SSL (Secure Sockets Layer) is a standard security technology used for establishing an encrypted link between a web server and a client. SSL encryption works with two keys: a public key known to everyone and a private key known only to the intended recipient. SSL-based secure communication is enabled by the use of SSL certificates.
In TIBCO, security is a prime concern when integrating different applications and services. The certificate mechanism of SSL lets different applications communicate over the network in a safe and secure manner. The other options available for implementing security in TIBCO services are LDAP-based authentication and simple username/password authentication.
In this step-by-step tutorial on SSL, I will explain how we can use a self-signed certificate for SSL communication in TIBCO. However, in real-world scenarios you won't be using self-signed certificates; rather, you will go for a CA (Certificate Authority) signed certificate.
Self-signed certificates are useful only for testing purposes while developing secure services in TIBCO.
Step 1: Create a Certificate in TIBCO using JAVA Keytool
Keytool is a utility provided by the Java SDK to create your own SSL certificates. It can be found inside the Java installation on your machine. In my case, I have the keytool utility available at the following path:
To generate a key file with both public and private keys, use the following command:
keytool -genkey -keyalg RSA -alias ajmal_certificate -keystore keystore.jks -storepass tibco@ajmal -validity 360 -keysize 2048
- alias gives a name to your key. It should be unique for its purpose. Here it is ajmal_certificate.
- keyalg is the key algorithm type. Here it is RSA.
- storepass is the password that protects the repository (the keystore). Here it is tibco@ajmal
- keystore.jks is the name of the file which acts as the repository for keys.
- validity specified as 360 means this certificate will remain valid for 360 days.
When you run this command, you are asked some questions such as your organization name, your full name, etc. Give some values for these, and a file keystore.jks will be created which will have both the public and private keys in it.
Step 2: Export Public Key from JKS File and Publish it
Once you have created the JKS file with a public-private key pair in it, your second step is to extract the public key from the JKS file and then publish it to the world.
To export the public key from the JKS file, run the following command:
keytool -export -alias ajmal_certificate -storepass tibco@ajmal -file ajmal_server.cer -keystore keystore.jks
Now we have our public key in a certificate file (ajmal_server.cer). We can give this certificate file to any client who wants to communicate with our server, where we will have the key installed.
Step 3: Install SSL Certificate Key on Server Side
Using TIBCO Designer, create a new project (I named it SSLServer). In the project, create a new Identity (available in the General Palette).
For the Identity configuration, choose Identity File as the type and browse for the JKS file in the URL. Make sure that you add 3 slashes in the file name; otherwise you will get an error.
In the File Type, choose JKS and give the password. The password should be the same one that you used while creating the JKS file.
Complete configuration of Identity at the server side will look like below:
Now let us create an HTTP Connection and configure SSL for it. In the HTTP Connection configuration, check the Use SSL option. Then click on the Configure SSL button and choose the identity.
HTTP Connection configuration will look like below:
Now our SSL-configured HTTP Connection is ready on the server side. Create a new process and use the same HTTP Connection in the HTTP receiver. The process will look like below:
Step 4: Import and Install Certificate on Client Side
Get the certificate file from the server authority (in this case ajmal_server.cer) and paste it in some folder on your client machine.
Now run the following import command to import the certificate:
keytool -import -v -trustcacerts -alias ajmal_certificate -file ajmal_server.cer -keystore my-cert.jks -keypass tibco@ajmal -storepass tibco@ajmal
Now the certificate has been successfully stored in the file my-cert.jks on the client side.
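The keytool commands of Steps 1, 2 and 4 as one non-interactive script; this is an added example, not part of the original tutorial. It reads the password from an environment variable instead of the command line, sets -storetype JKS explicitly (JDK 9 and later create PKCS12 by default), and imports the certificate on the client only when its SHA-256 fingerprint matches the expected value. The -dname value and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the tutorial. Alias, file names and password follow
# the tutorial; the -dname value and the temp directory are constructed.
export LC_ALL=C                             # English keytool output for the sed filters
STOREPASS='tibco@ajmal'; export STOREPASS   # keytool reads it via -storepass:env

# Steps 1 and 2 without prompts. -storetype JKS is explicit because JDK 9+
# writes PKCS12 by default, while the TIBCO Identity is set to File Type JKS.
make_server_files() {                       # $1 = directory
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
    -alias ajmal_certificate -dname "CN=localhost, O=Example, C=US" \
    -storetype JKS -keystore "$1/keystore.jks" \
    -storepass:env STOREPASS -keypass:env STOREPASS >/dev/null 2>&1 &&
  keytool -exportcert -alias ajmal_certificate -file "$1/ajmal_server.cer" \
    -keystore "$1/keystore.jks" -storepass:env STOREPASS >/dev/null 2>&1
}

entry_info() {                              # $1 = keystore path
  keytool -list -v -alias ajmal_certificate -keystore "$1" \
    -storepass:env STOREPASS 2>/dev/null
}
entry_type()        { entry_info "$1" | sed -n 's/^Entry type: *//p'; }
entry_fingerprint() { entry_info "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'; }
cer_fingerprint() {                         # $1 = certificate file
  keytool -printcert -file "$1" 2>/dev/null | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Step 4, importing only when the received file matches the SHA-256 fingerprint
# that the server owner communicated over a separate channel.
import_if_matches() {                       # $1 = directory, $2 = expected fingerprint
  [ -n "$2" ] && [ "$(cer_fingerprint "$1/ajmal_server.cer")" = "$2" ] || return 1
  keytool -importcert -noprompt -alias ajmal_certificate \
    -file "$1/ajmal_server.cer" -storetype JKS -keystore "$1/my-cert.jks" \
    -storepass:env STOREPASS >/dev/null 2>&1
}

# Demo: the expected fingerprint is read from the server keystore in the same
# directory, standing in for the value received out of band.
work=$(mktemp -d) && make_server_files "$work" &&
  import_if_matches "$work" "$(entry_fingerprint "$work/keystore.jks")" &&
  echo "server entry: $(entry_type "$work/keystore.jks")" &&
  echo "client entry: $(entry_type "$work/my-cert.jks")"
```

The client trust store ends up holding a trustedCertEntry only; keystore.jks, which contains the private key, stays on the server.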
We can now move forward to create a client project in TIBCO Designer to use the certificate.
Create a new project using TIBCO Designer. I named the project SSLClient. In the project, create a new folder with the name Security.
In the Security folder, add a new Identity from the General Palette. For the Identity, choose the JKS file and specify the other parameters in the same way as we did for the Identity activity on the server side.
Configuration of Identity at the client project will look like below:
Now we need to import the certificate into our project in PEM format. For this, go to Tools -> Trusted Certificates -> Import Into PEM format. It will then ask you to choose the certificate. Choose ajmal_server.cer for this.
Your imported certificate will now appear in the project as shown below:
Now we can move on to creating a new process on the client side to send a request to the server with SSL encryption enabled.
The process will be as follows:
Step 5: Test Client and Server Processes with SSL
Our final step in this tutorial is to test that our SSL-based client and server processes are able to communicate. Load both processes in the Designer tester (in separate projects).
As you can see below, the request has been sent successfully from the client and the response has been received: