWorks.

    The article covers both the server-side implementation (exposing a service) and the client-side implementation (calling a service) in BusinessWorks.

    Overall architecture

    The following diagram shows the server and client components with their respective keystore and truststore files and the contents of each file.

    1*PmyMsrg7uGQlv2AirO46tw.png

    Note that the above solution can be simplified by using, on each side (server and client), a single Keystore file that holds both the private key and the trusted public certificates. Keeping the two files separate has the advantage that the Truststore (public material only) can be distributed and updated independently of the file that holds the private key.

    1*O-pTs6r1nRr98wTzqKwZvA.png

    ### Server Implementation

    Pre-requisites

    To set-up a server HTTPS configuration with Mutual Authentication you need the following elements:

    . The server private key stored in a Keystore file
    . The Keystore file password
    . The private key alias
    . The private key password
    . The client public certificates (or the CA certificate that issued them) stored in a Truststore file; a client certificate is accepted when it chains to a certificate present in the Truststore
    . The Truststore file password

    Example of a Keystore file containing a private key, seen in the KeyStore Explorer tool:

    1*G6-iXqd4d8eMdEvdEYfP4w.png

    In the screenshot above you can see that the private key alias is ‘myservice’.

    The private key entry also carries its certificate chain (the public certificates associated with the key), which is what the server sends to clients during the TLS handshake.

    1*0aByjv_6UXzaxPOv8b406Q.png

    Details of the private key entry showing its certificate chain (two certificates in this example).

    Set-up of the BusinessWorks configuration

    Assuming that the configuration exposing the REST API or the Service over plain HTTP is already set up, the following actions need to be completed to change the configuration to HTTPS with Mutual Authentication:

    #1 In the HTTP Connector resource check the Confidentiality option

    1*s9yjhEnJeUOOunfoKQaflg.png

    #2 Click on the button to select or create an SSL Server Configuration

    1*VxKtKUlGn3M6_Bva9Web7g.png

    #3 Click on Create shared resource (or select an existing resource)

    1*utKgbMd4HRPrRrfqaMbyIg.png

    #4 Enter a name for the new SSL Server resource and click Finish (if creating a new resource)

    1*jKNKArZlJhqQJSaykoP6Sg.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #5 In the SSL Server Resource click the button to select or create an Identity Store Provider (pointing to the Server KeyStore file)

    1*QUH6i6rqGEYfi16SP5VZ6w.png

    #6 Click on Create Shared Resource (or select an existing resource)

    1*5uWO2BEoOmT3IQlKaNHRHA.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #7 Configure the Key Store provider (pointing to the Server KeyStore file)

    Select the Provider (SUN is the default value when nothing is selected), enter the path to the server KeyStore file and the server KeyStore file password (these values should be managed using properties so that no path or password is hard-coded in the project and they can be set per environment). You may also need to adjust the Keystore type (for example JKS or PKCS12, matching the file you created).

    Note that by default BusinessWorks tries to refresh KeyStore files every hour; this allows a KeyStore to be updated without downtime (useful to manage certificate expiry).

    1*RyaDn80Cs7A8A2rCWpNo5w.png

    #8 Enable Mutual Authentication and create a KeyStore provider for the TrustStore (pointing to the server TrustStore file)

    Check the ‘Enable Mutual Authentication’ option and set ‘Client Auth Type’ to ‘required’.

    Important note: setting ‘Client Auth Type’ to ‘optional’ is only valid for testing purposes. With ‘optional’ the server asks for a client certificate but still accepts connections from clients that do not present one, so Mutual Authentication is not enforced. Only ‘required’ makes the server reject connections without a valid client certificate.

    Then click the button to select or create a Trust Store Provider.

    1*fX5_0b_Y8kgdbC-BGYnmJg.png

    #9 Click on Create Shared Resource (or select an existing resource)

    1*YjpWRJsh-YwC0mHcEyufbA.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #10 Configure the KeyStore provider for the Trust Store (pointing to the server TrustStore file)

    Select the Provider (SUN is the default value when nothing is selected), enter the path to the server TrustStore file and the server TrustStore file password (these values should be managed using properties). You may also need to adjust the Keystore type.

    Note that by default BusinessWorks tries to refresh KeyStore files every hour; this allows a TrustStore to be updated without downtime (useful to manage certificate expiry and to add or remove trusted clients).

    1*3G8dLyXAFQheQxL3uznIjA.png

    #11 Complete the configuration of the SSL Server resource

    Enter the Key Alias name and Key password (these values should be managed using properties). The Key password protects the private key entry and can differ from the KeyStore file password entered in the Identity Store Provider.

    1*IZyP6f89aiibreY5L_txZg.png

    Note: depending on the security requirements you have to meet, you may need to adjust some of the parameters present in the ‘Advanced SSL Server Configuration’ section (for example the enabled TLS protocol versions and cipher suites).

    #12 Save your project and check the configuration

    The HTTP connector resource should look like this :

    1*OGFs3jyY3wDmIj4ubkI45A.png

    The SSL Server resource Configuration should look like this:

    1*sCY_tSFofs3tkLWhAnPi7Q.png

    The configuration of the KeyStore provider resource for the server KeyStore should look like this:

    1*pdJWZCnEQNNeswpk0xwWag.png

    The configuration of the KeyStore Provider resource for the server Truststore should look like this :

    1*xXVZiJO9EG3OMTwX6-A5sQ.png

    ### Client implementation

    Pre-requisites

    To set-up a client HTTPS configuration with Mutual Authentication you need the following elements:

    . The client private key stored in a Keystore file
    . The Keystore file password
    . The private key alias
    . The private key password
    . The server public certificates (or the CA certificate that issued them) stored in a Truststore file
    . The Truststore file password

    Set-up of the BusinessWorks configuration

    Assuming that the configuration calling the REST API or the Service over plain HTTP is already set up, the following actions need to be completed to change the configuration to HTTPS with Mutual Authentication:

    #1 In the HTTP Client resource check the Confidentiality option

    1*IN2uiG7aZqHONCgJdgqtTA.png

    #2 Click on the button to select or create an SSL Client Configuration

    1*pazo78yE0n8ZicizUNbV1A.png

    #3 Click on Create shared resource (or select an existing resource)

    1*utKgbMd4HRPrRrfqaMbyIg.png

    #4 Enter a name for the new SSL Client resource and click Finish (if creating a new resource)

    1*Tfy1pTWPyH_bU7mkgXOLxw.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #5 In the SSL Client Resource click the button to select or create a Key Store Provider for the client TrustStore (pointing to the Client TrustStore file)

    1*MNJb5DROORJ6w7WLD2PVeg.png

    #6 Click on Create Shared Resource (or select an existing resource)

    1*5uWO2BEoOmT3IQlKaNHRHA.png
    1*AWt6UhPVqQqGZswkICaxVA.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #7 Configure the KeyStore provider for the client TrustStore (pointing to the Client TrustStore file)

    Select the Provider (SUN is the default value when nothing is selected), enter the path to the client TrustStore file and the client TrustStore file password (these values should be managed using properties). You may also need to adjust the Keystore type.

    Note that by default BusinessWorks tries to refresh KeyStore files every hour; this allows a TrustStore to be updated without downtime (useful to manage certificate expiry).

    1*EPL86tLZJGNOaGqnzMdNvg.png

    #8 Enable Mutual Authentication and create an Identity Store provider (pointing to the Client KeyStore file)

    Check the ‘Enable Mutual Authentication’ option.
    Then click the button to select or create an Identity Store Provider.

    1*y37Exts9YwfYB_8qjQH_DA.png

    #9 Click on Create Shared Resource (or select an existing resource)

    1*ueZ5z-HygEwp9FiiIvaD3A.png

    If you create a new resource you can select to use the suggested name or enter a new one.

    #10 Configure the Identity Store provider (pointing to the Client KeyStore file)

    Select the Provider (SUN is the default value when nothing is selected), enter the path to the client KeyStore file and the client KeyStore file password (these values should be managed using properties). You may also need to adjust the Keystore type.

    Note that by default BusinessWorks tries to refresh KeyStore files every hour; this allows a KeyStore to be updated without downtime (useful to manage certificate expiry).

    1*Maq3GBr2IP0ZHEn2RocM0g.png

    #11 Complete the configuration of the SSL Client resource

    Enter the Key Alias name and Key password (these values should be managed using properties). The alias identifies which private key entry of the client KeyStore is presented to the server.

    1*vWThn-fdRKTpv30JP1-Ofw.png

    Note: depending on the security requirements you have to meet, you may need to adjust some of the parameters present in the ‘Advanced SSL Client Configuration’ section. In particular, keep server hostname verification enabled in production: without it the client only checks that the server certificate chains to the TrustStore, not that it was issued for the host being called.

    #12 Save your project and check the configuration

    The HTTP client resource should look like this :

    1*d60y0fckhnettzKLbO2bHg.png

    The SSL Client resource Configuration should look like this:

    1*ZU8GiJK-rpGhmFguwMddbw.png

    The configuration of the KeyStore provider resource for the client KeyStore should look like this:

    1*CkPa_nWe3QiXg_eTe-T00A.png

    The configuration of the KeyStore provider resource for the client TrustStore should look like this:

    1*Fpbb1PzhH2jdXNX8yYBBDQ.png

    Useful elements

    To write this article I used a set of sample Keystore files available at the following URL (download the x.509-sample-keys-and-certificates.zip file):
    https://www.swview.org/blog/sample-x509-certificate-collection-publicprivate-keys-java

    Article explaining how to access a REST API or a Service exposed over HTTPS using one-way SSL:
    https://community.tibco.com/articles/tibco-activematrix-businessworks/bw6x-bwce-security-how-to-configure-an-http-client-connection-to-access-a-rest-api-or-web-services-exposed-over-https-in-businessworks-6x-and-businessworks-container-edition-r3387/

    Article explaining how to expose a REST API or a Service over HTTPS using one-way SSL:
    https://community.tibco.com/articles/tibco-activematrix-businessworks/bw6x-bwce-security-how-to-expose-an-api-or-a-service-in-https-in-businessworks-and-businessworks-container-edition-r3397/

    Article explaining how to debug SSL / TLS configuration in BusinessWorks :
    https://community.tibco.com/articles/tibco-activematrix-businessworks/bw6x-bwce-how-to-debug-ssltls-connections-in-businessworks-and-businessworks-container-edition-r3392/

    Additional elements

    You can also refer to the attached sample project

    HTTPSTwoWaySSLDemo.zip

