How to Implement Two-Way SSL Authentication in a Web Service

Transcription

1 How to Implement Two-Way SSL Authentication in a Web Service 2011 Informatica

2 Abstract You can configure two-way SSL authentication between a web service client and a web service provider. This article explains how to configure the SSL authentication with an Informatica Data Services web service and a soapui web service client. Supported Versions Informatica Data Services Table of Contents Overview HTTPS Public Key Infastructure Components Security in Informatica Data Services Web Services Configuration Tasks Step 1. Create Web Service Provider Keystore File Step 2. Create a Keystore File for the Client Certificate Step 3. Import the Certificates in the Trust Store Step 4. Configure the Data Integration Service for Two-Way Authentication Step 5. Create a Web Service Client with SoapUI Overview When a web service provider or web service client sends data over the network, the data is subject to security risks. To reduce the risks, the web service provider or client must resolve the following security issues: Authentication. Verify the identity of the user transmitting data and the origin of the data. Confidentiality. Prevent third parties from deciphering intercepted data. Data Integrity. Ensure that data is not lost, modified, or destroyed during transmission. To ensure confidentiality and data integrity, you can configure security at the message transport level. Configure a secure connection for the SOAP messages transmitted between the web service provider and the web service client. Use HTTPS to ensure the integrity and confidentiality of SOAP messages and provide point-to-point security. This article describes the following processes: Create a keystore with the keytool utility. Generate a self-signed certificate for a secure Data Integration Service. Generate a web service client certificate using the keytool utility. Import client and server certificates to a trust store. Configure the Data Integration Service for two-way SSL authentication. Use the soapui tool to consume a web service. 2

3 HTTPS Public Key Infastructure Components An HTTPS connection uses a public key infrastructure (PKI) to ensure security for message transfer between the web service provider and the web service client. Typically, PKI includes the following components: Authentication certificate. A digital certificate that a certificate authority (CA) provides to verify and authenticate parties in internet communications. A certificate authority is a trusted, independent third party that issues digital certificates. A keystore contains digital certificates from a CA. A digital certificate can also be a signed certificate that the web service provider generates. Trust store. A file that contains authentication certificates that a client uses to authenticate messages from the web service provider. Client store. A file that contains authentication certificates that a web service provider uses to authenticate messages from the web service client. Security in Informatica Data Services Web Services To ensure transport layer security for web services in Informatica Data Services, the web service client authenticates the web service provider and vise versa. In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and the SSL server application verifies the identity of the SSL client application. Two-way SSL authentication is also referred to as client authentication because the SSL client application presents a certificate to the SSL server after the SSL server authenticates itself to the SSL client. The following figure shows the certificate configuration for two-way SSL authentication between applications: Configuration Tasks Before you can create the example described in this article, you must install Informatica Data Services and deploy a web service to a Data Integration Service. To complete the examples in this article, perform the following steps: 1. Create a keystore file for the web service provider certificate using the keytool utility. 2. Create a keystore file for web service client certificate using keytool utility. 3. Import the certificates in the trust store using the keytool utility. 4. Configure the Data Integration Service for two-way authentication. 5. Use soapui to create a web service client. 6. Run the web service client over a secure connection. 3

4 Step 1. Create Web Service Provider Keystore File Use the keytool utility to generate a keystore containing a signed digital certificate to use with a secure web service. Keytool is a key and certificate management utility that you can use to generate and administer private and public key pairs and associated certificates for use with the SSL security protocol. By default, keytool stores the keys and certificates in a file called a keystore. The file is secured with a password. For information about using the keytool utility to generate a keystore, see the following website: 1. Open a command prompt and navigate to the following directory: %JAVA_HOME%/jre/bin 2. Run the following command to generate the key: keytool -genkey -alias <KeystoreAliasforserver> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -keypass <KeystorePassword> - storepass <StorePassword> -keystore server.keystore 3. To export the key to the server.cert security certificate file, run the following command: keytool -export -alias <KeystoreAliasforserver> -storepass <StorePassword> -file server.cert -keystore server.keystore If the command is successful, the command prompt displays the following message: Certificate stored in file server.cert. Step 2. Create a Keystore File for the Client Certificate Use the keytool utility to generate a keystore containing a signed digital certificate for a web service client. 1. From the command prompt, run the following command to generate the key: keytool -genkey -alias <KeystoreAliasforclient> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -keypass <KeystorePassword> - storepass <StorePassword> -keystore client.keystore You can use the client host name as the keystore alias and the DN common name. Use the values appropriate for your organization for the other DN elements. 2. Run the following command to generate client certificate in PKCS12 format: keytool -genkey -alias <KeystoreAliasforclient> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -storetype PKCS12 -keypass <KeystorePassword> -storepass <StorePassword> -keystore client.p12 3. Run the following command to export the key to a security certificate file named client.cert: keytool -export -alias <KeystoreAliasforclient> -storepass <StorePassword> -file client.cert -keystore client.p12 -storetype PKCS12 If the command is successful, the command prompt displays the following message: Certificate stored in file client.p12 Step 3. Import the Certificates in the Trust Store Import the client and server certificates in the trust store with the keytool utility. 1. Run the following command to import the contents of the server.cert file to the client trust store file: keytool -import -alias <KeystoreAliasforserver> -keystore client.keystore -file server.cert The keystore utility prompts you to enter a keystore password. The keystore password is the value of the keypass parameter from Step 1. 4

5 2. Run the following command to import the contents of the client.cert file to server trust store file: keytool -import -alias <KeystoreAliasforclient> -keystore server.keystore -file client.cert The keystore utility prompts you to enter a keystore password. The keystore password is the value of the keypass parameter from Step 2. Step 4. Configure the Data Integration Service for Two-Way Authentication Configure two-way authentication in the Administrator tool. Edit the security options for the Data Integration Service. 1. Open the Administrator tool. 2. Select the Data Integration Service in the Domain Navigator. 3. Click the Processes tab. 4. In the Service Process Properties, edit the Data Integration Security Options. 5. Enter a HTTPS Port number and click OK. 6. Click HTTP Configuration Options and enter the following fields: Field Keystore file Keystore password Trust store file Trust store password Description Path to the server.keystore file. Keypass for the server.keystore file. Path to the server.keystore file. Keypass for the server.keystore file. 7. Click OK. Step 5. Create a Web Service Client with SoapUI Create a web service client using the soapui tool. SoapUI is an open source web service testing tool that you can use as the web service client. Before you can import a WSDL to a soapui project, you must configure the SSL settings. 1. Open the soapui client and click File > SSL Setting. 2. Browse for the location of the client keystore file. 5

6 3. Enter the keystore password. After you configure the SSL settings, you can import the WSDL to the project and run the web service. Author Sumeet K. Agrawal Senior QA Engineer 6