How to Install SSL certificates in TIBCO ActiveMatrix BusinessWorks? HTTP client/Server?

Table of Contents

• Step 1: Server Certificate.
  • 1.1 Generate Key
  • 1.2 Install key at server side.
• Step 2: Importing the certificate and installing it at client side.
  • 2.1 Import the key
  • 2.2 Install in ActiveMatrix BusinessWorks
• OpenSSL

Step 1: Server Certificate.

1.1 Generate Key

As you own the server, you will have to create a certificate that will uniquely identify your server. To create the certificate you can use a command line utility called 'keytool' which is shipped with the java jdk and jre. The command we'll use is

 keytool -genkey -alias server-alias -keyalg RSA -keypass yourpassword -storepass yourpassword -keystore keystore.jks

short summary of the keytool options used:

After typing in this command, you will be asked questions, and answer accordingly. In the end, your key, called server-alias, will be stored in the repository file, keystore.jks. This entry in keystore.jks will have a public as well as a private key. You now need to publish the public key to the world. Use the following command to extract the public key from the entry which you created earlier.

keytool -export -alias server-alias -storepass yourpassword -file server.cer -keystore keystore.jks

The public key, aka certificate, will be stored in the file named server.cer. You can give this file to anyone who wants to connect to your server.

1.2 Install key at server side.

1.2.1 Identity

You have your public/private key pair with you.

Create an Identity in your TIBCO ActiveMatrix BusinessWorks? project.

Choose type Identity file. Provide URL as path_to your_keystore.jks.

The path "file://X:..." is not valid. You need to add an extra / to make it "file:///X:..".

Give the filetype 'JKS' and password.

Save the identity.

1.2.2 HTTP Connection.

Create an HTTP Connection and use SSL.

Configure SSL with the identity you have created above.

This step does not include instructions to enable client authentication. This is enough for the server side.

Step 2: Import the certificate and install it on the client side.

2.1 Import the key

Get the server.cer from the server authority which is publicly available.

Import the public key into your trust store.

The Trust store is a repository of all trusted certificates at the client side.

Use the command:

keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass yourkeypass -storepass yourstorepass

Here all the values .. ie:  -alias, -keypass, -storepass are local.

You need not have to worry about which values the server authority used while creating the key pair.

As this command succeeds, you will have a public key imported in the local keystore, cacerts.jks.

2.2 Install in ActiveMatrix BusinessWorks

2.2.1 Identity

Create an identity using file cacerts.jks.

2.2.2 Certificate in PEM format

In the BusinessWorks project, import the public certificate using the menu option:

Tools>Trusted Certificates>Import into PEM format.

It is advisable to keep this certificate in a separate folder to skip unnecessary processing.

Create 'HTTP send Request' and use SSL.

In the configuration, provide client identity 2.2.1 and folder name where you saved the certificate in PEM format 2.2.2.

Hope this helps

Refer this link for more details on keytool.

Keytool Tutorial

OpenSSL

In addition to using 'keytool', We can use openssl commands. The openssl program is available for both indows and Linux platforms.

To create identities using openssl you can refer commands below.

Create a private key and certificate signing request attached to that private key.

 openssl req -new -newkey rsa:des3:1024 -keyout (hostkey).pem -out (hostcsr).pem 

This will create a private key file, (hostkey).pem, and its corresponding certificate request file, (hostcsr).pem.

To export the private key to pkcs8 format, the following command will do:

 openssl pkcs8 -topk8 -inform PER -outform DER -in (private.key) -out (private).p8

To create the certificate chain, you need to get the file, (hostcsr).pem, signed by a certification authority. Here we will create our own certification authority and get (hostcsr).pem signed by it. To get an idea of how to create your own Certificate Authority, please refer to the steps at the end of this document. Assuming that we have created our own certification authority, the following command will sign (hostcsr).pem with ca certificate.

 openssl ca -in (hostcsr).pem -out (host_signed.x509).pem

There are various formats available for the publication of certificates. We will use PKCS#12 and PKCS#7.

• PKCS#12 contains information about certificate chains as well as private keys.
• PKCS#7 contains information only about public certificate chains.

To convert (host_signed.x509).pem to PKCS#12 format, use the command:

 openssl pkcs12 -export -in (host_signed.x509).pem -inkey (privkey).pem -out cred.p12

To convert (host_signed.x509).pem to PKCS#7 format, the following command will do.

openssl crl2pkcs7 -nocrl -certfile (host_signed.x509).pem -out (host_signed.x509).p7b

Entities obtained using above commands can be used in installing client and server ssl.

My own certification authority

details of ca are in file /usr/lib/ssl/openssl.cnf

Assume that we want to setup our own ca in directory /home/me/workspace/myca.

create this directory structure.

go to myca - cd /home/me/workspace/myca

create following files and directories in myca

mkdir newcerts

mkdir private (CA private key resides here)

echo 00 > serial (this file keeps sequence number of certificates signed by your CA, the number is incremented every time your CA signs a new certificate)

cat > demoCA/index.txt (database of sign activities, contains information about previously signed certificates by your CA)

create a self signed privatekey and certificate.

openssl req -x509 -days 999 -newkey rsa:des3:1024 -keyout private/cakey.pem -out cacart.pem

Use this ca to sign other certificates.

Every time you want to sign a new certificate you need to come to this directory and issue ca command.

openssl ca -in (path to hostcsr.pem) -out (path to host_signed.x509.pem)

ssl_certificates_0.pptx