How to Implement Transport Layer Security in PowerCenter Web Services




2008 Informatica Corporation

Table of Contents

Introduction
Security in PowerCenter Web Services
Step 1. Create the Keystore File
Step 2. Create a Web Services Hub to Run in HTTPS Mode
Step 3. Add the Web Services Hub Certificate to the Trust Store
  Exporting the Web Services Hub Certificate
  Adding the Web Services Hub Certificate to the Trust Store
Step 4. Create a Web Service Workflow
  Create the Web Service Mapping
  Create the Web Service Workflow
  Test the Web Service
Step 5. Create a Web Service Client Workflow
  Create the Source and Target Definitions
  Create and Configure the Mapping
  Create an Application Connection Object
  Create the Client Workflow and Configure the Session
Step 6. Run the Web Service over HTTPS
Third-Party Web Service Providers and Clients
  Third-Party Web Service Called by a PowerExchange for Web Services Client Workflow
  Third-Party Web Service Client Calling a PowerCenter Web Service

Introduction

When a web service provider or web service client sends or receives data over the network, the data is exposed to security risks. To reduce those risks, web service providers and clients must address the following:

Authentication. Web service providers and clients must verify the identity of the party transmitting data and the origin of the data.

Confidentiality. Web service providers and clients must prevent third parties from reading any intercepted data.

Data integrity. Web service providers and clients must ensure that data is not lost, modified, or destroyed during transmission.

To ensure confidentiality and data integrity, set up security at the message transport level: establish a secure connection for the SOAP messages transmitted between the web service provider and the web service client. HTTPS provides integrity and confidentiality for SOAP messages in transit, but only point to point: protection covers the connection itself and ends at any intermediary (for example a proxy or load balancer) that terminates the SSL/TLS session.

An HTTPS connection uses public key infrastructure (PKI) to secure the transfer of messages between the web service provider and the web service client. PKI typically includes the following components:

Authentication certificate. A digital certificate that a certificate authority (CA) issues to identify and authenticate parties in Internet communications. A certificate authority is a trusted, independent third party that issues digital certificates. Certificates from a CA, together with their private keys, are stored in a keystore. The certificate can also be a self-signed certificate generated by the web service provider; a self-signed certificate identifies the provider only to clients that have been explicitly configured to trust that exact certificate.

Trust store. A file that contains the certificates a client uses to authenticate web service providers.

Client store. A file that contains the certificates a web service provider uses to authenticate web service clients. It is needed only for two-way (mutual) SSL, which this article does not configure.

Security in PowerCenter Web Services

Transport layer security for web services in PowerCenter is one-way: the web service client authenticates the web service provider, and the provider does not authenticate the client at the transport layer. When the client connects to the web service provider, it establishes an SSL session in which the provider sends its certificate to the client. The client verifies that the certificate is present in its trust certificates file; if it is not, the handshake fails and no SOAP message is sent.

To run secure web services in PowerCenter, create a Web Services Hub that uses the HTTPS protocol. A Web Services Hub that runs in HTTPS mode requires a keystore file that contains the certificate and private key for the Web Services Hub. It also requires that the Java cacerts trust store contain the Web Services Hub certificate.

A client application that accesses a web service running in a secure Web Services Hub must authenticate the web service provider. When you use a PowerExchange for Web Services workflow as the client application, you must add the Web Services Hub certificate to the ca-bundle.crt trust store.

This article shows one way to implement transport layer security in PowerCenter web services. It shows how to use PowerCenter as a web service provider and how to use PowerExchange for Web Services as a web service client, with instructions to create and access web services over a secure connection.

The examples in the article illustrate the following processes:

- Using keytool to create a keystore containing a self-signed certificate for a secure Web Services Hub.
- Creating a Web Services Hub that uses the keystore file and runs in HTTPS mode.
- Creating a PowerCenter web service workflow.
- Using PowerExchange for Web Services to create a web service client workflow that runs the web service workflow.
- Adding the Web Services Hub certificate to the trust store used by the web service client.
- Running the web service client to access the web service over HTTPS.

Before you can create and run the Web Services Hub and workflows described in this article, you must install and configure PowerCenter version 8.5 or later. This article assumes you have a basic working knowledge of PowerCenter and web services.

To complete the examples in this article, perform the following steps:

1. Create a keystore file using the keytool utility.
2. Create a secure Web Services Hub.
3. Add the Web Services Hub certificate to the trust store.
4. Create a web service workflow.
5. Use PowerExchange for Web Services to create a web service client.
6. Run the web service client over a secure connection.

Step 1. Create the Keystore File

keytool is the key and certificate management utility shipped with Java. It generates and administers private and public key pairs and the certificates associated with them for use with the SSL protocol. By default, keytool stores keys and certificates in a password-protected file called a keystore.

Use keytool to generate a keystore containing a self-signed certificate for the secure Web Services Hub.

To create a keystore:

1. Locate the keytool utility in the directory where Java is installed:
   %JAVA_HOME%/jre/bin

2. At the command prompt, run the following command to generate the key pair and its self-signed certificate:

   keytool -genkey -alias <KeystoreAlias> -dname "CN=<CommonName>, OU=<OrganizationUnit>, O=<OrganizationName>, L=<Locality>, S=<State>, C=<Country>" -keyalg RSA -keypass <KeystorePassword> -storepass <StorePassword> -keystore https.keystore

   Use the Web Services Hub host name as the keystore alias and as the DN common name (CN): clients that check the certificate name reject a certificate whose CN does not match the host name in the HTTPS URL. Use the values appropriate for your organization for the other DN elements; the country (C) is the two-letter ISO 3166 code. For example:

   "CN=Hydra, OU=Research & Development, O=Informatica, L=Redwood City, S=CA, C=US"

   The command as written relies on keytool's defaults for everything it does not specify. In the Java 5 and 6 releases current when this article was written, those defaults are a 1024-bit RSA key, a SHA-1 signature, and a 90-day validity period; add -keysize 2048 and -validity <days> for anything beyond a short test. Passing -keypass and -storepass on the command line also leaves the passwords in shell history and process listings; omit them and let keytool prompt for them instead.

   Use the https.keystore file when you create the secure Web Services Hub. You can leave the keystore file in its default location or copy it to the directory where you keep security files. Restrict file permissions on the keystore: it contains the hub's private key. For more information about keytool and about generating a keystore and CA-signed certificates for production use, see the following website:

   http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

Step 2. Create a Web Services Hub to Run in HTTPS Mode

Log in to the Administration Console and create a Web Services Hub. When you create the Web Services Hub, configure the following properties:

URLScheme. Set to HTTPS.

HubPortNumber (https). Set to an unused port number.

KeystoreFile. Set to the path and file name of the https.keystore file created in Step 1. Create the Keystore File.

Step 3. Add the Web Services Hub Certificate to the Trust Store

PowerExchange for Web Services uses the ca-bundle.crt file as its default trust certificates file. This example uses a PowerExchange for Web Services workflow as the web service client, so you need to export the Web Services Hub certificate and add it to the ca-bundle.crt trust store. The procedure below is for the Internet Explorer browser.

Exporting the Web Services Hub Certificate

To export the Web Services Hub certificate:

1. Start the Web Services Hub Console:
   https://<wshubhostname>:<portnumber>/wsh
   Because the certificate is self-signed, Internet Explorer first shows a certificate warning page; choose to continue to the website.
2. In the browser window, click the padlock icon next to the website address. (For a certificate the browser does not trust, the address bar shows a Certificate Error badge in place of the padlock; clicking it opens the same report.)

   This is the Security Report icon, which shows the website identification. It appears only for websites running in HTTPS mode.
3. In the Security Report window, click View Certificates.
4. Click the Details tab.
5. Click Copy to File. Which field is selected in the list does not matter; the button exports the whole certificate. (A self-signed certificate has no Authority Information Access field to select.)
6. Use the Certificate Export Wizard to create the certificate file:
   - Set the format to Base-64 encoded X.509 (.CER). The ca-bundle.crt file is a text file of Base-64 (PEM) certificates, so a DER encoded binary export cannot be pasted into it.
   - Specify the file name.
7. When the wizard finishes, click OK.

Before you trust the exported certificate, compare its fingerprint (the Thumbprint field on the Details tab) with the fingerprint of the keystore entry on the Web Services Hub machine. This confirms that what the browser received is the hub's certificate and not one substituted on the network.

Adding the Web Services Hub Certificate to the Trust Store

To add the certificate to the ca-bundle.crt trust store:

1. Locate the file named ca-bundle.crt in the following directory:
   <PowerCenterInstallationDir>/server/bin
2. Open the ca-bundle.crt file in a text editor.
3. Open the file containing the certificate exported from the Web Services Hub in a text editor.
4. Copy the contents of the exported certificate file, from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line, and append them on a new line at the bottom of ca-bundle.crt.
5. Save the ca-bundle.crt file.
6. Close the Web Services Hub certificate file.

Keep a backup of ca-bundle.crt. Every certificate in it is a trust anchor for every PowerExchange for Web Services session that uses the default trust file, so append only the hub certificate you verified, and remove it when the hub certificate is replaced.

Step 4. Create a Web Service Workflow

Create a workflow to run as a web service on the secure Web Services Hub. In this example, you create a web service mapping and manually define the ports.

Create the Web Service Mapping

To create the web service mapping:

1. In the Designer, go to the Mapping Designer.
2. Click Mapping > Create Web Service Mapping > Use Source/Target definitions.
3. Enter a name for the web service mapping.
4. Add two source ports and one target port and click OK:
   - Two source ports. Name the ports Number01 and Number02 and set the datatype to integer.
   - One target port. Name the port Sum and set the datatype to integer.
5. Drag the mapping to the Mapping Designer workspace.
6. Add an Expression transformation with the following ports:
   - Two input ports. Drag the n_number01 and n_number02 ports from the Source Qualifier to the Expression transformation.
   - One output port. Add an output port named n_sum and set the expression to n_number01 + n_number02.
7. Drag the n_sum output port from the Expression transformation to the n_sum input port in the target.
8. Validate and save the mapping.

The mapping is shown in Figure 2.

Figure 2: Web Service Mapping
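Steps 1 and 3 above, carried out from the command line instead of the browser, as an added example; this is not code from the article or from Informatica. It assumes keytool from JDK 7 or later on the PATH (for -genkeypair, -exportcert, -storepass:env and -ext SAN), curl for the optional endpoint check, the keystore password in the environment variable WSH_STOREPASS and the Java trust store password in WSH_TRUSTPASS, and it reuses the host name Hydra and DN values from the article's example. The script name wsh_tls.sh and the function names are ours. The last two functions go beyond the PowerExchange for Web Services client: one imports the same certificate into a JKS trust store for the third-party Java client case discussed at the end of the article, the other is a pre-flight check for Step 6.

```shell
#!/bin/sh
# wsh_tls.sh: keystore, certificate export and trust-store update for a secure
# Web Services Hub. Added example, not Informatica code. Assumes keytool (JDK 7+)
# and curl on the PATH, and the passwords in WSH_STOREPASS / WSH_TRUSTPASS so
# that they never appear on a command line (ps and shell history would show them).

# Step 1: key pair and self-signed certificate for the hub. Explicit 2048-bit
# RSA, SHA-256 signature and validity instead of keytool's old defaults, plus a
# SAN equal to the host name, which is what name-checking clients look at.
make_keystore() { # $1=keystore file  $2=hub host name (also the alias)  $3=DN
  keytool -genkeypair -storetype JKS -keystore "$1" -alias "$2" -dname "$3" \
    -ext "SAN=dns:$2" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity 365 -storepass:env WSH_STOREPASS -keypass:env WSH_STOREPASS
}

# Step 3, export: -rfc writes the Base-64 (PEM) form that ca-bundle.crt holds,
# not the binary DER that the browser wizard offers first.
export_cert_pem() { # $1=keystore  $2=alias  $3=output .pem
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -file "$3" \
    -storepass:env WSH_STOREPASS
}

# Base-64 body of the first certificate in a PEM file with all whitespace
# removed, so two copies compare equal whatever their line wrapping.
pem_body() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | grep -v -e '-----' | tr -d ' \t\r\n'
}

# Exit status 0 if the certificate in $2 is already present in bundle $1.
bundle_has_cert() {
  awk -v want="$(pem_body "$2")" '
    /-----BEGIN CERTIFICATE-----/ { cur = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { if (cur == want) found = 1; inside = 0; next }
    inside                        { gsub(/[ \t\r]/, ""); cur = cur $0 }
    END                           { if (found) exit 0; exit 1 }' "$1"
}

count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Step 3, add to trust store: append only the certificate block, and only if it
# is not there yet, so re-running the procedure never grows ca-bundle.crt with
# duplicates of the same trust anchor.
append_cert_to_bundle() { # $1=bundle (ca-bundle.crt)  $2=certificate .pem
  [ -f "$1" ] || : > "$1"
  if bundle_has_cert "$1" "$2"; then
    echo "already trusted, nothing appended: $2" >&2
    return 0
  fi
  # make sure the previous block ends with a newline before appending
  [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$2" >> "$1"
}

# Same certificate for a Java (JSSE) client, which wants a JKS trust store
# rather than a PEM bundle; run the client with
# -Djavax.net.ssl.trustStore=<file> -Djavax.net.ssl.trustStorePassword=<pw>
import_into_jks_truststore() { # $1=trust store file  $2=alias  $3=certificate .pem
  keytool -importcert -noprompt -storetype JKS -keystore "$1" -alias "$2" \
    -file "$3" -storepass:env WSH_TRUSTPASS
}

# Pre-flight for Step 6: fetch the hub console trusting only the bundle. curl
# exit code 60 means the hub certificate is missing from the bundle, or the
# certificate name does not match the host name in the URL.
check_endpoint_trust() { # $1=bundle  $2=hub host  $3=https port
  curl --silent --show-error --cacert "$1" --output /dev/null \
    --write-out 'HTTP %{http_code} from %{url_effective}\n' "https://$2:$3/wsh"
}

main() { # usage: WSH_STOREPASS=... sh wsh_tls.sh <hubhost> [keystore] [bundle] [https port]
  : "${WSH_STOREPASS:?set WSH_STOREPASS in the environment}"
  host=$1; ks=${2:-https.keystore}; bundle=${3:-ca-bundle.crt}
  make_keystore "$ks" "$host" \
    "CN=$host, OU=Research & Development, O=Informatica, L=Redwood City, S=CA, C=US"
  export_cert_pem "$ks" "$host" "$host.pem"
  append_cert_to_bundle "$bundle" "$host.pem"
  echo "$bundle now holds $(count_certs "$bundle") certificate(s)"
  [ -z "${4:-}" ] || check_endpoint_trust "$bundle" "$host" "$4"
}
[ $# -eq 0 ] || main "$@"
```

Run it on the Web Services Hub machine, for example WSH_STOREPASS=... sh wsh_tls.sh Hydra https.keystore <PowerCenterInstallationDir>/server/bin/ca-bundle.crt <https port>, so that the certificate goes from the keystore into the trust file without ever crossing the network; that is what makes trusting a self-signed certificate defensible. The curl check passes only when the bundle contains the hub certificate and the host name in the URL matches the certificate, which is exactly what the PowerExchange for Web Services client needs in Step 5.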

Create the Web Service Workflow

Create a session and workflow for the mapping you just created.

To create the web service workflow:

1. In the Workflow Manager, go to the Task Developer.
2. Click Tasks > Create.
3. Select Session, enter a name for the session, and click Create.
4. Select the mapping you just created.
5. Go to the Workflow Designer and click Workflows > Create.
6. Enter a name for the workflow and enable the Web Services option.
7. Click Config Service and enter a name for the service.
8. Select the secure Web Services Hub you created in Step 2. Create a Web Services Hub to Run in HTTPS Mode to run the service.
9. Configure the service to be Visible and Runnable.
10. Drag the session into the workflow and create a link from Start to the session.
11. Save the workflow.

Test the Web Service

You can use the Try-It application in the Web Services Hub Console to test the web service. Verify that the web service generates the correct response before you invoke it from the web service client.

To test the web service:

1. Start the Web Services Hub Console:
   https://<wshubhostname>:<port>/wsh
2. Verify that the web service workflow appears in the list of valid web services.
3. Select the web service and click Try-It.

4. Enter the numbers that you want the web service to add. Verify that the Web Services Hub Console displays the correct response in the Try-It window.
5. Close the Try-It window.

Step 5. Create a Web Service Client Workflow

Create a workflow that uses a Web Services Consumer transformation to access the web service running on the secure Web Services Hub.

Create the Source and Target Definitions

To create the flat file source and target definitions:

1. Create a text file named numbers.dat with the following content:
   1,101,101
   2,201,201
   3,401,401
   4,501,501
   5,301,301
2. In the Designer, go to the Source Analyzer.
3. Import the flat file source definition from numbers.dat. When you import the source definition, keep the columns numeric and name them Envelope, Number01, and Number02.
4. Create a flat file target definition with the columns Envelope and Sum and set the datatype to bigint.

(Figure: Source and target definitions with the columns described above)

Create and Configure the Mapping

Create the mapping and add the source, the target, and a Web Services Consumer transformation.

To create the mapping:

1. Create a mapping.
2. Drag the flat file source and target definitions into the mapping.
3. Add a Web Services Consumer transformation.
4. Import the addition operation from the WSDL of the web service that you created in Step 4. Create a Web Service Workflow. You can import directly from the Web Services Hub console:
   https://<hostname>:<portnumber>/wsh/services/realtime/<webservicename>?wsdl
5. Import the WSDL in the default entity relationship mode.

6. Link the following ports:
   - Link Envelope in the Source Qualifier to XPK_n4_Envelope in the Web Services Consumer transformation.
   - Link Number01 and Number02 in the Source Qualifier to n_number_01 and n_number_02 in the Web Services Consumer transformation.
   - Link XPK_n4_Envelope0 and n_sum in the Web Services Consumer transformation to Envelope and Sum in the target definition.
7. Validate and save the mapping.

Figure 6: Client Mapping

Create an Application Connection Object

The Web Services Consumer transformation requires a connection object that defines how the client workflow connects to the web service.

To create the application connection:

1. In the Workflow Manager, click Connections > Application.
2. Click New.
3. Select the Web Services Consumer subtype and click Create.
4. Enter a name for the connection object.
5. Enter a user name and password to connect to the web service. In this configuration the Web Services Hub does not authenticate the client, so these values are not checked; you can enter any user name and password.
6. Set the following properties:

   End Point URL. The URL to connect to the web service. Specify the WSDL of the addition web service created in Step 4. Create a Web Service Workflow:
   https://<webservicehubhostname>:<port>/wsh/services/realtime/<webservicename>?wsdl
   Use the https scheme and the hub's HTTPS port, and use the host name that appears in the certificate's common name from Step 1.

   Trust Certificates File. Location of the trust store file that contains the certificates used to authenticate web service providers. By default, the trust store file is ca-bundle.crt, installed in the following directory:
   <PowerCenterInstallationDir>/server/bin
   Point this at the ca-bundle.crt file you updated in Step 3. A copy that does not contain the Web Services Hub certificate makes the handshake fail.

Create the Client Workflow and Configure the Session

Create a workflow and session for the mapping you just created. Configure the Web Services Consumer transformation to use the application connection object you created.

To create the client workflow:

1. In the Workflow Manager, go to the Task Developer.
2. Click Tasks > Create.
3. Select Session, enter a name for the session, and click Create.
4. Select the mapping you just created.
5. Go to the Workflow Designer and click Workflows > Create.
6. Enter a name for the workflow.
7. Drag the session into the workflow and create a link from Start to the session.
8. Validate and save the workflow.
9. Edit the session and click the Mapping tab.
10. Select the Web Services Consumer transformation and set the connection to the application connection object you just created.
11. Save the workflow.

Step 6. Run the Web Service over HTTPS

Run the client workflow. The client workflow invokes the web service, which is configured to run on the secure Web Services Hub. After the workflow runs, verify that the target file for the client workflow contains the correct data: for the numbers.dat input above, each row's Sum is the sum of its Number01 and Number02 values.

To confirm that the trust store is actually being enforced and not merely present, run the client once more with a trust certificates file that does not contain the Web Services Hub certificate. The session must fail at the SSL handshake. If it still succeeds, the client is not validating the provider: the connection is encrypted, but anyone who can present a certificate can stand in for the hub.

Third-Party Web Service Providers and Clients

The examples in this article use PowerCenter web service provider and client features to illustrate how to implement transport layer security. As a web service provider, PowerCenter provides features such as a secure Web Services Hub and web service workflows. As a web service client, PowerExchange for Web Services provides features such as the Web Services Consumer transformation. You can also use PowerCenter as a web service provider to a third-party client application. Likewise, you can use PowerExchange for Web Services as a web service client for third-party web services.

Third-Party Web Service Called by a PowerExchange for Web Services Client Workflow

You can create a PowerExchange for Web Services workflow to invoke any web service available to you. Add a Web Services Consumer transformation and import the operation definition from the WSDL of the third-party web service.

To invoke a third-party web service over a secure connection from a PowerExchange for Web Services workflow, you must configure the following components:

A web service that runs on a secure connection. Verify that the web service runs on a secure connection.

Authentication certificate from the web service provider. If the web service runs on a secure connection, the web service provider must have a certificate available for the SSL handshake.

Trust store with the authentication certificate. Add the certificate from the web service provider to the ca-bundle.crt trust store used by the PowerExchange for Web Services workflow. If the provider's certificate was issued by a CA, add the CA certificate rather than the server certificate, so that trust survives the provider's certificate renewals.

Third-Party Web Service Client Calling a PowerCenter Web Service

You do not need to run a PowerExchange for Web Services workflow to invoke a PowerCenter web service. You can create a third-party web service client, such as a Java application, to invoke a PowerCenter web service.

To invoke a PowerCenter web service over a secure connection, you must configure the following components:

A keystore for a secure Web Services Hub. Create a keystore for use with a secure Web Services Hub.

A secure Web Services Hub. Create a Web Services Hub running in HTTPS mode.

A trust store used by the client. Determine the trust store the client uses to authenticate web service providers, and add the Web Services Hub certificate to it. For a Java client this is a JKS trust store, either the JRE's cacerts file or one named with the javax.net.ssl.trustStore system property.

Authors

Sumeet K. Agrawal
Senior Software Engineer - QA
Sumeet has been a member of the Informatica web services team for a number of years. His main interests are databases, cryptography, and real-time systems.

Marissa R. Johnston
Principal Technical Writer