How to Implement Transport Layer Security in PowerCenter Web Services

Transcription

1 How to Implement Transport Layer Security in PowerCenter Web Services 2008 Informatica Corporation

2 Table of Contents Introduction... 2 Security in PowerCenter Web Services... 3 Step 1. Create the Keystore File... 4 Step 2. Create a Web Services Hub to Run in HTTPS Mode... 4 Step 3. Add the Web Services Hub Certificate to the Trust Store... 4 Exporting the Web Services Hub Certificate... 4 Adding the Web Services Hub Certificate to the Trust Store... 5 Step 4. Create a Web Service Workflow... 5 Create the Web Service Mapping... 5 Create the Web Service Workflow...7 Test the Web Service... 7 Step 5. Create a Web Service Client Workflow... 8 Create the Source and Target Definitions... 8 Create and Configure the Mapping... 8 Create an Application Connection Object... 9 Create the Client Workflow and Configure the Session... 9 Step 6. Run the Web Service over HTTPS Third-Party Web Service Providers and Clients Third-Party Web Service Called by a PowerExchange for Web Services Client Workflow Third-Party Web Service Client Calling a PowerCenter Web Service Introduction When a web service provider or web service client sends or receives data over the network, the data is subject to security risks. To reduce the risks, web service providers and clients must handle the following security issues: Authentication. Web service providers and clients must verify the identity of the user transmitting data and the origin of the data. Confidentiality. Web service providers and clients must prevent third parties from deciphering any intercepted data. Data integrity. Web service providers and clients must ensure that data is not lost, modified, or destroyed during transmission. To ensure confidentiality and data integrity, set up security at the message transport level. This means setting up a secure connection for the SOAP messages being transmitted between the web service provider and the web service client. Using HTTPS ensures the integrity and confidentiality of SOAP messages and provides point-to-point security. An HTTPS connection uses the public key infrastructure (PKI) to ensure security in the transfer of messages between the web service provider and the web service client. Typically, PKI includes the following components: Authentication certificate. A digital certificate that a certificate authority (CA) provides to verify and authenticate parties in Internet communications. A certificate authority is a trusted, independent third party that issues digital 2

3 certificates. Digital certificates from a CA are stored in a keystore. The digital certificate can also be a self-signed certificate generated by the web service provider. Trust store. A file that contains authentication certificates that a client uses to authenticate messages from web service providers. Client store. A file that contains authentication certificates that a web service provider uses to authenticate messages from the web service client. Security in PowerCenter Web Services To ensure transport layer security for web services in PowerCenter, the web service client authenticates the web service provider. When the client connects to the web service provider, it establishes an SSL session to authenticate the web service provider. The web service provider sends an authentication certificate to the client. The client verifies that the authentication certificate exists in the trust certificates file. To run secure web services in PowerCenter, create a Web Services Hub that uses the HTTPS protocol. A Web Services Hub that runs in HTTPS mode requires a keystore file that contains certificates for the Web Services Hub. It also requires that the cacerts keystore contain the Web Services Hub certificate. A client application that accesses a web service running in a secure Web Services Hub must authenticate the web service provider. When you use a PowerCenter for Web Services workflow as a client application, you must add the Web Services Hub certificate into the ca-bundle.crt trust store. This article shows a way to implement transport layer security in PowerCenter web services. It shows how to use PowerCenter as a web service provider and how to use PowerCenter for Web Services as a web service client. It provides instructions to create and access web services using a secure connection. The examples provided in the article illustrate the following processes: Using the keytool to create a keystore to generate a self-signed certificate for a secure Web Services Hub. Creating a Web Services Hub that uses the keystore file and runs in HTTPS mode. Creating a PowerCenter web service workflow. Using PowerExchange for Web Services to create a web service client workflow that would run the web service workflow. Adding the Web Services Hub certificate to the trust store used by the web service client. Running the web service client to access the web service over HTTPS. Before you can create and run the Web Services Hub and workflows described in this article, you must install and configure PowerCenter version 8.5 or later. This article assumes you have a basic working knowledge of PowerCenter and web services. To complete the examples in this article, perform the following steps: 1. Create a keystore file using the keytool utility. 2. Create a secure Web Services Hub. 3. Add the Web Services Hub certificate to the trust store. 4. Create a web service workflow. 5. Use PowerExchange for Web Services to create a web service client. 6. Run the web service client over a secure connection. 3

4 Step 1. Create the Keystore File Keytool is a key and certificate management utility that allows you to generate and administer private and public key pairs and associated certificates for use with the SSL security protocol. By default, keytool stores the keys and certificates in a file called a keystore. The file is secured with a password. Use the keytool utility to generate a keystore containing a self-signed digital certificate for use with a secure Web Service Hub. To create a keystore: 1. Locate the keytool utility in the directory where Java is installed: %JAVA_HOME%/jre/bin 2. On the command prompt, run the following command to generate the key: keytool -genkey -alias <KeystoreAlias> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -keypass <KeystorePassword> -storepass <StorePassword> -keystore https.keystore You can use the Web Services Hub host name as the Keystore alias and the DN common name. Use the values appropriate for your organization for the other DN elements. For example: "CN=Hydra, OU=Research & Development, O=Informatica, L=Redwood City, S=CA, C=USA" Use the https.keystore file when you create a secure Web Services Hub. You can leave the keystore file in default location or copy the file to the directory where you keep security files. For more information about using the keytool utility and about generating a keystore and CA signed certificates for production use, see the following website: Step 2. Create a Web Services Hub to Run in HTTPS Mode Log in to the Administration Console and create a Web Services Hub. When you create the Web Services Hub, configure the following properties: URLScheme. Set to HTTPS. HubPortNumber (https). Set to an unused port number. KeystoreFile. Set to the path and file name of the keystore file named https.keystore created in Step 1. Create the Keystore File. Step 3. Add the Web Services Hub Certificate to the Trust Store PowerExchange for Web Services uses the ca-bundle.crt file as its default trust certificate file. This example uses a PowerExchange for Web Services workflow as the web service client. You need to export the Web Services Hub certificate and add it to the ca-bundle.crt trust store for use with the web service client. The procedure below is for the Internet Explorer browser. Exporting the Web Services Hub Certificate To export the Web Services Hub certificate: 1. Start the Web Services Hub Console 2. In the browser window, click the padlock icon next to the website address. 4

5 This is the Security Report icon that shows the web site identification. It appears only for web sites running in HTTPS mode. 3. In the Security Report window, click View Certificates. 4. Click the Details tab. 5. Select Authority Information Access from the field list and click Copy to file. 6. Use the Certificate Export Wizard to create the certificate file. - Set the format to DER encoded binary X.509 (.CER). - Specify the file name. 7. After you complete running the Certificate Export Wizard, click OK. Adding the Web Services Hub Certificate to the Trust Store To add to the ca-bundle.crt trust store: 1. Locate the file named ca-bundle.crt in the following directory: <PowerCenterInstallationDir>/server/bin 2. Use a text editor to open the ca-bundle.crt file. 3. Use a text editor to open the file containing the certificate exported from the Web Services Hub. 4. Copy the contents of the file containing the exported certificate and add it to the bottom of the ca-bundle.crt file. 5. Save the ca-bundle.crt file. 6. Close the Web Services Hub certificate file. Step 4. Create a Web Service Workflow Create a workflow to run as a web service on the secure Web Service Hub. In this example, you create a web service mapping and manually define the ports. Create the Web Service Mapping To create the web service mapping: 1. In the Designer, go to the Mapping Designer. 2. Click Mapping > Create Web Service Mapping > Use Source/Target definitions. 3. Enter a name for the web service mapping. 5

6 4. Add two source ports and one target port and click OK: - Two source ports. Name the ports Number01 and Number02 and set the datatype to integer. - One target port. Name the port Sum and set the datatype to integer. 5. Drag the mapping to the Mapping Designer workspace. 6. Add an Expression transformation with the following ports: - Two input ports. Drag the n_number01 and n_number02 ports from the Source Qualifier to the Expression transformation. - One output port. Add an output port named n_sum and set the expression to n_number01 + n_number Drag the n_sum output port from the Expression transformation to the n_sum input port in the target. 8. Validate and save the mapping. The mapping is shown in Figure 2: Figure 2: Web Service Mapping 6

7 Create the Web Service Workflow Create a session and workflow for the mapping you just created. To create the web service workflow: 1. In the Workflow Manager, go to the Task Developer. 2. Click Tasks > Create. 3. Select Session, enter a name for the session, and click Create. 4. Select the mapping you just created. 5. Go to the Workflow Designer and click Workflows > Create. 6. Enter a name for the workflow and enable the Web Services option. 7. Click Config Service and enter a name for the service. 8. Select the secure Web Service Hub you created in Step 2. Create a Web Services Hub to Run in HTTPS Mode to run the service. 9. Configure the service to be Visible and Runnable. 10. Drag the session into the workflow and create a link from Start to the session. 11. Save the workflow. Test the Web Service You can use the Try-It application in the Web Service Hub Console to test the web service. Verify that the web service generates the correct response before you invoke it from the web service client. To test the web service: 1. Start the Web Services Hub Console: 2. Verify that the web service workflow appears in the list of valid web services. 3. Select the web service and click Try-It. 7

8 4. Enter the numbers that you want the web service to add. Verify that the Web Services Hub Console displays the correct response in the Try-It window. 5. Close the Try-It window. Step 5. Create a Web Service Client Workflow Create a workflow that uses a Web Services Consumer transformation to access the web service running on a secure Web Services Hub. Create the Source and Target Definitions To create the flat file source and target definitions: 1. Create a text file named numbers.dat with the following content: 1,101,101 2,201,201 3,401,401 4,501,501 5,301, In the Designer, go to the Source Analyzer. 3. Import the flat file source definition from numbers.dat. When you import the source definition, keep the columns numeric and use the following names for the columns: Envelope, Number01, Number Create a flat file target definition with the names Envelope and Sum and set the datatype to bigint. The following source and target definitions shows the columns you need to add: Create and Configure the Mapping Create the mapping and add the source and target and a Web Service Consumer transformation. To create the mapping: 1. Create a mapping. 2. Drag the flat file source and target and the Web Services Consumer transformation into the mapping. 3. Add a Web Services Consumer transformation. 4. Import the addition operation from the WSDL of the web service that you created in Step 4. Create a Web Service Workflow. You can import directly from the Web Services Hub console: 5. Import the WSDL in the default entity relationship mode. 8

9 6. Link the following ports: - Link Envelope in the Source Qualifier to XPK_n4_Envelope in the Web Services Consumer transformation. - Link Number01 and Number02 in the Source Qualifier to n_number_01 and n_number_02 in the Web Services Consumer transformation. - Link XPK_n4_Envelope0 and n_sum in the Web Services Consumer transformation to Envelope and Sum in the Target definition. 7. Validate and save the mapping. Figure 6: Client Mapping Create an Application Connection Object The Web Services Consumer transformation requires a connection object that defines how the client workflow connects to the web service. To create the application connection: 1. In the Workflow Manager, click Connections > Application. 2. Click New. 3. Select the Web Services Consumer subtype and click Create. 4. Enter a name for the connection object. 5. Enter a user name and password to connect to the web service. The client workflow will not be authenticated by the web service provider. You can enter any user name and password. 6. Set the following properties: Attribute End Point URL Trust Certificates File Description URL to connect to the web service. Specify the WSDL of the addition web service created in Step 4. Create a Web Service Workflow: Location of the trust store file that contains the authentication certificates used to authenticate requests from web service providers. By default, the name of the trust store file is ca-bundle.crt. The file is installed in the following directory: <PowerCenterInstallationDir>/server/bin Create the Client Workflow and Configure the Session Create a workflow and session for the mapping you just created. Configure the Web Services Consumer transformation to use the application connection object you created. 9

10 To create the client workflow: 1. In the Workflow Manager, go to the Task Developer. 2. Click Tasks > Create. 3. Select Session, enter a name for the session, and click Create. 4. Select the mapping you just created. 5. Go to the Workflow Designer and click Workflows > Create. 6. Enter a name for the workflow. 7. Drag the session into the workflow and create a link from Start to the session. 8. Validate and save the workflow. 9. Edit the session and click the Mapping tab. 10. Select the Web Services Consumer transformation and set the connection to the application connection object you just created. 11. Save the workflow. Step 6. Run the Web Service over HTTPS Run the client workflow. The client workflow invokes the web service which is configured to run on the secure Web Services Hub. Verify that the target file for the client workflow contains the correct data after the workflow runs. Third-Party Web Service Providers and Clients The examples in this article highlight the use of PowerCenter web service provider and client features to illustrate how to implement transport layer security. As a web service provider, PowerCenter provides features such as a secure Web Services Hub and web service workflows. As a web service client, PowerCenter for Web Services provides features such as the Web Services Consumer transformation. You can also use PowerCenter as a web service provider to a third-party client application. Likewise, you can use PowerExchange for Web Services as a web service client for third-party web services. Third-Party Web Service Called by a PowerExchange for Web Services Client Workflow You can create a PowerExchange for Web Services workflow to invoke any web service available to you. Add a Web Service Consumer transformation and import the operation definition from the WSDL of the third-party web service. To invoke a third-party web service running on a secure connection from a PowerExchange for Web Services workflow, you must configure the following components: A web service that runs on a secure connection. Verify that the web service runs on a secure connection. Authentication certificate from the web service provider. If the web service runs on a secure connection, the web service provider must have an authentication certificate available for a secure handshake. Trust store with the authentication certificate. Add the certificate from the web service provider to the cabundle.crt trust store used by the PowerExchange for Web Services workflow. Third-Party Web Service Client Calling a PowerCenter Web Service You do not need to run a PowerExchange for Web Services workflow to invoke a PowerCenter web service. You can create a third-party web service client, such as a Java application, to invoke a PowerCenter web service. 10

11 To invoke a PowerCenter web service through a secure connection, you must configure the following components: A keystore for a secure Web Services Hub. Create a keystore for use with a secure Web Services Hub. A secure Web Services Hub. Create a Web Services Hub running in HTTPS mode. A trust store used by the client. Determine the trust store used by the client to authenticate web service providers. Add the Web Services Hub certificate to the trust store. Authors Sumeet K. Agrawal Senior Software Engineer - QA Sumeet has been a member of the Informatica web services team for a number of years. His main interests are databases, cryptography, and real-time systems. Marissa R. Johnston Principal Technical Writer 11