Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Discussion

 Prabaharan Pandian (pandp1)
PEGA
Senior Principal Cloud Operations Engineer, Infrastructure
Pegasystems Inc.
US
pandp1 Member since 2015 6 posts
PEGA
Posted: Nov 21, 2018
Last activity: Jan 19, 2021
Posted: 21 Nov 2018 2:29 EST
Last activity: 19 Jan 2021 15:35 EST
Closed

SSL configuration for SOAP/REST connectors

Scenario 1: one-way SSL- only the client validates the endpoint server’s identity and the endopint server does not validate the client’s idendity

In this case, we need to have a truststore configured in connect-SOAP configuration and the SSL certificate of corresponding endpoint should be availabe in that truststore(JKS). As shown below, the connectivity will fail if the truststore is not configured.

 

1-way SSL

 

 

 

1-way SSL

 

1-way SSL

 

Valid configuration for one-way SSL

Test connectivity gives a success response when the trust store component is configured with appropriate SSL certificate.

 

 

 

1-way SSL

1-way SSL

 

1-way SSL

1-way SSL

Scenario 2: two-way SSL- Client validates the endpoint server’s identity and the endopint server validates the client’s idendity

The endpoint server is configured with two-way SSL. So, connectivity to endpoint will fail if we do not configure the valid keystore parameter along with the truststore. As shown below, only the truststore is defined in SOAP connector configuration without keystore. So, the connectivity fails as expected.

2-way SSL

2-way SSL

 

 

Valid configuration for two-way SSL

For the same scenario, truststore and keystore parameters are configured appropriately to facilitate the 2-way SSL communication and the test connectivity gives success response.

2-way SSL

 

 

 

 

2-way SSL

2-way SSL

2-way SSL

TLS configuration

As a standard practice, the endpoint server should be configured to support the latest TLS version. As of now, TLS 1.2 should be preferred one. If the endpoint supports TLS 1.2, then connect-SOAP/REST (client side) rule will work fine with any value (TLS 1.0,1.1 and 1.2). However, some old servers still serve with older TLS versions (TLS 1.0 and 1.1) possibly due to some dependency with the tools being used. In those cases, the SOAP connector must be configured with corresponding TLS version.

Note: TLS version configured in Connect-SOAP configuration is termed as “Lowest allowable SSL/TLS version”. Given below is the list of accepted TLS versions for the respective configuration.

Value of “Lowest allowable SSL/TLS version” parameter

Accepted TLS version at client(pega) side

Remarks

SSL version 3

SSLv3, TLSv1.0, TLSv1.1, TLSv1.2

SSLv3 is deprecated, should not be used

TLS version 1.0

TLSv1.0, TLSv1.1, TLSv1.2

 

TLS version 1.1

TLSv1.1, TLSv1.2

 

TLS version 1.2

TLSv1.2

Should be the preferred one

 

TLS version mismatch

Test case 1: Connectivity Succeeds

TLS version at destination server-1.2

TLS version at source(pega)-1.1

TLS

TLS

 

 

Test case 2: Connectivity Succeeds

TLS version at destination server-1.2

TLS version at source(pega)-1.2

 

TLS

TLS

 

Test case 3: Connectivity Fails

TLS version at destination server-1.1

TLS version at source(pega)-1.2

 

TLS

TLS

To see attachments, please log in.
Pega Platform
Dev/Designer Studio
Cloud Services
System Administration

  • Bukhari Saheb Shaik Wilhelm Mauch Premkanth Gudipati Trina Roy Gaurav Londhe

Related content:

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice