Usage of Evaluate Client Certificate with SSL support in Mediator and CentraSite

Contents
  Introduction
  Pre-requisite
  Configuration
  Configure keystore and truststore
  Asset Creation and Deployment
  Troubleshooting

Introduction

Use the Evaluate Client Certificate with SSL support run-time action when the virtual service is to be invoked only on a secured (HTTPS) port and all messages must use the SSL protocol. When this policy action is set for the virtual service, Mediator ensures that requests are sent to the server using the HTTPS protocol (SSL). The policy also specifies whether a client certificate is required, which allows Mediator to verify the client sending the request. If the policy requires the client certificate and it is not presented, Mediator rejects the message. When a client certificate is required by the policy, the Integration Server HTTPS port must be configured to request or require a client certificate.

Pre-requisite

This tutorial expects the reader to have basic knowledge of Mediator and its run-time scenarios.
  a. Create a web service asset in CentraSite.
  b. Create a target instance in CentraSite pointing to the deployment URI of the Mediator where the service is hosted.
  c. Create and enable the HTTPS ports in Integration Server so that they can be used in the Mediator configuration.

Configuration

  1. Make sure that the security configuration is done in Mediator. For guidance on configuring the keystore and truststore, refer to the section below or to "Securing Communications with the Server" in the webMethods Integration Server Administrator's Guide.
  2. Enable the HTTPS port created in the Integration Server port settings on the General page of the Mediator Administration screen.

Configure keystore and truststore
If we want to deploy virtual services with security policies applied, we first have to set up the security configuration in Mediator.

  1. In Mediator, go to Security > Keystore. By default no keystore is configured out of the box. Click "Create keystore alias" and provide the certificate information as shown in the screenshots below.
     a. Provide the location of the keystore you wish to use; for this demo we are using a test keystore.
     b. Provide the password for the keystore in the Password / Re-type password fields.

  2. Once the keystore alias is configured, it appears in the keystore list. Now create a truststore alias pointing to the "cacerts" file in the same location:
     a. C:\SoftwareAG\IntegrationServer\instances\default\packages\WmMediator\config\resources\security\cacerts
     b. The password is "changeit". Note that "changeit" is the stock default password of a JDK cacerts file; a production truststore should carry its own password.
     c. Note: this truststore must contain the client certificate used at run time. If it is not there, import the certificate into the truststore.

  3. Once the keystore and truststore are configured, configure the client certificates by specifying the certificate path.
     a. In Mediator, a user who authenticates with an X.509 certificate has to be mapped to that certificate. The steps below map the user.
     b. Browse to the location of the certificate and select it.
     c. Select the user "Administrator" or any other valid IS user by searching the users in the configuration section (click the search icon next to the search field).
     d. Click the "Import Certificate" button; the certificate is then added to the certificates list.

  4. Now configure the security information in Mediator: open the Mediator console and go to General. The configured keystore and truststore aliases are listed there; choose the appropriate ones.

Asset Creation and Deployment

Create a web service and then click the Virtualize action in the Actions bar, which opens the Virtualization screen shown below. Provide the virtual service name and then select the endpoint for which you want to create the proxy service.
Click Next. In the message flow "Receive" step, select both HTTP and HTTPS if you want to support both transports. In the same configuration screen, under the Policy Enforcement section of the accordion, drag and drop the policy action "Evaluate Client Certificate for SSL Connectivity" into the "Enforce" section. Under it you will find the mechanisms by which consumers can be identified; for this use case we selected "Registered Consumers". After the virtual service is created, create a consumer application and add the certificate to it.

Click Edit Action and add the certificate you wish to use to the consumer list. To make the consumer application a consumer of the virtual service we created, go back to the virtual service, click the "Consume" action and search for the application in the Consume dialog. Once the Consume action succeeds, the number of consumers listed in the Basic Information profile of the virtual service increases by one.

You can now publish the asset to the desired Mediator instance. After successful deployment, the virtual service and the consumer associated with it can be verified in the Mediator administration screen. The VSD snippet of the Evaluate Client Certificate with SSL support policy action is as follows:
VSD snippet

    <enforcement-actions allow-anon="false">
      <expressions>
        <expression>
          <params identify="strict" type="httpscertificate" />
        </expression>
      </expressions>
    </enforcement-actions>

The service invocation request looks like this.

Raw SOAP request

    POST https://127.0.0.1:9797/ws/virtualservice_evaluateclientcertificate.virtualservice_evaluateclientcertificatesoap12https HTTP/1.1
    Content-Type: application/soap+xml;charset=utf-8;action="urn:sayhello"
    Content-Length: 282
    Host: 127.0.0.1:9797
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:axis="http://ws.apache.org/axis2">
      <soap:Header/>
      <soap:Body>
        <axis:sayHello>
          <!--Optional:-->
          <axis:name>testing evaluate client certificate demo</axis:name>
        </axis:sayHello>
      </soap:Body>
    </soap:Envelope>

Invocation response

    HTTP/1.1 200 OK
    Content-Type: application/soap+xml; charset=utf-8; action="urn:sayhello"
    Content-Length: 274

    <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"><soapenv:Body><ns:sayHelloResponse xmlns:ns="http://ws.apache.org/axis2"><ns:return>hello 9999</ns:return></ns:sayHelloResponse></soapenv:Body></soapenv:Envelope>

Troubleshooting

  1. Message: Access Denied exception
     Reason: The access mode of the HTTPS port used for invocation is not "Allow by default".
     Steps to be taken: Change the access mode of the port from "Deny by default" to "Allow by default" under the port configuration.

  2. Message: Consumer not identified
     Reason: The certificate registered in the consumer application and the certificate passed in the SOAP request by the client do not match.
     Steps to be taken: Check the certificate being passed from the client.

  3. Message: Service requires SSL mutual authentication while executing operation
     Reason: The certificate is not present in the SOAP request.
     Steps to be taken: Check whether the certificate is present in the SOAP request.

  4. Message: Service requires SSL mutual authentication while executing operation
     Reason: The certificate is not present in the SOAP request; if it is present, check the latest WSStack fix level.
     Steps to be taken: There are known issues fixed in WSStack fixes; apply the latest WSStack fix level.

  5. Message: No Certificate was sent over HTTPS transport. Identify Consumer using HTTPS Certificate requires communication over HTTPS transport
     Reason: The "Use JSSE" flag of the HTTPS port is set to "true".
     Steps to be taken: Under the HTTPS port configuration, check whether the "Use JSSE" flag is set to true; if so, reset it to false and enable the port again.

  6. Message: Service requires SSL mutual authentication while executing operation
     Reason: The certificate is not passed to the native service because Client Authentication on the port is set to "Username/Password".
     Steps to be taken: Change the client authentication mechanism to "Request Client Certificate" or "Require Client Certificate" under the HTTPS port configuration in IS.
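The following is an added example, not code from the tutorial or from Software AG: a small Python client that builds the sayHello SOAP 1.2 request shown above, sends it over a TLS connection that presents the consumer certificate (the check behind rows 2, 3 and 6 of the table), and extracts the reply. The PEM file names and the helper names are assumptions; the host, port, path and header values are taken from the request above.

```python
import http.client
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
AXIS_NS = "http://ws.apache.org/axis2"
# Endpoint of the virtual service from the raw request in the tutorial.
VS_PATH = ("/ws/virtualservice_evaluateclientcertificate."
           "virtualservice_evaluateclientcertificatesoap12https")

def build_soap12_request(name):
    """Return (headers, body) for the sayHello call; name is XML-escaped."""
    body = (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:axis="{AXIS_NS}">'
        "<soap:Header/><soap:Body>"
        f"<axis:sayHello><axis:name>{escape(name)}</axis:name></axis:sayHello>"
        "</soap:Body></soap:Envelope>"
    ).encode("utf-8")
    headers = {
        "Content-Type": 'application/soap+xml;charset=utf-8;action="urn:sayhello"',
        "Content-Length": str(len(body)),
    }
    return headers, body

def make_mtls_context(client_cert_pem, client_key_pem, server_ca_pem):
    """TLS context that verifies the Mediator HTTPS port against the CA that
    issued its server certificate and presents the consumer certificate.
    All three PEM paths are assumptions for this example."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Without load_cert_chain no client certificate is sent, which produces the
    # "Service requires SSL mutual authentication" rejection listed above.
    ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx

def invoke_virtual_service(host, port, path, name, ctx):
    """POST the request over mutual TLS; returns (status, raw response bytes)."""
    headers, body = build_soap12_request(name)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def parse_say_hello_response(raw):
    """Return the <ns:return> text of a sayHelloResponse, or None if absent."""
    ret = ET.fromstring(raw).find(f".//{{{AXIS_NS}}}return")
    return None if ret is None else ret.text
```

Against the tutorial's setup the call is `invoke_virtual_service("127.0.0.1", 9797, VS_PATH, "testing evaluate client certificate demo", ctx)`; a fault body makes `parse_say_hello_response` return None, which is the cue to walk the troubleshooting table.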