Sunday, November 24, 2013

WS-Security and Transport Layer Security in IBM Business Process Manager v8.0


Introduction:
This article describes how to protect a web service invocation with transport-level security and how to authenticate the caller with the WS-Security UsernameToken. It covers WS-Security and Transport Layer Security (TLS) for outbound integrations made through the web services integration component in IBM® Business Process Manager V8.0.
Overview:
This article describes how authentication between two services is enabled with the UsernameToken, and how Secure Sockets Layer (SSL, today TLS) is used to carry SOAP messages between a client and a web service over HTTP. IBM Business Process Manager V8.0 provides a web services integration component that lets IBM BPM services invoke external web services. The component discovers web services, generates IBM BPM data types from their WSDLs, and exchanges SOAP messages with the remote service.
Web services invocations need to be secured. Commonly this is done with Transport Layer Security (TLS), or its predecessor SSL, which protects the request and response exchanges on the wire. Transport security has a limitation when an intermediary routes messages: the TLS connection terminates at the intermediary, which therefore sees the decrypted message before forwarding it. In that case it helps to protect the relevant message parts independently of the transport. WS-Security lets you sign and encrypt parts of the SOAP message itself, so the protection survives routing through intermediaries.
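The UsernameToken exchange described above, as an added example that is not code from the article or from IBM BPM: the requester side builds a PasswordDigest UsernameToken, and the provider side verifies it, rejecting replayed nonces, stale Created timestamps and PasswordText tokens. The namespaces are the OASIS WSS 1.0 ones; the user name, password, the getCustomer body elements and the five-minute freshness window are assumptions made for the example.

```python
"""Added example: WS-Security UsernameToken (PasswordDigest) requester and provider side."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET  # parse untrusted SOAP with defusedxml in production

# OASIS WSS 1.0 namespaces and identifiers
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username, password, body_xml, now=None, nonce=None):
    """Requester side (what IBM BPM would send): an Envelope carrying a digest token."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or secrets.token_bytes(16)      # fresh random nonce per message
    created = now.strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" soapenv:mustUnderstand="1">
      <wsse:UsernameToken wsu:Id="UsernameToken-1">
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{PASSWORD_DIGEST}">{digest}</wsse:Password>
        <wsse:Nonce EncodingType="{BASE64_BINARY}">{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>{body_xml}</soapenv:Body>
</soapenv:Envelope>"""


class UsernameTokenVerifier:
    """Provider side: accept a token only if digest, freshness and nonce all check out."""

    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials   # username -> password known to the provider
        self.max_skew = max_skew         # tolerated clock difference / message age
        self.seen = set()                # (username, nonce) pairs already accepted

    def verify(self, envelope, now=None):
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext(f"{{{WSSE}}}Username")
        pw_el = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if username is None or pw_el is None or nonce_el is None or created is None:
            return False, "incomplete token"
        if pw_el.get("Type") != PASSWORD_DIGEST:
            return False, "only PasswordDigest is accepted"   # never accept PasswordText
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_el.text or "", validate=True)
        except ValueError:
            return False, "malformed Created or Nonce"
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside freshness window"
        if (username, nonce) in self.seen:
            return False, "replayed nonce"
        password = self.credentials.get(username)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, (pw_el.text or "").strip()):
            return False, "digest mismatch"
        self.seen.add((username, nonce))   # remember the nonce for the rest of the window
        return True, "ok"


def run_demo():
    """Exercise the verifier with constructed credentials; returns the four outcomes."""
    verifier = UsernameTokenVerifier({"bpmuser": "s3cret"})   # constructed test credential
    body = "<getCustomer><customerId>C123</customerId></getCustomer>"  # assumed element names
    good = build_request("bpmuser", "s3cret", body)
    wrong = build_request("bpmuser", "not-the-password", body)
    stale = build_request("bpmuser", "s3cret", body,
                          now=datetime.now(timezone.utc) - timedelta(minutes=10))
    return [verifier.verify(good),    # (True, "ok")
            verifier.verify(good),    # (False, "replayed nonce"): same nonce twice
            verifier.verify(wrong),   # (False, "digest mismatch")
            verifier.verify(stale)]   # (False, "Created outside freshness window")


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("accepted" if ok else "rejected", reason)
```

The digest form is the one worth deploying: with PasswordText the password travels in the clear inside the SOAP header and only TLS protects it, while with PasswordDigest the nonce and Created timestamp are what make the token single-use, which is why the provider must both bound the Created age and remember nonces within that window. Neither form protects the SOAP body, so the token is an authentication mechanism, not a substitute for the transport security or message signing the rest of the article sets up.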
Implementation:
In this section we will look at how to secure web services requests from IBM BPM using the web services integration component. The figure below illustrates an instance of a web services requester and a web services provider, each configured to support transport- and message-level security.
The following steps are required to complete the WS-Security setup in IBM BPM:
  • Set up the keystores.
  • Create Service Provider Sample.
  • Configure Transport Layer
  • Create an IBM BPM sample.
  • Test the Application.
Set up the keystores:
In this section we will set up two keystores, one used by IBM BPM and the other by the web services provider. Each keystore holds its owner's personal certificate (public/private key pair) as well as the signer certificate (public key) of the interaction partner. The same keystores are then used in the configuration for SSL and for message-level security. To create the keystore for IBM BPM, complete the following steps:
Run ikeyman.bat from the bin directory of the IBM BPM installation.
Select Key Database File => New.
Select JKS as the key database type, specify IBMBPMKey.jks as the file name, and choose an appropriate directory for the key file.
At the password prompt enter a password of your choice (this article uses ‘Ibm@key’) and click OK.
Now we need to create a new self-signed certificate. This is a personal certificate and contains a public and private key pair. IBM BPM uses the private key to sign the outbound request message and to decrypt the incoming response message.
The public key will be extracted as the signer certificate and imported into the trust store of the web services provider. The provider uses it to verify the digital signature on the request and to encrypt the response message. In addition, because the IBM BPM public key is in the provider's trust store, it can be used to authenticate IBM BPM during the SSL handshake (client authentication).
Select Create => New Self-Signed Certificate and specify the following:
Key label: IBMClientCertificate
Common Name: amir-eai.blogspot.in
Organization: EAI
Then click on OK.

Select Extract Certificate, then specify the following:
Data type: Base 64 encoded ASCII data
Certificate file name: IBMClientCertificate.arm
Location: D:\Keys (or any directory of your choice)
Then click on Ok.

To create the keystore for the web services provider, repeat the steps above with the following values:
Keystore file name: ServiceProviderKey.jks
Password: Eai@key
Self-signed certificate
Key label: SPCertificate
Common Name: amir-eai.blogspot.in
Organization: EAI
Service Provider Extracted certificate info:
Data type: Base 64 encoded ASCII data
Certificate file name: SPCertificate.arm
Location: D:\Keys (or any directory of your choice)
Now you're ready to exchange the certificates and import each one into the other party's trust store: IBMClientCertificate.arm is added to ServiceProviderKey.jks and SPCertificate.arm to IBMBPMKey.jks. Remember that for the purpose of this article we are using the same file as both keystore and trust store; in a real deployment keep a separate trust store, so that the file receiving partner certificates never holds your own private keys.
Using ikeyman, open ServiceProviderKey.jks and select Signer Certificates under Key database content. Select Add and specify the file IBMClientCertificate.arm, as shown below:

Click OK and enter a label of IBMClientCertificate.
Open IBMBPMKey.jks and select Signer Certificates under Key database content. Select Add and specify the file SPCertificate.arm, as shown below:

Click OK and specify a label of SPCertificate.
Create Service Provider Sample:
Launch SoapUI and create a SOAP project called ‘CustomerService’ with the ‘CustomerService’ WSDL as the initial WSDL, then click OK.
Right-click ‘CustomerServiceSoapBinding’ and select Generate MockService.
Enter the Path and Port as shown below (the sample uses the path /mockCustomerServiceSoapBinding on port 8088), then click OK.
Give the MockService the name ‘CustomerServiceSoapBinding MockService’ and click OK.

Double-click Response1 for getCustomer to open the SOAP Response window and enter the response shown below.

Configure Transport Layer:
In this section we perform the steps required to enable SSL (HTTPS) between IBM BPM and the web services provider.
First we configure IBM BPM.
Log in to the WebSphere Integrated Solutions Console.

Select Security => SSL certificate and key management. Select Key stores and certificates.

Click New to define a new keystore. This keystore entry points at the IBMBPMKey.jks we created earlier with ikeyman. Enter the information as shown in the figure below and click OK:

Select Security => SSL certificate and key management, then SSL Configurations.
Click New to create a new SSL configuration and enter the information shown in the figure below. Click ‘Get Certificate aliases’ next to the keystore name; this reads the aliases from IBMBPMKey.jks so they can be selected in the configuration.

Click OK and save to the master configuration.

Now we need to create a dynamic outbound SSL configuration so that the new SSL configuration is applied to outbound connections to the provider's endpoint. Select Security => SSL certificate and key management, select Dynamic outbound endpoint SSL configuration, then click New to create a new configuration entry. Specify the information shown in the figure below.

Click OK and save to the master configuration. Restart IBM BPM.

Now we configure the web services provider to accept SSL connections.
In SoapUI select File => Preferences => SSL Settings and specify the information shown in the figure below, pointing SoapUI at ServiceProviderKey.jks and enabling SSL for mock services on port 8444.

Click OK. The web services provider now accepts SSL requests on port 8444. Before moving on, confirm from the IBM BPM host that a TLS connection to port 8444 succeeds and that the certificate presented is SPCertificate: if the IBM BPM SSL configuration does not trust it, the handshake fails before any SOAP message is exchanged.
Create an IBM BPM sample:
Open IBM Process Designer. Create a process application called ‘CustomerProcessApp’ and open it.
Create an Integration Service named ‘WSTesterIS’.
Open the ‘WSTesterIS’ integration service, drag a Web Service Integration activity from the common palette onto the diagram, rename it ‘Invok WebService’ and wire it from Start to End.
Go to the Properties tab of Invok WebService and, under Implementation => Discovery, enter the WSDL URI http://<hostname where SoapUI is running>:8088/mockCustomerServiceSoapBinding?wsdl, click Discover and select the operation getCustomer(String). We need to generate business objects for the WSDL: click Generate types, then Next and Finish. Note that discovery here uses the plain HTTP mock port 8088; to exercise the SSL configuration from the previous section, the invocation endpoint must point at the HTTPS port 8444 that SoapUI was configured with, and that host and port must match the dynamic outbound SSL configuration entry.
In the Variables section create an input variable ‘CustomerID’ and an output variable ‘Customer’ of type CustomerDetails.
Select Data Mapping under Properties. Enter “C123” as the input mapping and tw.local.Customer as the output mapping.

Save the changes. This completes the IBM BPM application.
Test the Application:
Open the SoapUI project, right-click ‘CustomerServiceSoapBinding MockService’ and select Restart.

Switch to IBM Process Designer, open ‘WSTesterIS’ and click ‘Debug Service’.

This opens the ‘IBM Business Process Manager Service Debug’ view; click Step to display the result.

It displays the response from the service provider, that is, the mock response we created in SoapUI.

Web services requests and responses are also logged by the web services provider. The details can be found in the mock service's message log, as shown in the figure below.

Conclusion:
In this article, we learned how to configure IBM BPM to enable WS-Security and Transport Layer Security when interacting with secure web services through the web services integration component. Using a tool such as SoapUI, we can verify the configuration independently of the availability of an actual web services provider.
Download:
File Name                    Description                      Size
WS-Security.zip              Sample Code                      780 KB
WS-Security in IBM BPM.pdf   Develop WS security in IBM BPM   1 MB


Designed By AMEER BASHA G