pp108 : Using SSL in Platform connectors


This topic explains how the different connectors in the Platform use the security features of SSL / TLS to enforce secure communication with external Web services.

Using plain HTTP for communication over the Internet allows third parties to eavesdrop on, or even tamper with, the data being sent. To secure the communication between a client and the server, HTTPS can be used. The S stands for secure communication. The SSL and TLS protocols provide the security and privacy when communicating through HTTPS.

TLS is the successor of SSL. SSL itself is proven to be insecure, hence in practice only the TLS protocol is used.

Note: Whenever SSL is used below, it means TLS is also implied.


Involved components

There are a couple of Platform connectors that use a specific Process Platform library to handle the validation of the SSL protocol. This library asks the Security Administration Trust store to validate the SSL certificate and performs hostname verification. This means that the SSL certificates are maintained in the Process Platform Trust store.

The following connectors use this specific SSL socket library:

SSL/TLS validation

To validate SSL/TLS for these connectors:

  1. Check the certificate validity. See Certificate Validation for more information. The SSL protocol in general passes the whole chain of certificates to the client (Process Platform). This chain is passed to the Security Administration service to enable validation, even if the chain is not fully known within Process Platform. An integrity check on the chain is part of the certificate validation algorithm.
  2. Verify the requested server host name with the content of the certificate (subject or subjectAltName attributes).

Note: To disable hostname verification against the SSL certificate, use the following property:

   certificatemanager.verifyhostname=true


UDDI SSL specific configuration settings
  • For backward compatible properties related to UDDI, see UDDI Connector Properties.
  • For backward compatibility and to disable hostname verification against the SSL certificate in the UDDI, use:
    uddi.http.connection.verifyhostname=false
  • To disable the validation of the SSL connection, use the configuration flag Ignore Certificate Validation. See UDDI Service Connection Parameters Interface for more information. As a result certificates and hostnames are not verified.

Client authentication with SSL

2-way SSL, also called client authentication or a mutually authenticated connection, is based on certificates provided by both sides of the connection. Both the client and the server present a certificate to the other party to be validated.

When a connection is set up with 2-way SSL, the client validates the certificate presented by the server. This is done as described above: in the same way as when no client authentication is used, validation is done against the Platform Trust store.

After the client validates the server certificate, it sends the client certificate to the server for validation. The client certificate is taken from the configured key store. The connectors need access to the private key of the client certificate in order to authenticate themselves with the external service. This information must be available in a Java key store (JKS) file on the server.

The following properties are used to configure the use of the JKS. They are put in the wcp.properties file or passed as a JVM property (-D...). See Service Container Properties Interface for more information. A JVM property setting overrides the value in wcp.properties.

The properties are checked in the following specific order:

Property: cordys.net.ssl.keyStore
    Description: Path to the JKS. Example: cordys.organization.acme.net.ssl.keyStore=\opt\pp108\certificates\keystore\uddi_external_ws.jks

Property: cordys.net.ssl.keyStorePassword
    Description: The plain-text password to access the key store and the key in the key store.

Property: javax.net.ssl.keyStore
    Description: Path to the JKS. Example: cordys.organization.acme.net.ssl.keyStore=\opt\pp108\certificates\keystore\uddi_external_ws.jks

Property: javax.net.ssl.keyStorePassword
    Description: The plain-text password to access the key store and the key in the key store.

To use a Java key store for 2-way SSL:

  1. Create or get a Java key store (JKS) with the client certificate and private key, and place it on the Process Platform server.
  2. Use the properties described above to specify the path to the JKS as key store and the password.
  3. Restart the connector.

Note: Each Java key store has only one client certificate.
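The following is an added example, not Process Platform code, showing how a connector-style client can resolve the key store settings in the order described above (JVM -D property over wcp.properties, cordys.net.ssl.* before javax.net.ssl.*), load the client certificate and private key from the JKS for 2-way SSL, and keep hostname verification switched on. It assumes the caller has already loaded wcp.properties into a Properties object and the trust store into a KeyStore; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.*;

public class TwoWaySslClient {

    // Resolve a setting the way the page describes: a JVM -D property wins over
    // wcp.properties, and cordys.net.ssl.* is consulted before javax.net.ssl.*.
    static String resolve(Properties wcp, String... names) {
        for (String name : names) {
            String v = System.getProperty(name, wcp.getProperty(name));
            if (v != null && !v.isEmpty()) return v;
        }
        return null;
    }

    static SSLContext buildContext(Properties wcp, KeyStore trustStore)
            throws GeneralSecurityException, IOException {
        String path = resolve(wcp, "cordys.net.ssl.keyStore", "javax.net.ssl.keyStore");
        String pwd = resolve(wcp, "cordys.net.ssl.keyStorePassword", "javax.net.ssl.keyStorePassword");
        if (path == null || pwd == null) throw new IllegalStateException("client key store not configured");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pwd.toCharArray());          // JKS with the client certificate and its private key
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd.toCharArray());             // the same password unlocks the key entry
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                        // server chain is validated against this trust store (assumed JKS)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Hostname verification stays on: "HTTPS" checks the host against subjectAltName / subject.
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();                          // fails if chain, hostname or client auth is rejected
        return s;
    }
}
```

Call connect(buildContext(wcp, trustStore), host, 443) after loading wcp.properties and the trust store; a handshake failure is raised as an SSLHandshakeException, so a misconfigured key store or a hostname mismatch is visible immediately rather than silently ignored.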

Backward compatibility

For backward compatibility, use the uddi.keystore property. See Accessing External Web service using Client Certificate or HTTPS With UDDI for more information.

Note: This forces the UDDI service to work in the backward compatibility mode, where no integration with the Security Administration is used.