Question
Pegasystems Inc.
GB
Last activity: 19 May 2016 15:31 EDT
How to install an SSL/TLS Certificate on Pega IAC Gateway (Web Mashup)
My customer wishes to embed Pega functionality in their company portal for their end-users to access. So we are using Pega Internet Application Gateway (IAC), 'prgateway' to implement a Gadget which can be embedded into the customer's webpage. So far so good. However, the customer wishes to use SSL, and their network architecture has an IBM application called "DataPower" situated between the server where prgateway is to run and the PRPC system. So the network architecture looks like this:
End-User's browser -> Customer's portal with Pega Gadget -> prgateway -> IBM DataPower -> Pega PRPC.
The prgateway is installed OK, and we can connect to the IAC Console on it with a browser. So we go to 'Host Configuration' and start configuring a host, providing the URL of the DataPower system (which will relay the connection on to PRPC). At this point we run into trouble. When we click "Test Connection" we get red lights and the error message "Since this is a secure connection, SSL certificates need to be added in Gateway TrustStore, click install SSL certificates".
And next to the 'PRPC Host URL' textbox two new icons have appeared, 'View certificate chain' and 'Trust this site'. When we click 'View certificate chain', the correct certificate information appears, showing Issued To and Issued By information. But when we click 'Trust this site' an error message appears: "Could not retrieve following CA certificate(s) from the server, install them manually: 1. <the correct certificate info here>".
So the questions:
1. Has anyone else had problems installing SSL certificates in IAC Gateway Console?
2. I have installed 'OpenSSL' on my development system, connected to the DataPower URL and successfully downloaded the SSL certificate. Does anyone know how to go about manually installing this in the Pega IAC Gateway?
Thanks for any help
Martin Conboy
Accepted Solution
Updated: 3 May 2016 13:48 EDT
Pegasystems Inc.
GB
Hi All,
OK, thanks to everyone out there who has taken the time to read my question, and particular thanks to those who have replied with helpful answers. I now have a functioning solution (well, it is not fully functional, but at least the SSL bit works).
The keystore used by the IAC gateway is in the .war file in the directory /WEB-INF/lib, the file is called 'prgateway.jks', it is password protected and the password is "changeit".
The SSL certificate for the URL that you need to communicate with can be obtained using 'OpenSSL'. OpenSSL is a freeware command-line application; run it from a cmd prompt and use the command:
prompt>openssl s_client -connect <the_url_in_question>:<portno>
And quite a bit of output scrolls up the screen, and in among it we should have:
-----BEGIN CERTIFICATE-----\r\n<a block of base64-encoded gibberish>\r\n-----END CERTIFICATE-----
Cut and paste all of this, including the BEGIN and END lines, into Notepad or similar and save it to disk with the extension ".cer". That is your certificate.
To add the certificate to the keystore, you need 'keytool', which is a utility that comes bundled with the Java JDK. Like OpenSSL it is a command-line utility. So: download and install the Java JDK on your laptop (make life easy for yourself and don't use a directory with a space character in the name). Open a cmd window, and add the JDK bin directory to your path:
prompt>set PATH=%PATH%;C:\tools\Java\jdk1.8.0_51\bin
Then ensure that the keystore file, and the certificate are all in the current directory, then the command is
prompt>keytool -import -trustcacerts -storepass changeit -keystore C:\my_dir\prgateway.jks -alias MyCertAlias -file C:\my_dir\MyCertFilename.cer
And Robert's your mother's brother.
Thanks everyone!
Martin Conboy
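A scripted version of the procedure in this answer, as an added example that is not part of the original post and not Pega's own tooling. It captures the chain the endpoint actually sends with `openssl s_client -showcerts`, splits it into one PEM file per certificate, prints subject and issuer for each (so a server that omits its intermediate, which is the situation the console's "could not retrieve CA certificate(s)" message points at, is easy to spot), and imports every certificate into prgateway.jks with keytool, skipping aliases already present. It assumes a POSIX shell with openssl and keytool on PATH; the host name datapower.example.test, the embedded s_client output (fake PEM bodies, constructed for the offline demo) and the default truststore path are assumptions, and the store password is the one given in the answer.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pegasystems.
# Fetch the certificate chain a TLS endpoint presents, split it into one
# PEM file per certificate, show subject/issuer of each so a missing
# intermediate is obvious, and import every certificate into the gateway's
# JKS truststore. Assumes openssl and keytool are on PATH; truststore path
# and password default to the values given in the accepted answer.
set -eu

TRUSTSTORE=${TRUSTSTORE:-./prgateway.jks}
STOREPASS=${STOREPASS:-changeit}

# Constructed sample of `openssl s_client -showcerts` output with fake PEM
# bodies; demo() uses it so the splitting logic can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT='Certificate chain
 0 s:/CN=datapower.example.test
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBleafLEAFleafLEAF
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintINTERMEDIATE
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=datapower.example.test'

# extract_chain DIR: read s_client output on stdin, write each
# BEGIN/END CERTIFICATE block to DIR/cert-N.pem (N from 0), print the count.
extract_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/   { close(f); inblock = 0; n++ }
        END { print n }
    '
}

# fetch_chain HOST PORT DIR: capture what the server really sends.
# -servername sets SNI so a front end hosting several names returns the
# chain for the name the gateway will use; </dev/null ends the session.
fetch_chain() {
    host=$1; port=$2; outdir=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_chain "$outdir"
}

# show_chain DIR: subject and issuer per certificate. If the last issuer
# is neither in the files nor already trusted, the server is not sending
# its intermediate and that CA certificate has to be obtained separately.
show_chain() {
    for pem in "$1"/cert-*.pem; do
        echo "== $pem"
        openssl x509 -in "$pem" -noout -subject -issuer
    done
}

# import_chain DIR: import each PEM into the truststore, aliased by its
# subject hash so a rerun skips certificates that are already present.
import_chain() {
    for pem in "$1"/cert-*.pem; do
        alias=$(openssl x509 -in "$pem" -noout -subject_hash)
        if keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
                -alias "$alias" >/dev/null 2>&1; then
            echo "skip $pem: alias $alias already in $TRUSTSTORE"
            continue
        fi
        keytool -importcert -noprompt -trustcacerts -keystore "$TRUSTSTORE" \
            -storepass "$STOREPASS" -alias "$alias" -file "$pem"
    done
    # Verify what the gateway will now trust.
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# demo: split the constructed sample and print how many certificates it held.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_chain "$dir"
}

# Usage: ./trust-chain.sh HOST PORT   (with no arguments: offline demo only)
if [ "$#" -ge 2 ]; then
    work=$(mktemp -d)
    fetch_chain "$1" "$2" "$work" >/dev/null
    show_chain "$work"
    import_chain "$work"
else
    demo
fi
```

Run it against the DataPower host and port the gateway is configured with, then restart the gateway so Tomcat reloads the truststore from the exploded WEB-INF/lib directory. Importing the leaf certificate alone works only until DataPower's certificate is renewed; importing the issuing CA (the intermediate the script prints as the last issuer) survives renewal, which is why the script imports the whole chain rather than just certificate 0.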
Pegasystems Inc.
IN
Kindly find the response below:
1) It works fine.
2) You need to include SSL certificates in prgateway.jks which can be found in IAC war.
Pegasystems Inc.
GB
Hi Arvind
My copy of ‘prgateway.war’ (which is what the IAC Gateway deployment file is called) does not have any file or folder inside it called ‘prgateway.jks’. I also have the IAC gateway files ‘prgateway.war’ that came with Pega716, and Pega719 versions as well. None of those files have a ‘prgateway.jks’ file/folder inside the .war file either.
Please excuse my ignorance, but I have absolutely no experience whatever of manually installing SSL certificates, so please do not assume any prior knowledge on my part. If you could tell me where I can find this 'prgateway.jks' file, and what tools I need to open it and insert my certificate, I would be very grateful.
Thanks and regards
Martin Conboy
Pegasystems Inc.
IN
Hi Martin,
You would find prgateway.jks at the following location:
\prgateway.war\WEB-INF\lib\
Pegasystems Inc.
GB
Hi Arvind,
Thanks! Yes, that is where the file is. Now, how to insert my SSL certificate into it? 7-zip will not open it...
I will google for this answer.
Virtusa IT Consulting
AE
Hi Martin,
You can find the unzipped folder 'prgateway' on the server where you have deployed the .war file.
For instance on tomcat the location would be 'C:\apache-tomcat-7.0.32\webapps\prgateway\WEB-INF\lib'
Thanks,
Habeeb Baig
Pegasystems Inc.
GB
Hi Arvind,
Yes, I see now, I need to use the 'keytool' utility. This utility comes with the Java JDK. I have downloaded and installed a Java JDK and now I have it.
Ok, now keytool is asking for a password for the keystore 'prgateway.jks' I have tried the obvious "prpc", "pega", "rules", "admin", "password", any ideas?
Thanks
Pegasystems Inc.
IN
Try with 'changeit'
Cognizant Technology Solutions
US
Martin,
I am interested to know the reason for using IBM DataPower as a middle layer between the gateway and PRPC?
Pegasystems Inc.
GB
Good question, I don’t know. It is customer’s decision to use IBM DataPower. They have their reasons – and the customer is always right.
I can ask, gently. If I find out anything, I will update.
Pegasystems Inc.
US
IBM DataPower is a well-known SOA platform. Is this a new implementation? prgateway is no longer needed per our latest recommendation. I will send you a link for details (to be published soon on the PDN).
Pegasystems Inc.
GB
Hi Kevin,
It is not a completely new installation; the customer is running Pega 7.1.8, and this is an enhancement to add a web mashup.
I was thinking of running without the IAC gateway, just using the gateway to generate the JavaScript files and the gadget HTML, but then editing the gadget HTML to connect to PRPC via DataPower directly, without the gateway.
All the documentation I have read (and there is lots on the PDN) suggests we should use the IAC gateway to manage the cookies and the session information.
So - I am not sure if trying to use the gadget without the gateway is a safe thing to do, a good idea - I simply do not know.
Pegasystems Inc.
US
So it is a new implementation in terms of web mashup. Read the documents I sent; that is the latest from the product team.
ConEdison
US
Hi Kevin,
Would you mind sending the documentation to me as well? We are doing a new web mashup implementation for an internet-facing app and facing many challenges. If the gateway is out of the configuration, one challenge is out of our way. Thanks.
Pegasystems Inc.
US
In your Pega 7 application you can create mashup gadgets directly from any case type:
- Open your case type from the Cases explorer
- On the Settings tab, select Integration
- Generate mashup code
- Deploy the generated mashup gadget as part of your website - no gateway required!
Note: these steps are for Pega 7.2.1, see the Pega 7 help resources for details on your version
Starting with Pega 7.2.1 you can now specify the origins that can embed Pega Web Mashup gadgets to avoid the need for a reverse proxy:
- Open your application record
- On the Integration & Security tab, go to the Mashup security section
- List your trusted website origins
Look for more details on the PDN to be released in concert with Pega 7.2.1
ConEdison
US
Thanks David. I just tried it with an existing case and it looks very promising. My use case is just to expose a harness, let me play around with it a little bit and then I will get back here with additional questions.
Pegasystems Inc.
US
Hi Martin,
As Kevin noted, the gateway is no longer required. Given that you have a DataPower device, you can use it to handle host aliasing for avoiding cross-domain issues as well as sticky sessions and cookies, even with Pega 7.1.8.
Pegasystems Inc.
GB
Hi David, Kevin,
That is absolutely great. This solution is exactly what is needed. Kevin's documentation discusses configuration for several applications that can be used as a reverse-proxy server, specifically Nginx, Microsoft IIS, F5 BIG-IP, Cisco, and Amazon CloudFront.
Unfortunately Kevin's document does not discuss configuration of IBM DataPower.
Do we have anywhere some sort of guide, or any information at all, about how to configure IBM DataPower to function as a reverse-proxy server for Pega Web mashup? Any help would be greatly appreciated.
Thanks,
Martin C